by Bharat Mistry
It’s estimated that charities contribute almost £12 billion to the UK economy – more than agriculture. Yet we rarely consider this sector and the particular cyber security challenges its organisations face every day. Cybercriminals will usually go after the easiest targets – the ones likely to generate the quickest RoI for them. And that means, in some cases, third sector organisations.
The problem is compounded by the fact that many charities simply don’t spend enough of their limited resources on cyber security. We think that should change.
In the crosshairs
Although the voluntary sector employs around 3% of the UK workforce, many of its organisations are around the same size as an average SME. The problem many smaller organisations share is the belief that they aren’t big, rich or important enough for cybercriminals to bother with them. Unfortunately this isn’t true. Three quarters (74%) of small businesses reported a breach in 2015, up from 60% the previous year, according to PwC’s Information Security Breaches Survey. Some 38% suffered an attack by an unauthorised outsider, up from a third the year before, and 31% were hit by a staff-related incident.
The financial implications are severe. The average cost of a breach to a small business was £75K-£311K in 2015, more than doubling at the top end from the previous year. But the cost to voluntary sector organisations goes far beyond the headline financial hit that comes from the remediation and clean-up, possible fines and associated legal expenses. The negative publicity could have a serious impact on the reputation of the organisation involved. Trust is such an important factor contributing to the success of our charities that any erosion in this could also have a damaging knock-on effect, both financially and in a wider sense.
To make matters even more challenging for stretched IT teams working in the third sector, they need to start thinking about new European data protection rules. The General Data Protection Regulation (GDPR) might not be landing until May 2018, but compliance is essential and getting there will require a major effort by many. With fines of up to 4% of annual turnover threatened for non-compliance, it should be high on the agenda of any IT leader in the industry, and of course it’ll make your organisation more secure in the process.
Top security tips
It might seem like a tall order, especially when budgets are so tight, but get even the basics right and you’ll reduce the risk of a damaging breach or cyber attack significantly.
Here are a few things to consider:
- Always keep key software and systems patched and up-to-date. The top 10 known vulnerabilities accounted for 85% of exploit traffic last year, according to Verizon.
- Encrypt sensitive data, especially if it’s being taken out of the organisation on a USB stick or similar removable media.
- Educate staff in safe data handling and cyber security best practice, and test them periodically.
- Run penetration tests to check how well defended your IT environment is.
- Familiarise yourself with the upcoming GDPR and its implications for your organisation.
- Develop an incident response plan so that, if the worst happens, you minimise the fall-out.
- Advanced anti-malware, IDS/IPS, log inspection, integrity monitoring and a stateful firewall will help form a good baseline for server security.
- Lock down risk on your endpoints with complete user protection for all machines and devices.
As part of our efforts to engage with the charity sector, Trend Micro will be hosting an exclusive dinner for IT security managers in the industry, on Thursday 9 June – the last day of Infosecurity Europe.