Cybersecurity is a major issue for many companies and sadly, it’s no different for charities. Action for M.E. CEO Sonya Chowdhury shares what she has learnt from dealing with cyber attacks.
I have often wondered how much easier life would be if I could clone myself to give myself double the capacity (and double the fun) but my musing stopped immediately after my charity email account was cloned.
In 2015, we were the victims of attempted fraud. The matter was spotted immediately and £15,000 retrieved, but it was a harsh lesson for the organisation. Swift action saved the day, but we took it very seriously, made substantial changes to our finance procedures and, of course, reported it immediately to the Charity Commission as a serious incident.
Over the years I have been the target of a number of email hacks. I’m not sure why: we are not a large organisation, either financially or in profile (although I do wish we were both!). But this one was different. Last November my finance and accounts colleague received an email request from me to make a £7,000 payment. She checked the email address and it was from my charity email account, and the tone and language mirrored what she would normally expect from me. I had sent a series of payment requests over the previous week or two, as I had been working away from the office – all had been legitimate and all for much smaller amounts. However, she followed her instinct and phoned me to question my apparent request. It was quickly established that I hadn’t made the request, and our outsourced IT company launched an immediate investigation and IT security penetration testing. All colleagues changed their passwords and we reported the matter to Action Fraud UK.
Organisationally, we take a proactive approach to reporting serious incidents to the Charity Commission. On this occasion, we sought legal advice. When it comes to fraud, all incidents should be reported except where they are detected by the charity’s computer system. Under the Fraud Act, the fraud is committed when the false representation is made (the email); it does not require that any loss is suffered. So the fraud occurred when the account was hacked and the email requesting payment was sent. However, it was not our computer system that picked it up, but my colleague and her application of the finance policies. Technically, this seems to fall within the Commission’s example of an incident requiring reporting, but the actual guidance is qualified by the word “significant”. Had £7,000 been paid out, arguably that would qualify. Here, our internal policies worked to stop the payment.
Despite my colleague’s application of our policies and procedures working in practice, we still took action because we remain vulnerable. As technology continues to advance, hackers and fraudsters become ever more able to damage our good work and our good name, and to take money given in good faith, so we have to stay alert. Sadly, I have heard from CEO colleagues who thought their systems would offer greater protection than they actually do, and the impact for their organisations has been much greater.
We take lots of action regarding data protection, finance management and cybersecurity. Below I share additional actions we have in place, which may sound simple but are critical:
- Ensure your finance procedures are clear, concise and explicit, with regular review, training and auditing. If you make requests for payment via email, then have an additional protection system in place, outside of email, to confirm both the expenditure and the request for payment.
- Ensure that you regularly back up your data (ransom demands for data are on the increase).
- Have an incident management plan in place which can be immediately activated if you are the victim of an attack or attempted attack.
- Understand your responsibilities in relation to reporting a serious incident to the Charity Commission – we have this clearly outlined in our governance framework so that senior colleagues and board members are aware of requirements.
To stay ahead of threats, we must continue to share our experiences and tips for enhancing practice, and stay updated with reports like this one from the National Cyber Security Centre (NCSC). Hopefully the next organisation fraudsters target won’t be yours!
For additional information, read this blog about cybersecurity myths.