I know I should be worried about cyber stuff...
"Are you worried whether your access control mechanism can resolve an advanced persistent threat with active content?"
Or have you just completely glazed over at that last sentence?
You’re not alone.
So here's a straightforward guide to cyber...
Cyber terminology can be confounding, bizarre (anyone fancy a malicious payload?), or cryptic (you might have a Trojan horse; disappointingly, though, no horses are involved).
The language used in cyber security can undermine awareness of real threats and the ability of staff and organisations to respond. A common feeling for many NGOs is “Cyber is going to be the next big thing to hit us. I know I should be worried about this stuff, but I’m not sure why or how.”
So, in the next three articles we’re going to look at why cyber security matters, how cyber attacks happen and, most importantly, what you can do about it. And I promise there won’t be an SQL injection in sight…
Cyber threats can be summarised in the following way: steal, spy and sabotage.
NGOs currently face threats in each of those three areas:
Steal - NGOs hold financial data of direct interest to criminals, as well as other data such as medical records, which could be used to ransom organisations or individuals or could be exposed to discredit the services NGOs offer.
Often the theft is not immediately obvious. In the physical world if an object is stolen it is physically removed and is no longer there. In cyber the data usually remains in place so it’s not immediately obvious it’s been stolen.
The criminal industry involved in stealing financial data is prolific. According to the Office of National Statistics, in 2017 over half of all reported fraud incidents were cyber related. But it’s also complex, with lots of different groups and experts in the criminal chain. So to make it profitable, criminals need to target large data sets in sectors which have poor security. Sound familiar? A recent study commissioned by the UK government showed that only 32% of charities spent money or resources on cyber security, compared to 67% of businesses. Even then, spending tended to be an expensive reaction to successful cyber threats.
Spy - NGOs often operate in countries where their activities run against state doctrine. Advocacy of human rights, electoral reform, anti-corruption and transparency has made NGOs the subject of state cyber attacks. That includes spying on activity in country and in your HQ in order to undermine NGOs’ activities and potentially to identify (and disrupt) who’s helping you deliver your objectives.
Sabotage - Not everyone loves what NGOs do. In the past, NGOs involved in delivering medical aid such as birth control or advocating the rights of minority groups have had websites defaced, removed or redirected and phone networks disabled.
The damage from these three forms of attack will include financial and reputational harm, disruption to operations and the undermining of donors’, beneficiaries’ and the public’s confidence in organisations. And if the organisation shares some of the blame through lax security, the penalties can be hefty: up to 4% of global annual income.
So the threat is real and can be categorised. That’s important because it allows you to start thinking about which type of activity is the most damaging for you (for example, is your website being defaced as bad as staff records being stolen?) and to start prioritising your resources effectively.
Next up: how do these things happen and why does that matter?
Safer Edge can help you with your cyber strategy, cyber awareness training, incident reporting and cyber security. We specialise in helping NGOs and Charities and in making sense to a non-technical audience. Contact us at firstname.lastname@example.org.