Cybercriminals go after data regardless of ethical considerations. Charities are no exception, according to an information security expert speaking at a conference in England last week.
As bank robbers target banks because that's where the money is, today's cybercriminals are increasingly going after the valuable personal information held within the databases of charitable organizations.
The threats from cybercrime attacks against these organizations are increasing, said James Mulhern, chief information security officer at Eduserv, a nonprofit IT provider based in Bath, England, speaking at an IT conference last week hosted by the Charity Finance Group (CFG), which advocates best practice in finance management for its membership of 1,350 charitable organizations.
While acknowledging that "digital is essential," Mulhem warned that the world had reached a "tipping point" and there was a risk of the internet going from “being a net force for good to being a net force for bad,” according to a report on U.K. site, Civil Society News.
“Charities are a big target for cybercriminals,” he said, because that's where the "valuable data" is.
But, it's not just credit card information that these miscreants seek, he pointed out. The personal data is a commodity on the underground market, or dark web, he said. A full record could be worth as much as $28 in U.S. dollars, while a health record sells for $2.50. Meanwhile, a credit card sells for 25 cents.
This new trend is a pressing concern for charities, he told the audience. Last year, half of the alerts coming into the Charity Commission involved cyber threats, he said, and personnel at these organizations are lacking in the needed skills to not only be aware of anomalous behaviors but to do anything to thwart them.
And this is particularly concerning, he said, because the consequences of a cyber attack reverberate beyond the organization. “It's not just about you, it's about the people that you serve – donors, supporters, VIPs, fundraisers, volunteers,” he said.
His advice was to have a plan in place so as to be prepared in responding to an attack. This might involve investing more funds in security implementations and training.
“If you spend more money on a chief executive than on security, somebody is going to be able to make a bad headline out of that,” he said.
When asked why he believed charitable organizations are being targeted, Mulhern told SC Media on Tuesday that charities are a target for numerous reasons. "Beyond the obvious areas, such as fundraising and donations, charities often have valuable information on people," he said. "For some charities, this data is of a sensitive nature and for some the data can be about vulnerable people at risk of exploitation."
As some of this data is shared with other external bodies those charities could also be viewed by attackers as a potential gateway to compromising other organizations, he explained. As well, he added, the activities of some charities may be viewed as contentious and therefore they may be subject to politically motivated attacks.
And educating employees at charitable organizations about the dangers will not be an easy fix, he said, because there's not a single answer. It's a particular challenge in charities where embedding a cybersecurity culture can often be complicated by geographically disparate organizations, he said, with large groups of loosely integrated volunteers and environments where cyberthreats understandably may not be viewed as the most immediate threat.
However, he suggested there are freely available tools, such as “go phish,” that can be used to carry out campaigns to help personnel get practical experience in identifying phishing attempts and gain an understanding of the emotional triggers commonly used in social engineering.
As far as the budgets needed to strengthen security implementations and to train staff, Mulhern said this will be an issue for many smaller charities in particular.
"Skills to defend and deter attacks are in short supply and charities will struggle to compete in the resource market," he told SC.
But, he held out hope. "Charities can, however, benefit from the skills and resources that many cloud providers can provide."
Cybersecurity is the responsibility of everyone in the organization, he added.