Ransomware attacks have “the power to inflict the most damage on your charity”, a spokesperson from the Foundation for Social Improvement (FSI) has warned.
The FSI and its partner the National Cyber Security Centre (NCSC) hosted a Zoom webinar about ransomware and what small charities can do to protect themselves from it yesterday.
Remi Bridgeman-Williams, programme manager at the FSI, said: “Out of all the threats out there to your charity, a ransomware attack has the power to inflict the most damage on your charity - potentially affecting operations and costing the average charity approximately £8,000 to recover from.”
Ransomware encrypts an organisation's data so that it cannot be used, and many attackers now also steal a copy and threaten to publish it unless they are paid. Charities are likely to hold sensitive information about vulnerable people, which makes ransomware particularly dangerous for them.
What is ransomware?
During a ransomware attack, a criminal gains access to an organisation's systems and uses malware to encrypt its files, rendering them unusable. The criminal then demands a ransom in exchange for the key needed to unlock the files, and often also for a promise not to publish any data that was stolen along the way.
Even large charities can become victims of cybercrime. For example, the International Committee of the Red Cross was affected recently when hackers seized the data of more than 515,000 people the charity was supporting.
A spokesperson from the NCSC led the webinar. They explained that one of the most common ways attackers gain access to an organisation's systems and sensitive data is email phishing. Indeed, nearly 80% of the cyber breaches suffered by charities last year came via phishing attacks.
The second most common technique is RDP brute force: criminals run automated tools that try large numbers of password guesses against a remote desktop login until one works. Long, unusual passwords that cannot be guessed or found in common password lists make this far less likely to succeed.
“If your data is lost, it’s your responsibility to inform the Information Commissioner's Office (ICO),” the spokesperson said. “If they find your data has not been secured enough, you may be fined.”
For example, last year Mermaids, which supports transgender young people, was fined £25,000 after a data protection breach. The ICO ruled that the charity had a responsibility to keep its beneficiaries' data secure, but most staff lacked basic training on data protection.
How charities can protect themselves from ransomware attacks
The NCSC suggested three preventative measures charities should put in place to avoid ransomware attacks.
“There’s loads of things you can do to protect your charity,” she assured viewers.
The NCSC spokesperson suggested charities turn off Remote Desktop Protocol (RDP) where they do not need it. RDP is the Windows feature that lets a user log in to and control a computer from another location; if it is reachable from the internet, criminals can use the same route, typically by guessing the password, to get in.
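The two RDP points above, spotting password guessing against a remote desktop login and turning RDP off, are things a charity's IT volunteer can do from an elevated PowerShell prompt on each Windows machine. The script below is an added example written for this article; it is not code from the NCSC, the FSI or the webinar. It assumes a Windows 10/11 or Windows Server 2016+ host whose Security event log is retained, and it treats 20 failed logons from one source address in 24 hours as worth reporting; both the threshold and the window are arbitrary choices for illustration.

```powershell
# Added example (not from the NCSC webinar): audit RDP exposure, look for
# brute-force sign-in attempts, and disable Remote Desktop when it is not needed.
# Run as Administrator. Assumptions: Windows 10/11 or Server 2016+, Security log kept.

function Get-RdpStatus {
    # fDenyTSConnections = 0 means Remote Desktop is switched on in Windows settings.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                            -Name fDenyTSConnections
    # Port 3389 is the default RDP listener; a firewall rule group "Remote Desktop" opens it.
    $listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $fwRules   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                 Where-Object Enabled -eq 'True'
    [pscustomobject]@{
        RdpEnabledInRegistry = ($reg.fDenyTSConnections -eq 0)
        ListeningOn3389      = [bool]$listening
        EnabledFirewallRules = @($fwRules).Count
    }
}

function Get-RdpBruteForceSources {
    # Event ID 4625 = "An account failed to log on". Logon type 10 is RemoteInteractive
    # (RDP); type 3 (network) is what RDP with Network Level Authentication records.
    param(
        [int]$Threshold = 20,   # assumed alert level, not an NCSC figure
        [int]$Hours     = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named fields out of the event's XML payload.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Ip        = $data['IpAddress']
                User      = $data['TargetUserName']
                LogonType = $data['LogonType']
            }
        } |
        Where-Object { $_.LogonType -in @('3', '10') -and $_.Ip -and $_.Ip -ne '-' } |
        Group-Object Ip |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } },
                      Count,
                      @{ n = 'AccountsTried'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

function Disable-Rdp {
    # Turn Remote Desktop off in Windows and close the inbound firewall rules that allow it.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                     -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# Usage: report first, then disable once you have confirmed nobody relies on RDP here.
Get-RdpStatus
Get-RdpBruteForceSources -Threshold 20 -Hours 24 | Format-Table -AutoSize
# Disable-Rdp
```

A long list of failed logons from a single address, spread across many account names, is the signature of password guessing; the same report run after `Disable-Rdp` should come back empty once the listener is gone. If remote access is genuinely needed, the usual alternative to exposing RDP directly is to reach it only over a VPN or another gateway, which is outside the scope of this script.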
She emphasised the importance of keeping offline back-ups of data that only a limited number of people can access, so that encrypted files can be restored without paying.
Thirdly, she recommended two NCSC digital tools that are free for charities:
- Early Warning notifies an organisation when the NCSC's threat feeds show signs of malicious activity on its network, such as a malware infection, or flag vulnerable services on its internet-facing systems.
- Mail Check assesses the configuration of a charity's email domains, covering anti-spoofing controls (DMARC, SPF and DKIM) and email encryption settings, and reports weaknesses that would let criminals send phishing emails in the charity's name.
The spokesperson emphasised the importance of e-learning for all employees in preventing ransomware attacks, for example so that staff know not to click on suspicious links sent to the work inbox. Only one-third of charities said they had a trustee responsible for cyber security last year.
The NCSC also advises charities to prepare a response and recovery plan in case a ransomware attack does take place; working through how they would respond to a breach helps charities understand what matters most in preventing one.