According to the UK government’s Cyber Security Breaches Survey 2021, four in 10 businesses (39%) and a quarter of charities (26%) report having had cyber security breaches or attacks in the last 12 months. The risk is high for all organisations; email (phishing) remains the most successful method of attack and ransomware the most common technique.
James Field, Customer Strategy Director at charity IT specialists Smartdesc, shares some insight on how to protect your organisation.
What is Ransomware?
Ransomware is an attack in which an attacker gains access to a computer or network and encrypts shared files and/or devices to block your access to them. Once the files have been encrypted, the owner is asked to pay a ransom to decrypt the files and make them available again. This industry is now worth tens of billions, and attackers are organised, effective, professional entities.
The most important defence against ransomware is backups. Most of the time, the only way to recover from a ransomware attack is to restore your encrypted files from a previous backup.
What happens when you are attacked?
Well over 90% of attacks happen via clicking on a link in a malicious email. Files on the computer may suddenly appear with a strange icon, or the file name is changed to a long name with a different extension on the end (instead of the usual .docx or .ppt).
Upon trying to open the file, you may get a pop-up saying you cannot access your files unless you pay a sum of money, usually in Bitcoin, typically starting at around $1,000 and doubling every 24 hours.
The attacker will usually publish a list of successfully hacked organisations on their website, and further encourage you to pay the ransom by threatening to publish on the internet the data they copied out of your systems before encrypting it (this is known as data exfiltration).
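The renamed-file symptom described above can be checked for on a file share. The script below is an added example (not part of the original post): it takes a constructed directory listing and flags files that kept their original extension but gained a long unfamiliar suffix, plus any ransom-note style file names, and raises an alert when the proportion of such files passes a threshold. The extension list and the threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Extensions staff normally see on the share (assumed list; tune for your environment).
KNOWN_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf",
                    "txt", "csv", "jpg", "png", "zip", "bak", "tmp"}

# Matches names such as "report.docx.lqwe7r8ty": a known extension followed by
# an extra suffix of four or more characters that an encryptor has appended.
APPENDED = re.compile(r"\.(" + "|".join(KNOWN_EXTENSIONS) +
                      r")\.([A-Za-z0-9_\-]{4,})$", re.IGNORECASE)

# Ransom notes are usually dropped as "how to restore/decrypt your files" text files.
NOTE_HINT = re.compile(r"(restore|decrypt|recover).*files", re.IGNORECASE)


def is_suspicious(name: str) -> bool:
    """True when a file keeps its original extension but gained an unfamiliar one."""
    m = APPENDED.search(name)
    return bool(m) and m.group(2).lower() not in KNOWN_EXTENSIONS


def scan(names, threshold=0.25):
    """Summarise ransomware indicators in a list of file names.

    Returns the suspicious names, their share of the listing, the most common
    appended extension, any ransom-note candidates, and an overall alert flag.
    """
    suspicious = [n for n in names if is_suspicious(n)]
    ratio = len(suspicious) / len(names) if names else 0.0
    ext_counts = Counter(APPENDED.search(n).group(2).lower() for n in suspicious)
    notes = [n for n in names if NOTE_HINT.search(n)]
    return {
        "suspicious": suspicious,
        "ratio": ratio,
        "top_extension": ext_counts.most_common(1)[0][0] if ext_counts else None,
        "ransom_notes": notes,
        "alert": ratio >= threshold or bool(notes),
    }


# Constructed listing for the example: three renamed documents and one note file.
SAMPLE_LISTING = [
    "budget-2021.xlsx",
    "trustees-minutes.docx.lqwe7r8ty",
    "fundraising-plan.pptx.lqwe7r8ty",
    "donor-list.csv.lqwe7r8ty",
    "logo.png",
    "README_TO_RESTORE_FILES.txt",
    "archive.docx.zip",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LISTING))
```

Run it against the output of a directory listing (for example `os.listdir` on the share) on a schedule; a sudden jump in the ratio is the signal to start the incident response steps below.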
What should we do if we fall victim to this?
Undergoing a cyber-attack is a horrible experience, and it’s important to work through a process. Every organisation should put together a Cyber Incident Response Process so that everyone is clear what to do during what will be a highly pressured situation. The following steps may be useful to consider and include in your incident response process:
- Inform your staff & stakeholders that a cyber incident has occurred and ask them to shut down devices and stop using systems immediately. They should keep the news totally confidential, and may need to switch to phone calls or updates via SMS etc.
- Inform your IT and disconnect and power off your devices and servers as soon as you can.
- Inform your insurers straight away. They will often be able to provide expertise to assist in the recovery and post-mortem, funded by your insurance policy.
- Within 72 hours you need to make an assessment and decide whether you need to inform the Information Commissioner’s Office (ICO) – a tool is available. Not all the answers will be known at this stage, but if the ICO’s assessment tool confirms the breach should be officially reported, notifying them within 72 hours is a legal obligation. Note that the ICO can and does fine charities for breaches, so assessing the scale of the breach early (e.g. is it all computers, only one, or only a few?) is important in deciding the right course of action.
- Consider reporting the incident to the Charity Commission if you are a registered charity. The same assessment needs to be made as to whether it is serious or widespread enough to warrant reporting the incident to the Charity Commission. There are useful resources available.
- The general advice is never to engage with the attacker (often called the “threat actor”) and not to pay the ransom. This decision will depend on the individual circumstances, but in any case, seek the advice of all of the parties in the steps above and of experts before considering any kind of engagement with the attacker, as it is potentially dangerous.
- Make an assessment of your backup situation. If your data is backed up regularly then the last good backup is likely to be the point you will restore from, so everything changed after that point will be lost. Don’t forget that nowadays data lives in different places: you may have shared files that are affected, while emails and other databases such as fundraising or CRM systems are hosted on cloud platforms, so your exposure may be limited to a smaller subset of data rather than everything. This may inform your decision making about what to disclose to the relevant authorities.
- Communication to stakeholders and staff while you work through the incident is vital and it may be a good idea to create a “war room” where a team works on the issue collaboratively, and an all-hands phone conference, Teams or Zoom session every 4-8 hours to keep comms open with staff and instructions clear to all until services are restored.
Mitigations and Protection
To protect an organisation against Ransomware and other malicious attacks, a “defence in depth” approach to security is needed, i.e., several security controls are combined to offer a high level of protection.
Get cyber insurance
Recovering from a breach could cost tens or even hundreds of thousands of pounds in lost income and professional service fees, so having Cyber Insurance in place is worthwhile. NCVO has a guide about charity insurance cover.
Two factor authentication (2FA)
It’s amazing how many organisations and systems still don’t have 2FA in place. 2FA is a massive line of defence and it should be in place on all your systems – not just when you log onto your computer or your bank but also your systems like HR, fundraising, CRM etc. as they are all critical. 2FA doesn’t need to be painful; it can be intelligently applied so staff just click “approve” on an app on their phone, and only when logging in from an unusual location, for example.
One of the most important safeguards is effective backups. Having good backups in place means that should the worst happen, you can restore data from a previous point in time. You must be aware how long restores from backups would take and how often data on your various systems is backed up – daily, hourly, or continuously? Ask your IT about it.
Updating software on computers is a critical process for ensuring that security vulnerabilities are removed from the environment as soon as possible. Computers should be configured with an effective patching process for Microsoft products and third-party vendor updates and updated automatically on a weekly basis.
Having good anti-virus protection on computers is important; we recommend BitDefender which is available for non-profits via Charity Digital very cheaply. Macs should be protected as well as Windows.
Cyber security awareness
Staff awareness is essential. We recommend running a phishing simulation test at least annually, where a controlled “fake” email gets sent to staff and analysis can be done on who clicked what, and training tailored accordingly. Smartdesc can provide this service for a few pounds per month.
IT systems change all the time. Your critical applications should be penetration tested at least annually. If you have a server then the same applies. There are lots of resources out there such as Microsoft Secure Score which can flag any gaps in common platforms like Microsoft 365, or where you use a cloud system you should ask the vendor to send you a copy of their annual security testing.
What more could you do?
The Cyber Essentials scheme is a government-backed certification that is said to block up to 80% of the most common cyber security attacks. See our blog about how to achieve Cyber Essentials or talk to us – we are a Cyber Essentials certification body and can assess and award the certification to charities at reduced rates.
ACEVO members are eligible for a free IT Consultation with one of Smartdesc’s virtual IT directors to discuss any IT security concerns or plans. Please use the contact us form to enter your details to arrange a suitable time.