‘Be prepared and be brave’: The Salvos reveal how they prepare for cyber attack
9 November 2020 at 5:31 pm
How does a large NFP operate from a cyber risk perspective? Justin Flower from InfoTrust sits down with the Salvation Army’s executive manager of cybersecurity to find out.
A recent survey by CohenReznick showed 69 per cent of not for profits do not even have a cybersecurity response plan in place, while other research confirmed that a fifth of charities had come under cyber attack in the last 12 months.
The repercussions of even one breach can be catastrophic for not for profits, as Lachlan McGill, executive manager of cybersecurity at The Salvation Army Australia, knows very well.
To give just one example from hundreds, in 2017, Save the Children was scammed through fake emails by a hacker posing as a staff member, losing US$997,400 to a fraudulent business in Japan.
Since COVID-19 hit we’ve seen a huge spike in cybercrime, and charities, smaller ones in particular, are especially vulnerable due to lower cyber awareness. Phishing and malicious emails remain the most common form of attack on not for profits; however, hacking and extortion are also causes for concern.
As a cyber security firm, we work with all types of organisations on their holistic security practices. Our work in implementing incident response services for The Salvation Army led me to want to delve further into how charities are dealing with the cyber security landscape.
Here I interview McGill, who shares some really interesting insights into how their organisation is tackling this ever-increasing threat.
Have you ever had to manage a cyber incident?
Like most cybersecurity people, I have certainly experienced my share of cyber incidents. What I’ve learnt is you need to have capable and knowledgeable people on board reacting to the incident.
Often someone in my role will be caught up in communication channels responding to requests for information and keeping stakeholders updated.
It’s so important to know that the people you have remediating the issue in the background are skilled, calm and collaborative.
The last thing you need is somebody panicking or unable to communicate well with other resources in the investigation team.
Everybody working together across the board will ensure the best outcome.
Another important piece of advice is that sometimes you need to make decisions based on limited data.
Understand this, be prepared and be brave!
What would you say are the key areas of cyber risk or concern in not-for-profit organisations?
NFP organisations such as ours often deal with people or situations that require handling of confidential or sensitive information.
It’s critically important to the survival of our mission that we protect that information at all stages of its lifecycle so that we and our clients do not suffer the consequences that can come from data loss or breaches.
That’s why we’ve engaged expert services to help us in the event of a major cyber incident. The quicker we can remediate and determine the cause of the breach, the better the outcome for everyone.
In NFPs we have a serious obligation to spend money wisely and this means we need to have a very good understanding of risk management and which threats are of the most concern so we can prioritise effectively.
Understanding risk management is a critical aspect of my role.
Do you train your staff on cyber security?
We take the cybersecurity education of our staff very seriously and it is a key performance indicator for the security team. We use different methodologies, forums and communication channels to keep all of our staff abreast of threats and secure ways of working.
Have you seen an increase in cyber incidents this year?
There has definitely been an increase in threats since the COVID pandemic struck and people have been forced to work away from the office. Most companies globally will have seen the threat landscape change significantly during this period and The Salvation Army is no different.
We’ve seen a lot of press over the past 12 months about major cyber incidents and breaches across all industries. Is there anything you’ve learnt from these?
There certainly has been a large number of incidents over the past year in organisations both small and large. What I’ve learnt from these is that the organisations who communicate quickly, openly and as accurately as they are able to usually come out looking the most competent and concerned about the outcome.
What is also clear from these incidents is that it’s a group effort requiring input from several stakeholders to ensure the best response and outcome for the customers and clients. Cybersecurity, IT, risk, legal, media relations and third party experts all have a part to play.
The best thing the cybersecurity industry can do to help one another is share as much information as possible and within legal constraints about how/why the incident occurred and what was done to remediate. This is of enormous benefit to the whole industry and helps us all build better protections.
Is there any other advice you’d give to charities looking to increase their cyber security protection?
My advice would be that once you have or are working on deploying the foundational technical controls such as endpoint protection, software patching, authentication, IPS, etc, you need to focus on the cybersecurity culture within the organisation.
This is critically important and will have a multi-layer impact on the overall security posture. Enabling all staff to understand the importance of cybersecurity will decrease pushback on security initiatives, increase security reporting of potential incidents, drive down phishing click rates and even eventually have the business approaching you to discuss rolling out further security controls.
A great culture is about much more than stopping staff clicking on phishing emails; it’s about bringing the organisation on the cybersecurity journey and having everyone push that carriage along the tracks instead of the security team doing it by themselves.
Read up on it and engage external help.
A change in culture takes time and energy but is well worth it.