Will COVID-19 turbocharge how Charities manage their Cyber Security Infrastructure?
The Department for Digital, Culture, Media and Sport found that only 32% of charities have performed a cyber-risk assessment in the last 12 months (The Cyber Security Breaches Survey 2019), meaning a significant number of charities may not understand all of their vulnerabilities. The cyber landscape is constantly evolving, and it is vital that all charities are aware of their risks and vulnerabilities so that the appropriate control measures can be put in place to protect them. Throughout my years of experience, I have found that if an organisation does not fully understand its risks, money is often wasted, and controls may not be as effective as they need to be.
At Exponential-e, most of our customers have set up VPN connections for their remote workers or virtual desktops for employees who aren't provided with laptops. However, there is still the potential risk for an uncontrolled, infected endpoint to unknowingly distribute malware into an organisation and consequently take down all systems. Several organisations have been affected by ransomware attacks recently, which have all originated from a malicious phishing email. In order to reduce the success rate of phishing attacks, all users need to be educated to be able to identify a phishing email, and to know how to react effectively in order to stop them. See my Top Tips for Working From Home video for more information.
Increasingly, charities are reliant on online services, such as donation platforms and login pages, and consequently many charities are falling victim to cyberattacks. Smaller charities are often more vulnerable, since they have less awareness of cyber security as a whole and are naïve to the risks they may face from a cyberattack. The National Cyber Security Centre's (NCSC) 'Cyber Threat Assessment: UK Charity Sector' identified that the most common vector for cyberattacks against charities was phishing emails: fraudulent emails containing links to fraudulent websites. These impersonation attacks are dangerous, and often lead to malicious software making its way into IT systems. If a charity loses access to its online services, the ensuing reputational damage and the prevention of service delivery could result in an existential threat to its survival.
As one of the founding members and a current board member of The Cyber Helpline, a free, confidential helpline for individuals who have fallen victim to cyber crime, I use my expertise to help individuals contain, recover and learn from cyber attacks. The Cyber Helpline was designed and developed in the cloud, and we have continuously made sure that the infrastructure is always protected and tested each month. The founding members of The Cyber Helpline have come from the cyber security industry, and subsequently we have been able to ensure that security by design was in place from day one.
This service uses chat-bot technology, which was developed to help triage any incidents. When we first started out, we were worried that we might not have adequate resources to cope with the quantity of incidents occurring, so the use of this technology helped in addressing this risk. Our chat-bot can ask relevant questions to help us identify what the incident is in relation to, and which classification it falls into, so that we can react accordingly. If an incident could cause harm to an individual, it is quickly escalated through to a volunteer or manager, to ensure it is handled appropriately. In other cases, when the incident can be resolved through following a set of step-by-step instructions, we provide the individuals with an appropriate guide, so that they are able to help themselves. Our volunteers use their own systems to access the cloud environment, but we train them thoroughly as part of the on-boarding process. Additionally, all our volunteers have anti-malware solutions in place to protect their systems, and are able to accurately identify phishing emails.
There are still many charities that are not able to employ a Chief Information Security Officer (CISO) and have yet to act and seek external help to mitigate the risks posed by cyberattacks. Even for those who have received external help with their cyber security, it is still crucial for them to stay on top of the evolving threat landscape. Accepting advice and guidance is important in preventing the damaging effects of cybercrime.
At Exponential-e, we welcome the opportunity to help any charity needing assistance with cyber security questions or solutions. Our Cyber Security team exists to support and educate our customers, especially those who are in the vulnerable position of knowing that cyber security is a threat, but are less aware of the solutions required to protect their organisations against it. We are consistently on hand when required, to supply knowledge and give support to our customers, all whilst maintaining and renewing our own knowledge base, to remain up-to-date with current threats in the industry and how best to mitigate them. We abide by integrity, reliability and perseverance, in order to provide the best cyber security solutions for our customers' individual requirements.
We are currently hosting a series of webinars around different areas of cyber security.