Ransomware, cyber-extortion and GDPR: Three security headaches ahead for charities

Ransomware and business email compromise attacks could be 'devastating' for charities, says tech security agency.
Written by Danny Palmer, Senior Writer

Charities are a prime target for hackers and are at risk of devastating cyber attacks, the UK's intelligence agency has warned.

The National Cyber Security Centre - the cyber security arm of GCHQ - has set out some of the biggest cyber threats facing the 200,000 charities registered in the UK and advice on how to combat them in a new report.


The Cyber Threat Assessment: UK Charity Sector report describes cyber crime as the greatest threat to the charity sector, with threats ranging from small-scale fraudsters to highly advanced threat groups, and even nation-state and terrorist actors.

This, combined with the vast amounts of personal and financial data they potentially hold, makes charities a lucrative target for cyber criminal activity. The report also warns that charities aren't prepared for the incoming GDPR data protection legislation.

An NCSC spokesperson told ZDNet that ransomware and business email compromise are currently the biggest threat to charities, especially because staff - responding to questions or accepting donations - will regularly open emails and download attachments.

This makes those in the charity sector prime targets for ransomware, especially given how cyber criminals can specifically craft spear-phishing emails to trick victims into downloading what they believe to be a legitimate attachment, only for it to infect the network with ransomware.


The NCSC also notes that charities could face extortion in the form of criminals threatening to release sensitive data if a ransom isn't paid.

"Attackers may steal and threaten to release data unless a payment is made," said the report. "Charities involved in the protection of vulnerable individuals or holding sensitive medical data could be particularly susceptible to this form of extortion".

Charities are also particularly vulnerable to business email attacks, the NCSC warns - and the report cites an example of an unnamed charity which lost £13,000 after the email of its CEO was hacked and a fraudulent message was sent to the charity's financial manager with instructions to release funds.

While this type of attack can be successfully carried out via social engineering, the NCSC also warns that more advanced campaigns could deploy malware to secretly siphon funds - or even information which could be exploited for an even greater return.

"Cyber attacks can be devastating both financially and reputationally, but many charities may not realise how vulnerable they are to the threat," said Alison Whitney, Director for Engagement at the NCSC.

It's not just charities themselves which can fall victim to cyber attacks - criminals often pose as charities in an effort to steal money by using fake websites to trick potential donors into handing over their financial details.

"The threat assessment confirms what we often see in our casework - unfortunately charities are not immune to fraud and cyber crime, and there are factors that can sometimes increase their vulnerability such as a lack of digital expertise, limited resources and culture of trust," said Helen Stephenson, Chief Executive of the Charity Commission for England and Wales.

The NCSC report concludes by informing charities that the best way to ensure that they don't fall victim to cyber attacks is to invest in cyber security in order to protect their finances, information, operational capability and reputation.

The report also notes that charities will soon be required to fulfil a duty of care to safeguard information under the incoming General Data Protection Regulation (GDPR) legislation, which will see organisations faced with fines if they're deemed to inadequately protect data.


"Good security is essential for GDPR compliance. We consider that some UK charities are unprepared for the introduction of this important legislation, and do not understand the link with robust cyber security," said the Cyber Threat Assessment.

Charities are encouraged to join the NCSC's free Cyber Information Sharing Platform (CiSP) to exchange information about threats and good security practices.
