In June last year, The Big Issue magazine, a Cape Town-based non-profit organisation (NPO), was hit by a phishing attack. The publication, which has created jobs for scores of unemployed people across the Western Cape, got an email purporting to be from its printers announcing a change of bank details. It came with convincing looking verification credentials, and the hackers appeared to have gained access to emails from both printers and the publication. By the time the management realised their mistake, four months later, they’d transferred some R600,000 to the fraudsters. It nearly sank the publication which could have upended the lives of the 120 or so vendors it supports.
If you’re working in the NPO sector you’d be forgiven for wondering ‘why would anyone attack us?’ After all, charities, NGOs and other organisations that exist to help others aren’t an obvious target. For that reason, many treat cybersecurity as a lower priority than commercial organisations, considered a nice-to-have or a secondary concern, right up until it becomes the most important thing in the world.
Yet many NPOs handle sensitive information from donors, including financial details. Cyber-attacks can result not only in data breaches but in material losses, damage and destruction of systems and databases, ransom demands, and, potentially, a reputational crisis, litigation, legal liability, damages and fines.
A 2021 Interpol report painted a grim picture of cybercrime in Africa. It quoted a finding by Accenture that South Africa had the third highest number of cybercrime victims in the world, at a cost to the economy of R2.2 billion a year. Interpol also highlighted another report from Kenyan cybersecurity firm Serianu that South Africa had the highest rate of cyberattacks in the continent at 230 million – three times the number suffered by Kenya and Morocco, which was next on the list.
A 2022 UK survey by the Department of Culture, Media and Sport (DCMS), found that almost one-in-three charities had identified a cyber-attack in the previous 12 months. Of the attacks outlined in the DCMS survey, 38% had an impact on the service provided by the organisation, with 19% “resulting in a negative outcome”.
The CyberPeace Institute carried out a research study in Geneva in 2023 and found 41% of local non-profits had been the victim of a cyberattack in the previous three years, but that more than half of NPOs had no cyber-security budget.
It begs the question: how can charities and NGOs innovate and grow safely in our digital world if they don’t prioritise security?
These five tips from AWS for NPOs wanting to enhance their cybersecurity are a great start, most of which can be implemented at little or no cost.
- Document your security policy – Give all your employees a clear and simple reference point. Outline a set of standards to which everyone must adhere to maintain good cybersecurity. Communicate your policy throughout your organisation and make it easily accessible to everyone. The policy should include the following four tips as actions for all employees.
- Everyone must use unique login credentials – You wouldn’t have 1234 as your bank PIN number, would you? We should be no less diligent at work. All employees must be required to use unique credentials with passwords that are strong, both in length and complexity, for all work-related login functions. Set rules for good password creation and stop bad actors unlocking multiple doors across an organisation using just one set of credentials.
- Keep admin rights, permissions and privileges tight –Make sure that you only give colleagues privileges to the IT systems and functions that are necessary for their business role. Start with an audit of existing privileges, establish a system for documenting any new permissions and perform regular access reviews. Charities and non-profits can use cloud services such as IAM and Cognito to manage and monitor access rights easily.
- Back up your systems on the cloud – If you’ve ever had a device fail on you and taken all your pictures, conversation and emails with it, you’ll know how devastating that can be. Using a cloud backup is essential for all non-profit organisations and ensures data is secured, recoverable and can’t be easily deleted by bad actors. AWS Backup provides cloud-native back up services for non-profit organisations’ key data stores, such as buckets, volumes, databases and file systems, across AWS services.
- Foster a blame-free culture – Good cybersecurity requires that everyone in your organisation feels able to come forward if they think there’s a problem or if they have potentially been compromised. So, avoid blame when things go wrong. Phish-testing, where the organisation sends employees fake phishing messages, does little for security and can seriously damage morale. Instead, drive greater awareness and encourage a positive, security-orientated mindset.
The BCI’s Cyber Resilience Report 2023 found that 74% of respondents across all sectors see ransomware attacks among the top threats to their organisation over the next five years. Following the five above tips can help reduce security risks. Ultimately, however, an organisation’s leadership needs to see the value of good cybersecurity and be prepared to invest in the culture and solutions that underpin it.
“If you really want to drive change, look to your leadership. Cybersecurity isn’t just about technology, it starts at the top,” says Orlando Scott-Cowley, public sector tech and business development manager at AWS. “Leadership must own and foster a culture which supports cybersecurity.”
INFO SUPPLIED.
