TFN is published by the Scottish Council for Voluntary Organisations, Mansfield Traquair Centre, 15 Mansfield Place, Edinburgh, EH3 6BB. The Scottish Council for Voluntary Organisations (SCVO) is a Scottish Charitable Incorporated Organisation. Registration number SC003558.

2019: the year your charity falls victim to cyber crime?

This feature is over 5 years old
 

Despite the snowballing threat of cyber crime, Gareth Jones examines whether the charity sector is woefully underprepared

A third of Scottish charities are failing to take action to strengthen their protection against cyber crime – despite attacks being described as the biggest threat the sector faces.

Of the 250 respondents who took part in the Scottish Council for Voluntary Organisations' latest State of the Sector survey, 41% said that they had not taken any action to become more cyber resilient.

Many of those who claimed they were not planning on taking any action felt their systems were already adequate to cope with threats, despite 15 million new items of malware – software which intends to create damage – being created every day.

The study also revealed a reliance on outside companies for IT provision, with many respondents stating they felt confident trusting a company to handle their cyber security.

The findings tie in with previous studies on how prepared charities are for cyber attacks. A report from the UK’s national body on cyber security found that, despite the prevalence of cyber security breaches in the sector, only 21% of all charities have a cyber security policy in place, and only 8% have an existing cyber security incident management process.

But what happens when attackers strike?

Gary Dickson, digital and design lead for the Scottish Federation of Housing Associations (SFHA), had to deal with his organisation’s website being hacked only weeks into his new job. This left the organisation’s website down, but also meant the details of the federation’s members may have been accessed.

“The awareness wasn’t there of the vulnerability and issues we could face if we didn’t continually ensure our website platform was secure,” he said.

“We were hacked due to a failure to maintain or understand our website content management systems through lack of ownership.

“The site was completely compromised and we had to send an honest correspondence to all our members to let them know what had happened.”

Left unable to access its website, SFHA had to work frantically to bring the site back into operation.

“One of the things that hit us was the initial shock of what it meant,” Dickson continued.

“No one in the organisation really understood the consequences till it happened.

“The good thing out of all of this was that we were able to learn from our mistakes. We now have a completely redeveloped website which has a key focus on a robust and secure web platform. We also now have a series of protocols and procedures in place to make our website much more secure. It is now a site that is continually developing and improving.”

The National Cyber Security Centre has warned that cyber crime is the biggest threat facing charities today.

It has deemed that although third-sector organisations do not perceive themselves to be targets, the value of the data they hold to cyber criminals makes them vulnerable to attack.

Charities are falling victim to a range of attacks with potentially devastating consequences. A report by the UK government last year revealed that seven in 10 large charities had experienced cyber breaches over a 12-month period.

The average cyber security breach was found to amount to a financial loss of £1,030 for the charities which took part in the survey.

Robbie Ross, cybercrime safety, prevention and resilience liaison officer at Police Scotland, said that charities can face a greater risk of falling victim to criminals as they are often less prepared than private companies.

“Whether you are a private sector, public sector, or third sector organisation, the risks are very similar,” Ross told TFN.

“A lot of the time cyber attacks involve the theft of financial or personal information.

“Alongside finances, one of the most important things you own is data about ourselves – and if you hold personal data it doesn’t matter if you are a private company or a charity.

“Where the difference can occur between charities and private companies is how that data is treated. If you are a small charity with four or five workers, you are much less likely to have a team of people looking at cyber security than a large private or public sector organisation.”

With technology changing on a daily basis, charities face an ongoing battle to keep their systems safe.

Attacks come in many formats with criminals using more sophisticated methods than just sending emails containing links to click.

In the autumn of 2017, Artlink Central was targeted by a fake advertising scam.

"They telephoned and asked to speak to me,” said Artlink director Kevin Harrison.

“The woman on the phone, who called herself Roxy, said that she had spoken with me in February and that I had promised to take out some advertising or sponsor a drug and alcohol guide for young people.

“It was a magazine called Child Safety, which she said was connected to the police.

“I said I wouldn’t have been surprised if they had called in February, but I wouldn’t have agreed to sponsorship then.

“When I said that it sounded dodgy, she put down the phone.”

Criminals accessing the bank details of a charity can have a devastating effect: nearly £500,000 was taken from Highland Hospice’s accounts, for example. Charities are also likely to have less sophisticated banking systems than those in the private sector.

Just last month, the Save the Children Federation in the USA confirmed it had been scammed out of $1 million by email fraudsters, and the Wellcome Trust revealed the email accounts of four senior executives were compromised and sensitive information monitored for several months.

Police Scotland has urged any charity that thinks it may have been the victim of a cyber attack, whether money or data may have been stolen, to phone 101. It also operates a Safer Communities Cyber Crime Prevention Unit to improve knowledge and offer support on cyber crime.

Ross said one of the key principles of cyber resilience is understanding that data can be as valuable as money.

“Information that is held by many charities is vital to their operations, and this means it is very lucrative to cyber attackers.

“It is important to seriously consider your practices and protect against the threats.

“The data that organisations hold about the people they work with or donors is hugely important – and losing it could have a massive effect on an organisation’s reputation or even put their future at risk.”

Alongside access to cash, attackers are looking to steal data which they can then ransom organisations for.

As more public services go online, the risk to organisations from this kind of cyber attack is likely to increase.

Jak Deschner, head of IT at the Wise Group, which provides a range of public services linked to employability, said: “The threat is there across pretty much every aspect of our services.

