How to protect your charity against hacking

  • Being hacked can be a traumatic experience for a small charity
  • With technology evolving rapidly, many charities do not have the training or experience to deal with a major cyber attack
  • We look at how you can minimise the risk of a breach occurring, and what to do if it does

Hackers use a range of methods to access data, but updating software, setting unique passwords and being aware of security are some of the ways companies can minimise risk.

In 2015 the Women’s Resource Centre suffered at the hands of cyber-criminals, after its website was hacked and replaced with pro-Isis messages.

The British Pregnancy Advisory Service was another victim back in 2014, and was fined £200,000 by the Information Commissioner’s Office (ICO) after a hacker broke into the charity’s website and stole personal details of thousands of women who had sought advice.

The ways in which hackers can attack

The first thing to understand is the range of methods that hackers may employ. Some are very technical – hackers may identify vulnerabilities in (often out-of-date) software which allow them access to your system.

Without your knowledge, they may then install software that records the keys you press on your keyboard, allowing them to find out your passwords and access your system and files.

Other more technical approaches involve the use of programs known as viruses, worms and Trojan horses. Viruses are malicious programs which, when clicked, replicate themselves into other programs, data files or areas of the hard drive.

Worms can spread themselves between computers and across a computer network without even being clicked. Trojan horses trick people into installing them by appearing as something routine or useful like a form or a warning message.

However, other methods are simpler – hackers may set up spoof websites that trick people into giving their details, guess user passwords, or simply talk people into revealing information on the phone or in person (known as social engineering).

How to minimise the threat

When it comes to fighting back, Charities Security Forum chair Brian Shorten offers a six-point plan to prevent hacking:

  1. Review your security. Use ISO 27001 as a guide – it’s really simple, but it sets out where you should be across the various areas of information security management.
  2. Encrypt your data.
  3. Keep your software up-to-date.
  4. Change default passwords on all your devices. Online, hackers can find lists of default passwords, which allow remote access to everything from routers to servers.
  5. Raise awareness of security issues among staff.
  6. Build a support network via the Charities Security Forum.

Shorten draws particular attention to the fifth point, as he believes charities can benefit greatly from a joined-up approach including both technological protections and proper staff training to ensure they understand how to minimise cyber security risks.

He adds that the most effective way to do this is through an engaging, practical approach: “We tend to talk about ‘education and training’,” he says, “but that’s like going back to school. I prefer ‘raising awareness’, where you talk to people about the consequences of doing things or not doing things. That’s preferable to running through a checklist.”

Responding to a breach

If all these measures fail, you may find that you do get hacked. In this scenario, you need to recognise the warning signs.

If you suffer a denial of service attack, where an attacker is trying to stop your systems from functioning, you may find you are unable to access your email or your website.

Alternatively, if someone has accessed your confidential data, they may call up demanding a large sum of money for its safe return. Or, in the case of many of the threats outlined in this article, you may simply notice unusual activity on your network or unusual files and folders on your servers.

In these situations, you need to have a strong business continuity plan in place, according to Chris Greaves, senior strategic risk consultant at Zurich.

“These are vital for ensuring prevention measures are in place and for providing an action plan if a problem occurs. Defined triggers need to be in place so it is clear when a breach has occurred, along with control mechanisms such as communication plans and procedures to close systems down.

“All of this needs to be tested in practice so that the plan can be modified as necessary.”

Who to speak to

If the breach includes the loss of sensitive data, it is particularly important to consider who should be informed.

“If a large number of people are affected, or there are very serious consequences, the ICO will expect to be notified,” says Greaves.

“It will want a description of how and when the breach occurred, what data was involved, what security measures were in place and what has been done in response. In cases of illegal activity, the police also need to be informed.”

Fortunately, cases of hacking in the charity sector are still fairly rare. There isn’t a hacker hiding around every corner.

But the consequences of failing to protect yourself can be extremely serious, so now is the time to review both your technological protections and your procedures for raising staff awareness.
