You are probably all too aware that your organisation may well experience a cyber security breach at some point. But what types of threats should you look out for? And how can your organisation best respond to an incident?
Fraudsters often use phishing emails to trick recipients into clicking malicious links or disclosing personal and sensitive information. According to the Charities Aid Foundation, these messages can look as though they have been sent from a legitimate organisation or address. While most phishing attempts are untargeted in their approach, some contain personal information about the recipient or claim to be sent from a trusted source or position of authority.
However sophisticated they may appear, phishing emails are identifiable. The sender's email address may not match the domain of the organisation it claims to come from.
Grammatical errors and misspellings can litter phishing emails. The emails also often include a request to complete a task, such as clicking on a suspicious link or opening an attachment, within an urgent timeframe. Educating staff and stakeholders about these common traits can help them spot the majority of cyber scams before they cause damage.
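As an added example (not part of the original article), a small Python checker that applies the traits described above to a single email: a From display name that invokes the organisation while the address domain differs, a Reply-To that diverts responses elsewhere, urgency wording, and link text that names the organisation's domain while the real target does not. The organisation name, domain and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Pressure phrases that signal the "urgent timeframe" tactic described above.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "will be suspended")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.IGNORECASE)

def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def phishing_indicators(raw_message: str, org_name: str, org_domain: str) -> list:
    """Return the suspicious traits found in one RFC 5322 message as plain strings.

    org_name / org_domain describe the organisation the mail appears to come from
    (constructed values in the sample below); single-part text/html bodies only.
    """
    msg = message_from_string(raw_message)
    trusted = org_domain.lower()
    found = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # Display name invokes the organisation, but the address domain is not its domain.
    if org_name.lower() in display_name.lower() and from_domain != trusted:
        found.append(f"sender address {from_addr} does not match claimed {trusted}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Replies silently diverted to a domain other than the one shown in From.
    if reply_addr and domain_of(reply_addr) != from_domain:
        found.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    body = msg.get_payload()
    body = body if isinstance(body, str) else ""
    lowered = body.lower()
    hits = [term for term in URGENCY_TERMS if term in lowered]
    if hits:
        found.append(f"urgency language: {hits}")

    # Visible link text names the trusted domain but the real target goes elsewhere.
    for href, text in LINK_RE.findall(body):
        target = urlparse(href).hostname or ""
        if trusted in text.lower() and not (target == trusted or target.endswith("." + trusted)):
            found.append(f"link text '{text}' points to {target}")
    return found

# Constructed sample: a lookalike sender, diverted Reply-To, urgency and a disguised link.
SAMPLE = """\
From: "Example Charity Finance" <finance@example-charity-support.invalid>
Reply-To: payments@collect.invalid
To: treasurer@example-charity.org.uk
Subject: Action required
Content-Type: text/html

<p>URGENT: your account will be suspended within 24 hours unless you verify it.</p>
<p>Click <a href="http://verify.collect.invalid/login">https://example-charity.org.uk/login</a></p>
"""

# Constructed sample: a routine internal message that should raise nothing.
CLEAN = """\
From: "Example Charity Finance" <finance@example-charity.org.uk>
To: treasurer@example-charity.org.uk
Subject: Monthly report
Content-Type: text/html

<p>The report is attached as usual. No action needed.</p>
"""

if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE, "Example Charity", "example-charity.org.uk"):
        print("-", line)
```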
But, if phishing attempts succeed, they can allow hackers to gain unauthorised access to computer systems and the attack on your charity may escalate.
Commonly, hackers steal personal data and threaten to release the information or lock your systems until you pay a ransom.
Data can also go missing through the loss or theft of devices or physical records, such as a stolen laptop or lost paperwork.
Or, through human error: someone can email, post or fax to the wrong recipient.
If you find evidence of unauthorised access, the National Cyber Security Centre (NCSC) recommends first ensuring that your computer systems are up to date. Installing the latest versions of software helps your organisation limit its exposure to bugs and vulnerabilities.
Your IT team can then take steps to monitor networks for suspicious activity, using anti-malware software to detect and remove malicious code.
Next, the NCSC recommends taking steps to block the avenues through which hackers can access your computer systems. An IT expert will help you close any gaps in your defences by removing unnecessary software and limiting rights to access certain data and applications.
How you communicate news of a breach to stakeholders is another crucial consideration. Discussing appropriate responses and lines of responsibility during an incident can help contain a breach and prevent further attacks. And, when you’ve resolved a breach, these discussions provide opportunities to learn how to bolster online security.
Alongside any internal actions, new GDPR rules mean that it is now particularly important for charities to tell the Information Commissioner’s Office about any breaches. You can also report any cyber incidents to Action Fraud and the Charity Commission.
While these steps should help any organisation tackle breaches, your defences will be stronger if you have effective cyber security tools in place before these events occur.
"Having the right upfront security as well as training staff to spot potential threats such as phishing emails can help prevent a cyber incident," said Liam Greene, professional and management risks manager at Markel UK.
"Also ensuring there is a robust incident response plan in place will mean that if a cyber attack does happen, your organisation can respond as swiftly and efficiently as possible," Greene concluded.