Cyber security for charities 3: Personal information

It can be about information as much as money, writes Martyn Croft

Increasingly, though, the attraction for cyber criminals is not the money. After all, credit card details can be bought from the depths of the web for next to nothing. The big money is in personal information, and about three-quarters of all charities hold information about people on their systems. The donor database, the membership system, records of beneficiaries, even internal phone directories and address books are all valuable targets for hackers and scammers, who will use this information to launch attacks against those people.

Snaffling your data on purpose requires a little more ingenuity than relying on mistaken identities and misplaced trust, although those certainly help. With many information systems accessible through the web, the internet is a happy hunting ground for those intent on helping themselves to your data. A technique known as SQL injection has been, and remains, the hacker's favourite attack on databases: it can simply syphon data out of a web application that has been poorly designed and badly written.

The databases that serve up information to the application might be vulnerable to maliciously crafted SQL (Structured Query Language) statements that are innocently executed by the application. This usually results in a torrent of data being spewed out straight into the hacker's hands. It’s easy to prevent with careful and professional coding, but is often ignored, making it the single most common means of attack on corporate data. The Open Web Application Security Project website, or OWASP for short, is a goldmine of advice on this and other web application attacks.
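To show what "careful and professional coding" means in practice, here is an added example that is not part of the original article. It uses Python's built-in sqlite3 module against a constructed, in-memory donor table (no real data) and places a lookup that pastes user input into the SQL text beside the same lookup written as a parameterised query, which is the fix OWASP recommends first. The function names, the table and the sample rows are all assumptions made for this illustration.

```python
import sqlite3

# Constructed sample data for the demonstration; these are not real donors.
SAMPLE_DONORS = [
    ("Alice Example", "alice@example.org", "AB1 2CD"),
    ("Bob Example", "bob@example.org", "EF3 4GH"),
    ("Carol Example", "carol@example.org", "IJ5 6KL"),
]


def build_db():
    """Create an in-memory donor table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE donors (id INTEGER PRIMARY KEY, name TEXT, email TEXT, postcode TEXT)"
    )
    # Even the set-up uses placeholders; it is the habit that matters.
    conn.executemany(
        "INSERT INTO donors (name, email, postcode) VALUES (?, ?, ?)", SAMPLE_DONORS
    )
    conn.commit()
    return conn


def lookup_donor_vulnerable(conn, name):
    """Badly written lookup: the caller's value becomes part of the SQL text.

    The database cannot tell where the statement ends and the data begins, so a
    value containing a quote can change the meaning of the WHERE clause and
    return every row instead of one.
    """
    sql = f"SELECT name, email FROM donors WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_donor_safe(conn, name):
    """Parameterised lookup: the statement and the value travel separately.

    The driver binds `name` as data, so whatever it contains is compared
    literally against the column and can never be executed as SQL.
    """
    sql = "SELECT name, email FROM donors WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def row_counts(name):
    """Run both lookups for the same input and report how many rows each returns.

    Used below to make the difference visible: for an ordinary name both agree,
    for a malformed value only the vulnerable version over-shares.
    """
    conn = build_db()
    return {
        "vulnerable": len(lookup_donor_vulnerable(conn, name)),
        "safe": len(lookup_donor_safe(conn, name)),
    }


if __name__ == "__main__":
    # An ordinary lookup behaves the same either way.
    print("ordinary input:", row_counts("Alice Example"))
    # A value with a stray quote in it makes the concatenated query return the
    # whole table, while the parameterised query simply finds no such donor.
    print("malformed input:", row_counts("x' OR '1'='1"))
```

The point to take from the two functions is that the fix is not clever escaping of the input but never letting the input become part of the statement at all; every mainstream database driver and ORM offers placeholders of this kind, and a code review of a charity's web application can check for string-built SQL as a quick first pass.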

It’s tempting to think that no one would purposefully target a charity. After all, charities exist to "do good works", don't they? Well, that’s not always the case these days and campaigning for a cause or raising funds to further a noble ideal can attract the attentions of opponents, rivals and even state actors. So-called hacktivists can take down or deface your public website to discredit your charity or silence your voice. The tools to do this are readily available and require little technical knowledge. A distributed denial of service attack (DDoS) that clogs up your network can easily be launched from the kitchen table, directing an army of zombie bots to your website, your remote-access service, your client portal or anything else you have on the web. These robot networks, or botnets, made up of infected PCs or other internet-connected devices, are readily available for hire, bombarding your firewalls and effectively taking you offline as surely as pulling the plug on your IT systems.
