Over the past number of years cybercrime has become a menace to the global economy, and Ireland has seen a dramatic spike in cybercrime in recent years. In 2014 the cost of cybercrime in Ireland alone was €498,000. By 2016 this figure had jumped to €1.7 million, and it is expected to rise further in the coming years. Industry sectors such as financial services and government agencies have had their battles with cybercrime well documented, but charities have not been immune either: the Trinity Foundation, the fundraising arm of Trinity College Dublin, suffered a cyber security attack in April 2017.
The impact of a cyber attack is two-fold. When an organisation falls victim to an attack the immediate concern is generally the financial loss. However, the long-term damage an attack can do to a charity’s reputation is of much greater concern. The protection of personal data is at the forefront of the public’s concerns when dealing with companies and charities alike. Donors’ e-mail addresses being passed on to third parties is a simple example of a GDPR breach that many charities could commit unwittingly, and one that exposes gaps in a charity’s cyber security. As well as the loss of donor trust, failure by a charity to adhere to the incoming GDPR could result in fines of up to €10 million or 2% of annual turnover for serious breaches of the regulations. Cybercrime can take many forms, and it is critical that charities are aware of the threats so they can take corrective action to minimise the risk.
Types of Cybercrime
Ransomware is a type of malicious software that encrypts the data on a user's PC so that it is no longer accessible. Fraudsters then demand a fee in return for the decryption key that frees up access to the data once more. Ransomware attacks most commonly occur because an unsuspecting employee inadvertently opens a malicious e-mail attachment.
Ransomware attacks can cripple an organisation's ability to operate, so preventative action must be taken in advance to avoid such a scenario:
- Charities must back up their data securely, keeping the backups separate from the live network so the same attack cannot encrypt them too. If an attack were to occur, the charity could then restore its systems from the backed-up data and continue to operate.
- Proper staff training on what to look out for. It is also important to remember that a charity’s volunteers are treated the same as full-time staff members in relation to the GDPR. This means it is the charity's responsibility to train its volunteers the same way it trains its staff.
- Develop a comprehensive response strategy for a ransomware attack. The old saying ‘Fail to prepare, prepare to fail’ comes to mind.
Spear phishing is the use of highly personalised fake e-mails targeted at a specific individual in an organisation. A fraudster masquerading as the CFO or COO of an organisation and instructing an employee to transfer funds to another bank account is an example of how such an attack catches an unsuspecting victim. In October 2016, Meath County Council fell victim to a spear phishing attack. Cyber criminals masqueraded as the chief executive of Meath County Council and instructed a junior staff member to transfer funds to an overseas account. In all, €4.3 million was stolen from Meath County Council. In this case the transfer was flagged as suspicious and, with minutes to spare, the Hong Kong bank account that had received the funds was frozen. This was a lucky escape and should be a lesson to all organisations about how financial and sensitive information is communicated by e-mail, and how it can be communicated securely. The same tactic was used in the aforementioned Trinity Foundation case earlier this year.
Once again, the best and most cost-effective measures to prevent such an attack are to inform, train and educate staff and volunteers on the signs to look out for. Have a specific protocol in place for discussing sensitive or financial information via e-mail, and stick to it. That way any unusual e-mail should jump right out at you, be flagged and be acted upon immediately. Combined with an e-mail protection solution, this should leave you well prepared for such an attack.
Protecting Your Data
The implementation of the much-discussed EU General Data Protection Regulation (GDPR) is fast approaching, and all charities operating in Ireland will be affected. It is being enforced so that EU citizens’ data is protected correctly and ethically, which in turn helps ensure that companies and charities alike are protected against potential cyber threats. The key thing to remember about the GDPR is that you must be seen to be actively working towards compliance. Previously you would only be inspected by the Data Protection Commissioner if there was a data breach or a suspected one. Under the GDPR you can be inspected at any time; you don’t have to be perfect, but if you are not seen to be working towards compliance then you will be in trouble.
Here are a number of specific challenges charities will face in becoming compliant with the GDPR:
Resourcing challenges - Most charities will not have the resources to employ a full-time Data Protection Officer to ensure compliance with the GDPR.
Training challenges - Having access to the correct and most up-to-date data protection laws, and having staff available to mentor others in the organisation on compliance with these regulations, will be a challenge for many charities.
Policies - Having the correct policies and procedures in place will be another time-consuming challenge. The GDPR will require charities to show evidence of their updated policies in order to be compliant.
Employee and volunteer data - Charities rely on their employees and volunteers to provide the services and supports they do. As a result, all employee and volunteer training must be correctly recorded and securely stored, and everyone who volunteers must be trained in the data protection protocol. This will be another strain on resources.
Data breaches - Under the GDPR any breach of data security must be reported within 72 hours. Without the resources for a Data Protection Officer, charities could struggle to identify a breach and take the actions required to rectify it within that window.
Outsourcing / third parties - Many charities use third parties to recruit volunteers for fundraising activities such as door-to-door and direct mail campaigns. It will be the charity’s responsibility to know where this data is stored, to keep processor logs and to ensure the relevant processor agreements are in place.
Getting ready for the GDPR may appear quite daunting, but the key thing to remember is that you need to be seen to be compliant. The worst outcome would be to suffer a data breach without policies, training and proper record keeping in place when you have to report it to the Data Protection Commissioner. If, however, you are seen to be working towards compliance with the GDPR, you will be in a much stronger position.
So how to prepare for the GDPR? LIKECHARITY have partnered with Ireland’s leading data protection service provider Sytorus to offer the charity sector a customised solution called LIKECHARITY Privacy Engine. The partnership came about as we are using Privacy Engine to prepare for the GDPR and found it indispensable.
This tool allows charities to:
- Maintain all mandatory logs.
- Train staff and measure their awareness.
- Maintain all relevant policies and procedures.
- Identify risks and assign tasks to others.
- Interact live with an actual Data Protection expert to answer your ‘how do I’ questions.
The deadline for the GDPR is only around the corner and you need to be preparing now, not after May. A reduced charity rate is available for Privacy Engine.