Charities are more susceptible to ransomware attacks than other organisations because they hold “sensitive personal data” yet few have in-house IT expertise, a digital provider has warned.
Speaking at the Charity Finance Group (CFG) conference last week, representatives from Smartdesc urged charities to train staff in email security to help prevent attacks.
They encouraged voluntary organisations to follow a set series of steps in response if they did suffer an attack.
Charities 'particularly susceptible' to attacks
Ransomware is malware that deprives an organisation of access to its files: an attacker encrypts them and demands a ransom payment before access is restored. Ransomware attacks most commonly begin with phishing emails.
James Field, customer strategy director at Smartdesc, said: “Charities are particularly susceptible [to cyber-attacks] because they often hold very sensitive data, which is the most valuable kind.
“It gives an attacker maximum leverage; victims are more likely to pay because the alternative – highly sensitive personal data being leaked over the internet – could be catastrophic and result in a huge [Information Commissioner's Office (ICO)] fine,” he said.
“This is compounded by the fact that very few charities can afford in-house IT expertise so have to rely on external vendors, plus many charity workers are front-line staff for whom a computer is not their main tool for work, resulting in a comparatively low IT skillset compared to traditional office-based roles in other sectors; a perfect storm.”
According to the Office of National Statistics, over 25% of charities were victims of cybercrime in 2020. This is higher among high-income charities, where 51% in that same year suffered cyber security breaches or attacks.
Smartdesc is one of NCVO’s trusted IT suppliers. It works exclusively with charity clients, including Mind, Terrence Higgins Trust and Changing Faces.
How should charities prevent ransomware attacks?
Field said there were basic measures charities could take to make themselves less appealing to an attacker, including becoming accredited under the government's Cyber Essentials Plus scheme.
He recommended educating staff on email security as “email accounts for well over 90% of all successful attacks”.
Field explained that hackers often encrypt confidential charity information and threaten to leak it if the charity does not pay the ransom.
Andrew Coyle, head of information security at Smartdesc, was also speaking at the CFG conference. He said staff training on phishing emails and cybercrime is essential if charities are to prevent attacks. He added that charities should ensure they are backing up their files and that their systems are protected by good anti-malware software.
How should you respond to a ransomware attack?
Smartdesc advised the audience that, if their charity were unlucky enough to fall victim to a ransomware attack, they should take the following 12 key steps as part of their response.
- Beware of snap emotional decisions, such as paying the ransom; paying is not advisable for anyone.
- Form a response team.
- Information triage – contact your IT team and staff to find out how it has affected them.
- Attempt to restore backups.
- Data analysis – analyse what has been encrypted by the hacker and what has not.
- Produce an estimate of how much it would cost to restore the data.
- Commence restores.
- Decide whether to engage with the threat actor or not (i.e. pay or do not pay the ransom).
- Communicate to stakeholders and beneficiaries what has occurred.
- Inform ICO if necessary.
- Inform the Charity Commission if necessary.
- Make an insurance claim.