Charitable Giving Sector a Major Cyberattack Target

Considering the large sums of money generated in the charitable giving sector along with the potential for access to personal and sensitive information, it is understandable that it’s such an attractive target for cyberattackers. And like many organizations providing critical services, continuous and uninterrupted service is a linchpin of serving their communities: Downtime is not an option.

Now more than ever, it is important to remind decision-makers within the charitable giving sector to take a proactive approach to cybersecurity. If they were to fall victim to a data breach, their reputation, finances, data and ultimately, the ability to effectively serve those in need may be damaged beyond repair.

Phishing for Generosity, Monitoring Cloud Activity and Combating Insiders 

To prepare for cyberattacks, organizations in the charitable giving sector need to understand the most common cyberthreats, starting with phishing. Hackers will do their best to trick unsuspecting users into interacting with a fake website or downloading malware that can steal sensitive information or money. Phishing campaigns are typically conducted via email, but in recent times SMS phishing (or smishing) has become more popular. These campaigns can be difficult to spot because they use verbiage and branding very similar to the organization they are trying to mimic. While phishing attacks are common throughout the year, hackers are opportunistic and will look for high-profile events, holidays or disasters to increase their chances of success. Remember, cybercriminals have no remorse for their victims; they depend on the naivety of human behavior. With this in mind, semi-annual phishing simulation tests can raise security awareness and help prevent such an attack from succeeding.

The pandemic forced the majority of the workforce to work remotely, and those within the charitable giving sector were no exception. Many had to quickly adopt digital transformation technologies and tools. For example, organizations began using the cloud to power applications and store data online to allow continued remote work with minimal disruption. Cybercriminals were aware of this and quickly began exploiting weaknesses and vulnerabilities within the cloud. 

It doesn’t take a mastermind hacker to exploit a vulnerability and gain access to charity organizations’ computer systems. Instead, an insider attack will often involve an employee acting as the vulnerability, giving access to passwords or access to the organization’s systems and data to a hacker—whether by accident or on purpose. Implementing a zero-trust model is key to defending against the risk of an insider threat. Instead of focusing exclusively on preventing breaches, zero-trust security aims to keep damage limited if a breach were to occur and build a system that is resilient and can quickly recover. An organization can reduce its attack surface by segmenting resources and only granting the absolute minimum access needed.

Prioritizing cybersecurity with key processes and backup plans

To help keep common cybersecurity threats from impacting a charitable organization, make cybersecurity a priority by documenting specific procedures and staying up-to-date on software patches and updates. For example, while consistently updating operating systems is a major priority in running safe databases and sites, it is equally important to harden systems using a VPN, antivirus and firewall. A security assessment can also help identify vulnerable points. Be sure to conduct patch management continually, too, because ransomware attacks often use known openings in common software, such as productivity applications, to introduce malware, and those openings are closed only if the patches are actually applied. In addition to these processes, deploy anti-malware tools across the business to proactively scan for malware and prevent its installation.

Charities should also reconsider backup plans that may or may not be in place. Adopting a 3-2-1 backup strategy can help protect company assets using diversified methods. This will involve taking the following actions: 

  • Keep three copies of data—retaining the original data copy along with at least two backups in case one or more get lost, damaged or breached. 
  • Use two different storage types—diversifying storage devices can help protect a company in the event of data failure. 
  • Keep one copy of data offsite—keeping two or more copies at the same location isn’t recommended in the event of a natural disaster, but storing one copy offsite is a reliable protection strategy. 

Additional rules charitable organizations should follow regarding backup procedures include these steps:

  • Organize a recovery plan in the event of total data loss—attackers will attempt to find any backups and delete or encrypt them.
  • Keep backups offline to prevent them from being compromised at the same time.
  • Run full daily backups on business-critical systems, and incremental backups on lesser-value systems.
  • Master the nuances of backup restoration before an active incident hits—learning how to do this before an incident happens will speed up the recovery time.
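To make the 3-2-1 rule and the offline-copy requirement from the lists above checkable rather than aspirational, here is an added example (not from the original post) in Python: a small compliance check run over a constructed backup inventory. The BackupCopy record and its field names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List

# Hypothetical inventory record; field names are assumptions for this example.
@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                # storage type, e.g. "disk", "tape", "object-storage"
    site: str                 # where the copy physically lives
    offline: bool             # True if not reachable from the production network
    is_original: bool = False # True for the live production copy


def check_3_2_1(copies: List[BackupCopy]) -> List[str]:
    """Return the rules an inventory violates; an empty list means it passes."""
    problems = []
    originals = [c for c in copies if c.is_original]
    backups = [c for c in copies if not c.is_original]
    if len(originals) != 1:
        return ["inventory must contain exactly one original copy"]
    primary_site = originals[0].site
    # Rule "3": the original plus at least two backups.
    if len(backups) < 2:
        problems.append(f"need at least 2 backups, have {len(backups)}")
    # Rule "2": at least two distinct storage types across all copies.
    if len({c.media for c in copies}) < 2:
        problems.append("all copies share one storage type")
    # Rule "1": at least one backup kept away from the production site.
    if not any(c.site != primary_site for c in backups):
        problems.append(f"no backup stored outside {primary_site}")
    # Extra rule from the list above: one backup must be offline so ransomware
    # that reaches the production network cannot encrypt every copy at once.
    if not any(c.offline for c in backups):
        problems.append("no offline backup")
    return problems


# Constructed sample inventories (not real data).
GOOD = [
    BackupCopy("donor-db", "disk", "HQ", offline=False, is_original=True),
    BackupCopy("nightly-nas", "disk", "HQ", offline=False),
    BackupCopy("weekly-tape", "tape", "offsite-vault", offline=True),
]
BAD = [
    BackupCopy("donor-db", "disk", "HQ", offline=False, is_original=True),
    BackupCopy("san-snapshot", "disk", "HQ", offline=False),
]

if __name__ == "__main__":
    for label, inventory in (("good", GOOD), ("bad", BAD)):
        print(label, check_3_2_1(inventory) or "compliant")
```

The BAD inventory fails every rule at once because a snapshot on the same SAN is one copy, one medium, one site and always online.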

As we enter the 2021 holiday season, it is imperative to reevaluate the most common cyberattacks to the charitable giving sector and understand how to defend against them. Awareness of such threats and prioritizing cybersecurity best practices will work miracles as charities work their own for those who need it most.  


Bindu Sundaresan

Bindu Sundaresan is currently responsible for growing the security consulting competencies and integration with the AT&T Services and Product Offerings. Bindu is a security SME (subject matter expert) with the judgment and experience to right-size and customize information security solutions that both accommodate and enable business growth. She has worked to establish enterprise vision, strategies, and programs for Fortune 50 companies to ensure the confidentiality, integrity, and availability of information assets – thus protecting and enhancing multimillion/billion-dollar revenue streams.
