28 February 2016
Some things you never knew about cyber risks and how to prevent them
Well, you might know some of these, but I bet there are quite a few that will come as a surprise to you!
Arthur J. Gallagher Charity & Healthcare team held a client seminar recently on ‘Cyber, Fraud and Risk’ which kicked off with a comment from Sean Finnegan (Managing Director at AJG) that ‘the UK is the most targeted country in Europe. One million malware threats were received every day in 2014 – up 40% on 2013!’*
The charity sector is most often targeted for its data, and Tim Smith of the law firm BLM made the point that although there are many small breaches (rather than the big hits featured in the Press), these often cause real distress. One way hackers can access your network is through security patches that have lapsed and not been applied. Hackers keep an eye on sites whose security patches have not been properly updated, and strike when they see a weakness.
Jay Abbott of Advanced Security went so far as to say that you probably may not even spot your attacker - he’s there waiting in the background having previously targeted people by looking at their personal interests to gain access to their online accounts, whether it be their email, website or database. Once there, they will look around your network to see what’s useful to steal.
Ian Morris of The Health Foundation commended the use of penetration testing (whereby information security professionals replicate the hacker’s effort to breach your online security and access your IT infrastructure and the data it contains). Ian stressed that investment in security needs to go beyond just the perimeter defences, which, while of obvious importance, are by no means the whole story. And finally Ian stressed the essential need to balance investment in technology with investment in staff training and awareness.
Glenn Bluff of Grant Thornton followed this up by explaining that offenders are much more likely to simply request access than to spend hours overcoming your perimeter security. This so-called social engineering or ‘open sesame’ approach has become the most effective approach deployed by cyber criminals. Why spend hours trying to hack security when a targeted email, written in the right way to the right person, does the trick?
So the best advice these days is:
- Determine what assets you want to protect and how your current cyber security matches up to it
- Detection is better than cure these days. Assuming your security is pretty good already, spend your money on detecting interlopers and on building employee awareness through interesting and personalised training for your work force and volunteers.
As a charity you have a duty of care to monitor your network against fraud, pornography and theft. You don’t want your donors and others on CRM databases to have their data sold on the dark web; you don’t want your supporters scammed by bogus websites, and you certainly don’t need the ‘bad press’ and reputational damage of this coming out into the public domain. So heed our advice and take the two steps above to reduce that risk.