Charities are more susceptible to ransomware attacks than other organisations because they hold “sensitive personal data” yet few have in-house IT expertise, a digital provider has warned.
Speaking at the Charity Finance Group (CFG) conference last week, representatives from Smartdesc urged charities to train staff in email security to help prevent attacks.
They encouraged voluntary organisations to follow a set series of steps in response if they did suffer an attack.
Charities 'particularly susceptible' to attacks
Ransomware is malware that deprives an organisation of access to its files: an attacker encrypts them and demands a ransom payment to restore access. Ransomware attacks most commonly begin with phishing emails.
James Field, customer strategy director at Smartdesc, said: “Charities are particularly susceptible [to cyber-attacks] because they often hold very sensitive data, which is the most valuable kind.
“It gives an attacker maximum leverage; victims are more likely to pay because the alternative – highly sensitive personal data being leaked over the internet – could be catastrophic and result in a huge [Information Commissioner's Office (ICO)] fine,” he said.
“This is compounded by the fact that very few charities can afford in-house IT expertise so have to rely on external vendors, plus many charity workers are front-line staff for whom a computer is not their main tool for work, resulting in a comparatively low IT skillset compared to traditional office-based roles in other sectors; a perfect storm.”
According to the Office of National Statistics, over 25% of charities were victims of cybercrime in 2020. This is higher among high-income charities, where 51% in that same year suffered cyber security breaches or attacks.
Smartdesc is one of NCVO’s trusted IT suppliers. It works exclusively with charity clients, including Mind, Terrence Higgins Trust and Changing Faces.
How should charities prevent ransomware attacks?
Field said there were basic measures charities could take to make themselves less appealing to an attacker, including becoming accredited under the government's Cyber Essentials Plus scheme.
He recommended educating staff on email security as “email accounts for well over 90% of all successful attacks”.
Field explained that hackers often encrypt confidential charity information and threaten to leak it if the charity does not pay the ransom.
Andrew Coyle, head of information security at Smartdesc, was also speaking at the CFG conference. He said staff training on phishing emails and cybercrime is essential for charities to prevent attacks. He added charities should ensure they are backing up their files and that their system is protected by good anti-malware software.
How should you respond to a ransomware attack?
If a charity is unlucky enough to become the victim of a ransomware attack, Smartdesc advised the audience to take 12 key steps as part of its response.
- Don’t rush: beware of snap emotional decisions; paying the ransom is never advised
- Form a Response Team of pre-agreed, empowered decision makers
- Plan your information triage – contact your IT team; be clear with staff to keep it confidential (for now); find out how it has affected them; contact your insurers early on
- Assess your backups – do you have a copy of the affected data that could be recovered? When was it last taken?
- Data analysis – analyse what has been encrypted by the hacker and what has not – it might be only a small subset of data
- Assess and plan how long restores will take, and any associated costs (“time to recovery”)
- Commence the recovery process
- Decide whether to engage with the threat actor or not (i.e. pay or do not pay the ransom)
- Communicate to external stakeholders and beneficiaries what has occurred – by now the full extent should be clear
- Decide if you are legally required to inform the ICO
- Decide if you are legally required to inform the Charity Commission
- Begin the insurance claim – keep track of all costs as the recovery progresses