Cyber Security and Why Charities Cannot Risk Ignoring the Dangers of Malware
06-Nov-2019
The domain of the cyber-criminal can seem shadowy and cryptic. The offenders themselves are essentially a danger without a face, and a threat to charities whose work can occupy them in the here and now, as they carry out their day-to-day operations and work to make a positive difference.
But weapons such as malware do not distinguish or categorise - anyone can get stung. So in this feature we’re looking to provide you with some helpful information about malware.
Derived from the term malicious software, malware is now one of the most common tools that criminals use to get inside devices in order to take control of them or steal information.
This form of electronic attack continues to evolve, getting faster and getting smarter, finding new ways to access your charity’s devices or network. And just like a common cold, which is easily caught and always evolving, it’s much easier to prevent it than it is to deal with its effects once it’s taken hold.
And yes – charities are at just as much risk from malware as any other organisation out there today.
Whether they provide a service or produce something to help benefit or better people that need their help, charities will hold valuable data and information that cyber-criminals would want to trade for a high price, and malware is a common way - and sometimes an easy way - of stealing that data.
Last year it was reported that 1 in 5 charities were affected by a data breach or some similar form of cyber-crime, which cost an average of over £9000 to put right; astonishingly, though, it would have cost a fraction of that to prevent the attack.
The cost itself, though, would not normally be the issue.
It is a given that charities exist on a principle of trust; this is one of the values which our sector can normally ensure and safeguard. So whether or not data is stolen or recovered, charities can’t afford anything that would damage their reputation in the eyes of the public, their stakeholders, the people they are serving or their supporters.
And with charities doing their best to deliver much needed products or important services to their communities (sometimes with limited resources), and with service users often relying on the use of data and computers, the downtime that could be caused by dealing with a malware infection really is not an option.
There are many ways malware can spread. The methods of delivery are constantly changing, and these are defined and characterised by the way the malware gets introduced to and infects a device, and by what it does once inside.
Ransomware is a type of malware that locks your files and demands you pay a ransom to unlock and access them again. Ransomware is rapidly becoming more advanced: some strains have been reported to start deleting files as soon as a system is infected, so users are under pressure to pay up. A recent victim of this type of attack was St John’s Ambulance.
One of the most common ways that ransomware can access your computer is through a method called phishing. Phishing uses email as a weapon, disguising itself as a legitimate email and tricking the user into opening the email or attachment. Other types can sneak onto your computer from a website, from social media or even through a vulnerability in the software you use.
Trojans behave like the Trojan horse in Greek mythology, where the soldiers hid inside a large wooden statue of a horse to gain entry to the city of Troy and waited till it was dark to attack. A Trojan works in a similar way, disguising itself as a trusted software program or application to get into your system and attack at a later time.
A worm is a type of malware that uses a computer network to make copies of itself and spread from one device to another, but unlike a virus it does not need human action to quickly spread through a computer system, or even an entire network. Again, worms can often gain entry to a computer through a security vulnerability or weakness – this can sometimes include outdated software.
It’s not just computers or mobile devices connected to the internet which can be prone to malware attack. It is important to note that any digital device can potentially be a target; this can include debit card readers and Point of Sale systems (POS), which is a method of attack that is starting to become commonplace.
Once a device is infected, malware can be very difficult to detect on it until it’s too late, allowing cyber-criminals to execute files, steal information, modify configurations, alter software settings or even install more malware.
WannaCry is probably one of the most striking attacks to have happened to date. It affected over 200,000 computers across 100 countries. In this country alone it cost the NHS £92 million, and although it upset services across many NHS organisations, the NHS was not a specific target.
Avast is one of the largest computer security organisations around, providing protection against a range of potential threats, including viruses, spyware and malware. They have an infographic explaining more about the risk from ransomware and what to do about it. They also have an eBook that gives an outline of some of the most common types of malware, including worms, spyware and bots.
There are different ways to stop malware, but prevention would normally be seen as the best option, and a lot of infections can be prevented from ever reaching a device, sometimes through obvious but harmless changes to our approach and to the way we interact with the technology we use.
In doing this we could make sure staff and volunteers are attentive, aware and use caution before they click on that link, open a message or download anything.
Detecting, disrupting and ultimately preventing a cyber-attack in the first instance would limit the impact on a charity and the potential damage to a charity’s name.
As an example, there are guides available on how to spot phishing attacks, and various sources of information on how to prevent them, as these types of malware attack are becoming more evolved and deceptive, looking like genuine web links or legitimate emails.
There was a recent example from the Charity Commission which warned of a spoof email scam. Because of incidents like this, it pays to be prepared and stay alert.
Automated software put in place such as an antivirus (software for your computer that is used to prevent, detect, and remove malware) is also an essential weapon in the fight against software infection.
Patch management should also be used. Patches, also known as bug fixes or software updates, are used to fix security vulnerabilities and other computer bugs. Patching should be practised as often as possible to help keep software up to date and secure. Secure Web Gateways should also be considered for keeping out any threats from the internet.
Economical and affordable security software is important for growing non-profit organisations, especially if they handle large amounts of sensitive data but don’t have additional IT resources to stay on top of security.
North Kent Training Service (NKTS), the training arm of MVA, are currently developing a Cyber Security course, which looks to explore some of the aspects discussed here. For more information you can call NKTS on 01634 818 036.