Cyber Security for Charities and NFP

What do Australian Charities and the NFP sector need to know about Cyber Security?

Paul A. Watters, Senior Cyber Solutions Consultant, Ionize (99+) Paul Watters PhD | LinkedIn

Jacob Muller, Director, Technology Solutions & Social Impact, WorkVentures https://www.linkedin.com/in/jacob-b-muller/

The low down: Charities need to secure themselves against cyber attacks which are primarily financially focused attacks, secondarily attacks to steal the PII of their donors and/or clients, and thirdly, as backdoors to government networks and systems.

Charities are high value targets for cybercriminals, since they take in very significant amounts of revenue through donations and For Purpose enterprises, often retaining large cash surpluses to fund capital intensive activities. Charities also hold very large donor and client databases, often containing very significant amounts of Personally Identifying Information (PII) about their clients and donors. To make it easy for people to donate, charities often have public facing internet sites, where the public can make donations. Most charities operating frontline services to the most vulnerable people in society – including the elderly, people with a disability, and children – hold significant amounts of PII in order to operate. Many charities also hold significant government contracts, and hold privileges access to government computer systems.

Case Study: Australian charities have been the target of significant cyber attacks in the recent past. In 2020, Anglicare Sydney suffered a ransomware attack, where 17G of PII data was encrypted by an overseas attacker1. The PII was associated with some of the vulnerable people in society, including those involved in foster care and adoption. It was also reported that Anglicare had direct access into the NSW Government FACS computer system, providing a pathway for cybercriminals to execute a “lateral movement” attack, identifying and breaching even more sensitive systems.

In cybersecurity, sometimes it is helpful to view the problem through a number of lenses. For charities, we believe that the best two lenses are “Compliance” and “Pragmatic”, ie, what are the cyber activities that should be taking place to meet the legal and regulatory requirements associated with operating a charity, and what are the practical steps that should be taken to protect charities against cyber threats. In this blog, we further describe how to use these lenses to maximise benefit from cybersecurity costs, acknowledging that every dollar spent on cyber is a dollar not spent on delivering frontline services. Yet if cybercriminals successfully hold a charity to ransom, or extort them, then there will be no money to provide these services.

The Compliance Lens

The sector is regulated by the ACNC. The ACNC do not mandate the use of any particular standard or methodology for charities to secure themselves. This is potentially a weakness – other sectors, such as the federal government, have mandated security controls and maturity levels to which Commonwealth entities must achieve. According to the Australian Signals Directorate (ASD), achieving compliance with these standards eliminates 85% of cyber attacks.

Nonetheless, the ACNC does provide a Cybersecurity Checklist2 which is extremely helpful as a guide to what the regulator expects. At any time, charities must be able to demonstrate to the regulator how they meet these requirements.

The key requirements are as follows:

• How will you prevent cyber attacks that steal donor funds by having clear policies, procedures and guidelines?

• How will you protect the PII of your donors through clear policies, procedures and guidelines?

• Have you trained all staff and volunteers on dealing with cyber issues, such as anti-phishing training?

• Have you conducted cyber assessments on your systems, such as penetration tests?

• Do you have a plan on how to deal with data breaches, and have you ever tested the plan to see if it works?

• Do you protect all endpoints – such as PCs and mobile devices – with security software?

• Do you update and patch all of your software?

• Have you enabled two factor authentication?

• Do you backup all critical data?

• Do you seek help from cyber specialists?

8 Step Guide

The Pragmatic Lens Turning these requirements into a clear plan is a practical task. We provide an 8-point, step-by-step guide below:

1. Appoint a Chief Information Security Officer (CISO), either an internal staff member, or a part-time consultant, to oversee the cyber program, and report to the Board.

2. Conduct a cybersecurity assessment to identify your biggest and most significant risks, and address these first. Generic advice will only get you so far in cyber, context is everything.

3. Establish a policy and procedure base, aligned to one or more international cyber standards, such as NIST or ISO27001. This base should document everything that anyone involved in handling PII, or donor data, or funds, needs to know to prevent, detect and/or respond to cyber attacks.

4. Establish an annual training program for all staff and volunteers.

5. Conduct vulnerability assessments on every external facing system, especially those which process donor transactions, or hold donor PII.

6. Establish a data breach recovery plan, including offsite backups of all critical data, and test that it works annually.

7. Install a security software baseline on all endpoints, including anti-virus protection, and – for officeholders and executives – 24×7 “eyes on glass” monitoring through a Security Operations Centre (SOC).

8. Patch all systems and set updates to be automatic. Sometimes, this will mean testing that your critical systems work in a staging environment before applying the patch to full production.

WorkVentures and Ionize are working together to support charities and the For Purpose sector, and can provide support around each of these eight items. In summary – don’t be the charity that loses donor funds to cybercriminals, or lose the PII of your donors or clients, or be the source of a significant downstream attack on government computers or systems.