Charities are not immune to cyber attacks

Following recent ransomware guidelines issued by the Charity Commission after Friday’s NHS malware attack, Nick Sladden, head of charities at audit, tax and consulting firm RSM, comments on why charities and not for profit organisations must not be complacent about cybercrime.

‘Last week’s ransomware attack has emphasised the fact that we now live in an age where cybercrime threat is the new normal. It has become part of our digital working lives, and as such, all systems and operational processes demand constant security assessment.

‘The Charity Commission’s guidelines offer a useful checklist to help organisations get the basic safety measures for this right. From installing effective security software, keeping devices updated and regular file backups, to not opening or responding to suspicious emails, so charities can select a number of ways to protect themselves. This is particularly pertinent in the aftermath of the malware attack, where criminals can exploit the incident by creating phishing scams, posing as the NHS.

‘Most crucially, charity status will not safeguard against ransom attacks. Morality is just not a factor. As proven by the NHS attack, cybercriminals often operate indiscriminately, in a way that the vulnerabilities exploited by the hackers are the same for everyone. Therefore, not for profit organisations must not consider themselves immune to threats, and must remain vigilant.

‘The guidelines also highlight the importance of establishing a process of formal incident management, and how to react if an attack does take place. Paying a ransom to fraudsters will only serve to increase online crime and terrorism, and encourage more to use ransomware as a successful means of attack.

‘Protecting customer data is becoming increasingly important. From May 2018, the new General Data Protection Regulations, known as GDPR, will impose hefty fines on organisations who experience a data breach, so the future financial risks to not for profit organisations with poor cyber security management could be substantial.’