Organisations have a tough challenge keeping up to date with cyber security risks, but charities are likely to suffer greater damage to their reputation if they fall victim to fraudulent activity and are less likely to have funds at their disposal to invest in methods of limiting their exposure.
Over lunch we shared our experiences of fraud and how we use social media. We heard from the experts regarding cyber crime trends, the effect of workplace culture and ways to limit exposure to fraud and cybercrime.
Social Engineering is the term given to ways that fraudsters research targets and learn about the organisations and individuals they are targeting.
One area of particular concern was how location tracking apps reveal our whereabouts and how this information can be used by fraudsters. It is therefore important to be aware of what we are putting on social media and to manage privacy settings.
There are various platforms that could be targeted in social engineering including Linkedin, twitter, Facebook, 192.com, Companies House, Charities Commission.
Social media is a useful tool for fundraising and increasing publicity for a cause, but Charities need to be aware of what they’re posting and what information is available on the public profiles of individuals connected to the organisation. Is it necessary? Is it available to all users, or have you restricted access where this would be applicable?
We discussed different types of attacks. Our experts elaborated on specific attacks:
Spear Phishing is a more targeted version of phishing where the fraudster targets a specific individual or organisation. It normally occurs after a period of social engineering where the fraudster has gained enough information about their target to create a convincing email or letter in order to solicit money or information.
Invoice fraud was identified as an issue where charities have a lot of one off payments. We shared our experiences within our organisations. There is more awareness of this type of fraud and best practice is usually followed during the payment process. The challenge for many charities is identifying a fraudulent invoice. Staff education and awareness is key, attackers will often knowingly target during busy periods; at the end of the day or week and require urgent payment. Fraudsters play on natural human error and rely on people being in a rush and not following normal procedures as they are under pressure.
Data theft: This is an area that will grow in importance as the new Data rules come into place (the General Data Protection Regulations). These rules include crippling fines for any organisations found to have inappropriate measures in place to protect data on users, suppliers etc…
We discussed the fact that fraudsters are not after money but data. Ransomware attacks specifically target data and organisations are concerned about their exposure. Charities who may have sensitive data on end users who are categorised as vulnerable feel they have an increased duty to protect that data.
CEO fraud: Although there is a good level of awareness of this type of fraud, charities are still being targeted and are still falling for this scam. The method is where the fraudster pretends to be the ‘CEO’ (or an individual in a position of authority within the organisation) and target people to gain access to systems, action fraudulent payments etc…
This type of scam is normally more successful when it follows a period of social engineering where the fraudster has researched the name of the ‘CEO’ and of the appropriate target within the organisation. Most of us had come across these fake emails shared our experiences.
Staff training helps raise awareness but cost can be an issue for charities. There are free informative events and seminars available as a way of keeping up to date with basic issues and ways to protect your organisation. Eventbrite is a useful resource for finding out what is being held.
The culture and the general attitude of an organisation form part of a charity's protection against cyber crime. It is important that staff feel sufficiently confident to query issues with senior members of the team and that there are procedures in place where proper authorisation is required for transactions. It was agreed that team members need to feel confident that they won’t be rebuked for disturbing others for authorisations and reviews.
Part of this process of encouraging an environment of openness includes having comprehensive cyber protection procedures and policies included in a charity’s workplace documentation.
A useful resource for Cyber security policies that can be tailored was shared by Jack from the LDSC: https://uk.sans.org/security-resources/policies/
The risks associated with mobile working and working from home were discussed. As a basic starting point, charities should have a policy to cover these aspects of working and communicate it to staff. Some of the charities present provide staff with laptops and devices for home working to ensure adequate protection. VPN was agreed as essential to protect traffic and to ensure that the device did not contain data (i.e. it is all accessed in the server through the protected VPN connection).
The vulnerability of public Wi-Fi was discussed and basic awareness surrounding entry of 'pins' and data in public places.
In 2016 ransomware attacks claimed most victims. In 2017 the new trend is towards DDoS (distributed denial of service) attacks.
Ransomware – is where malware program blocks access to a computer system (often by encryption) until a ransom is paid. It is usually targeted at individuals.
DDoS – is where attackers aim to disable an online service by flooding it with traffic from many sources. The targets are often banks or news sites. As a result of such an attack it is a major challenge for an organisation to publish or access important information.
How often should we be changing our passwords?
We discussed our views on this issue. There was a general consensus that strong, hard passwords were essential but that it is ultimately up to the individual to have a method of remembering their passwords that is not easily accessed by fraudsters (eg: a diary on the desk, a spreadsheet saved as ‘Passwords’). Helen demonstrated how surprisingly easy it is for basic passwords to be hacked. One recommendation that was made was to use two stage authentications where possible.
Barclays offer a free webinar to organisations on cyber security. If you’re interested contact Andy Rosamund
Alliotts are jointly hosting a Cyber Security seminar on 16th May in Guildford which will include a live hack.
If you’d like to know more please contact Mary Kacigeras