“All of the organisations that we work with to deliver employability, community justice and what we call our sustainability service are very much pushing the digital agenda. That in turn exposes us to higher levels of risk.”

So, what can organisations do to ensure they are doing everything possible to avoid falling victim to a cyber attack?

Jude Turbyne, head of engagement at the Scottish charity regulator OSCR, said that support is there for charities who may need help with digital security.

She said: “Although the number of fraud and cyber crime notifications we get in is low, more organisations are using digital methods of operating and it is essential that charities protect themselves against any potential attacks.

“OSCR recently produced guidance on fraud that contains sources of help and advice to support charities who want to be better protected. We also worked closely with the Scottish Government’s Cyber Resilience Unit to raise awareness of a grant scheme in late 2018 that gave charities money to improve their cyber resilience. This activity also involved the creation of some useful videos with top tips on the subject, and these can be found on our website.”

Emma Whitelock, chief executive of disability charity Lead Scotland, took part in the Scottish Council for Voluntary Organisations' Senior Leaders Programme as she looked to improve cyber resilience at her organisation.

“You need to get your chief executive, your senior management team and board thinking about cyber resilience,” she told TFN.

“What we did was work as a team and think about the different areas highlighted within the Cyber Security Small Charity Guide and Cyber Essentials accreditation.”

To improve digital awareness, the charity’s board recruited a new member with a digital background; two full days of staff training on cyber resilience were held; a staff member was assigned to deal with any concerns about digital; and Whitelock met with cross-sector companies of a similar size to discuss how they approached cyber security.

“There can be a tension between those who want to lock everything down in terms of cyber resilience, and those who want things to be more open to allow creativity and autonomy,” said Whitelock.

“What you need to do is ensure that your systems are open enough so that staff can do their jobs effectively but that they are locked enough so that your data is safe. It is a balancing act.”

The Wise Group provides a range of services to both staff and members of partnership organisations to help them embrace cyber resilience, from digital training programmes to holding workshops to proactively engage with staff.

Deschner said the key to increasing cyber resilience in the workplace is creating a culture of openness so staff are not scared to come forward if they have made an error.

“I would much rather if someone clicks on a link in an email that may be a phishing attack that they come forward and speak about it,” he said.

“It’s all about helping staff to know about what the threats are, making the IT team aware about any threats and allowing us to take action as quickly as possible.”

Cyber insurance is another option for charities that want to protect their finances from the threat of an attack.

June Pennykid, managing director of financial firm Keegan and Pennykid, said charities have to look carefully at the policies on offer to find the right one.

She said: “In today’s GDPR world, it is essential that an organisation that has been subject to a data breach responds to that breach appropriately. Whilst cyber insurance policies vary, an effective one will offer organisations a 24/7 incident helpline which becomes the first port of call in the event of a data breach.

“That helpline will then effectively co-ordinate the required response to the data breach, which may involve PR advice, legal advice, IT forensics and data restoration.

“A good cyber insurance policy will also cover the costs of notifying the people whose data has been lost or stolen, include business interruption cover and will meet the costs of any regulatory fines. In essence, a cyber insurance policy provides an organisation with a robust response to a data breach enabling it to meet its regulatory responsibilities whilst minimising down-time and reputational damage.”

The Friday lunchtime when attackers struck

One of the most high-profile cases of a charity being targeted by fraudsters in recent years is that of Highland Hospice.

The Inverness-based hospice was one of several organisations and businesses that fell victim to a vishing and spoofing fraud, with fraudsters taking up to £2.5 million in the summer of 2017 by posing as bank representatives.

The hospice lost more than £500,000 in the scam; however, a significant proportion of the money was later recovered.

Julie Douglas, head of finance at Highland Hospice, said the organisation was regularly a target for cyber criminals.

“We encounter threats on a monthly, even weekly basis,” she said. “Any organisation who criminals may think has cash in the bank is at risk.

“We have faced a number of different scams, where businesses appear to have changed bank details, where emails appear to be from the chief executive looking for funds to be transferred.

“Cyber crime is on the increase and the threats are present from month to month.

“We have made all our systems as secure as possible and treat our security very seriously.

"We apply a two-person process to all of our payments, where one person initially approves a payment but it requires another person to approve it before it clears.

“Unfortunately where we fell short was that our online banking system automatically used the two-stage process, but not a two-person process.”

The attack was well planned, with the perpetrators doing their research on the hospice and using sophisticated methods to make it appear like they were from the Bank of Scotland.

“As part of their strategy, they target a number of different organisations,” Douglas added.

“We were very unlucky. This was on a Friday lunchtime, during the holiday season.

"The person who was calling knew a lot of things about us, they had done their research and knew a lot about our banking and were able to convince the member of staff that giving the details was the right thing to do by saying our funds were at risk and this information was required urgently.”

The hospice has been open in admitting that it was the victim of an attack, with staff aiming to help publicise the issue in a bid to stop others from falling victim to crimes.

Douglas said good governance and practice is key to increasing awareness of cyber crime.

She said: “I would recommend that charities ensure that they have a two-person process on their bank accounts, as it’s often not automatic and you have to set it up.

“The other thing that was fortunate for us was that our money was spread across a number of different financial institutions. It meant we didn’t lose all of our money and although it was terrible, we had other cash funds and it didn’t have an operational impact on us.

“Good governance can help you protect your organisation and it’s important to support and train your staff.

“It is best to consider as many risks as you can. Get your board involved, and have them review what the risks are, in terms of cash holdings and operations, on a regular basis.”