Let’s talk about charity cyber security

Charity databases often host highly sensitive information belonging to vulnerable people. We take a look at some ways your charity can prevent and deal with a cyber attack.   

As cyber attacks become more sophisticated and frequent, it’s important for organisations to have the systems in place to come out the other side in one piece. 

Charities are not immune to these attacks, and if anything, may be in a more vulnerable position than corporate organisations which have more budget and resources to nip the attack in the bud.  

Earlier in the month, Anglicare Sydney was held to ransom over a large amount of potentially sensitive information, as part of what the organisation said was illegal activity targeting the Australian health and aged care sectors. 

The charity, which holds records on adoption and foster care as well as counselling and mental health services, came away relatively unscathed from the attack. 

While the organisation confirmed 17 gigabytes of data was transferred to a remote location, there was no evidence that data had been stolen, and the main system relating to its Out of Home Care program, which includes the foster care program, was not impacted. 

With Anglicare Sydney being one of the larger and well-known Australian charities, it was actually in a pretty good position to deal with such an attack. But that’s not the case for all organisations. 

There’s never been a more important time to protect sensitive information 

David Spriggs, the CEO of technology for social justice charity Infoxchange, told Pro Bono News that for larger organisations such as Infoxchange or Anglicare Sydney, investing in keeping data safe was much easier. 

“We’ve got an information security lead on our leadership team. We’ve got a comprehensive information security management system in place. We do regular external auditing and testing of our systems,” Spriggs said. 

“We’re seeing a rapidly threatening landscape which has been further exacerbated during COVID-19… so I guess the question for a lot of smaller organisations is what should they be doing and what can they do in this environment?” 

Multi-factor authentication 

This is when you log into your email and it won’t let you access your account until you are able to validate your identity via a message to your mobile. 

Spriggs said that this is one of the easiest, and most effective ways to control data safety. 

“Broad industry research has found that enabling multi-factor authentication blocks out over 99.99 per cent of the attacks on an organisation,” he said.

“So it’s just about asking your I.T. provider or your cloud provider to help you turn that on.” 

Communication is key 

You can’t spot a threat unless you know what it looks like, so regularly communicating with staff and volunteers about security related threats is a really effective way to stop cyber attacks before they happen.    

Spriggs noted that issues such as phishing attempts had become a big problem, particularly during COVID, when most organisations were working from home and it was harder to cross-check dodgy emails and messages. 

“You might get an email that looks seemingly legitimate and it’s asking you to do a small transfer of money, for example. If you’re in an office environment, you might just turn over your shoulder and ask the sender if they really sent that email,” he said.

“Now that a lot of people are working from home, they’re obviously more exposed to those types of attacks, so it’s really important to just keep communicating and making staff and volunteers aware of these threats.”

Plan for when, not if 

As a general rule, Spriggs said that all organisations (no matter the size) need to have a plan to deal with an attack. 

“Organisations should be looking at when an attack might happen rather than if an attack is going to happen,” Spriggs said. 

This plan should include how clients and stakeholders would be contacted, communicating to them how and what data had been breached; and who takes responsibility for the breach. 

The role of the boards 

Spriggs also said that boards shouldn’t be taking a backseat on protecting data. 

They should be checking in with organisations around their security policy, and any compliance obligations the organisation might have to government agencies for example.  

“A lot of government funding agreements now will have specific requirements around information security and data protection,” he said. 

“Boards should be requesting regular reporting on information security incidents. Even if they are really minor incidents, it gives the confidence that the organisation is monitoring these issues appropriately to avoid anything serious happening.” 

Find more general information on cyber security attacks from the Australian Cyber Security Centre here, or for more charity specific information, check out the Australian Charities and Not for profits Commission’s toolkit here.