Although the charity sector has started to wake up and take notice of cyber crime, not enough is being done to protect the sector from criminals who are determined to find ways to infiltrate organisations and steal money and data.
In their report, the National Council for Voluntary Organisations (NCVO) warned that many charities working with “outdated tools and systems” were a prime target for cyber criminals.
The ‘Road Ahead’ report looks at key issues affecting the charity sector. It states:
“Cyber crime will continue to be a huge risk and email fraud is predicted to become even more sophisticated.
“In order to protect their valuable funds, assets and good reputation, it will be crucial for charities to have greater awareness of cyber attacks and put a range of security measures in place.”
These warnings have been highlighted further by the cyber attack that hit housing charity Red Kite last summer but only came to light at the start of this year.
Red Kite Housing falls foul of cyber crime
Red Kite Housing said they felt “frustrated and angry” following the attack, which saw criminals walk away with £932,000.
When describing the attack, Red Kite Housing said:
“[cyber criminals] mimicked the domain and email details of known contacts that were providing services to Red Kite.”
The criminals then convinced Red Kite Housing employees that they were from genuine suppliers and asked for various payments for different services.
Charity staff then failed to follow the two-stage payment process which would have flagged up the scam.
Red Kite Housing said:
“[This] was a missed opportunity to shut the door before the money was taken.”
As a result of the attack, the organisation has now added additional security measures to its IT and has reviewed the payment processes to prevent this error from happening again. It has also spent time and resources on training staff to recognise the risks.
The local police force and Action Fraud are continuing to look into the matter.
The NCVO’s report further highlights the need for charities to take a long hard look at their cyber infrastructure.
This is more pertinent as technology changes are set to hit the sector this year. These include flexible/remote working, utilising artificial intelligence and using digital systems to support beneficiaries, such as tools for refugees.
The report states:
“A lot of charities are still working with outdated tools and systems that don’t support these developments.
“Money is one of the main barriers and many charities would update their IT infrastructure if they had sufficient funds.”
As the cyber attack on Red Kite Housing demonstrates, the cost of a cyber attack could heavily outweigh the cost of protecting yourself from one. It’s not just the financial implications of a cyber attack; there is also reputational damage.
Another consequence that Red Kite Housing has suffered is that the Regulator of Social Housing has downgraded its governance score following the incident. Previously, the organisation held the highest rating (G1). Now it’s marked as a G2, which shows that it requires improvement in some areas.
In a statement, the regulator said:
“Red Kite has experienced a significant financial loss as a result of a fraud due to a basic failure in its system of internal controls.
“Improvements are required to Red Kite’s control framework to ensure that key financial controls are robust, operating in line with established policies and procedures and with appropriate leadership oversight.
“The provider has met its co-regulatory obligations in self-referring the matter to the regulator. The regulator is working with Red Kite to address the weaknesses identified.”
St John Ambulance hit by ransomware attack
Back in July 2019, St John Ambulance announced that it had been targeted by cyber criminals and was attacked using ransomware. Luckily for the charity, they were able to isolate the attack and resolve it in half an hour.
Although the ransomware didn’t affect the operational systems, it affected the charity in a different way: by blocking access to the booking system that people use to book training courses and by encrypting customer data.
The charity informed the Information Commissioner’s Office; however, it was confident that no personal data (names, addresses, driving licence details) was made available to anyone outside of the organisation.
St John Ambulance followed police guidelines by reporting the cyber attack to their local Constabulary and not giving in to the demands of the cyber criminals.
Rob Jones, Director of Threat Leadership at the UK National Crime Agency (NCA), said:
“It is crucial that businesses report cyber crime to us because every incident is an investigative opportunity.
“The best way to prevent ransomware attacks is for companies to ensure they are not vulnerable by following best practices on cyber security basics to ensure good cyber hygiene.
“Having good, functional data backups, treating your data as an asset, having appropriate policies around your data, and having incident response available to you are all simple ways of mitigating the harm from ransomware, which is the most prevalent form of attack we see.”
The positive lessons that other charities can take from the way St John Ambulance handled their attack are:
- Containing the attack
- Contacting the people whose data had been compromised
- Reporting the incident to the police and relevant authorities
- Publishing support information on its website
- Setting up a designated email address for people to send queries to
What can your charity do to prevent cyber attacks?
Talk to us about protecting against 80% of common cyber attacks with the government-recommended Cyber Essentials certification.
Today’s Cyber Security work with charities, non-profit organisations and businesses regardless of their size. We believe in a jargon-free, straightforward and accessible approach to cyber security.