14 Dec 2016

Meeting room training

I was recently at a presentation by Gemma Higginson, a fraud risk consultant at RSM.  She talked about how new technology means new ways of being scammed and defrauded.  It was quite scary to see how organisations, such as the third sector organisations that I coach and mentor, can fall prey to ransomware, service denials, mandate fraud, email hacking and a whole host of other ways of separating charities from their hard-earned cash.

Fortunately, Gemma had some words of wisdom to share to help reduce the risk to charities and third sector organisations.

  • 95% of cyber attacks are the result of human error.  Phishing emails may be inadvertently opened, emails may not be given appropriate scrutiny and bank mandates may not be checked.  Make sure that your staff are regularly briefed to be vigilant on anything that might look vaguely suspicious.
  • Cyber protection should be a board level issue.  This is a particular problem in charities where many trustee boards may be made up of a 'slightly older generation' that does not automatically keep up to date with latest technology issues.  Convince your board that this is a VERY REAL problem.
  • Use an external organisation (or a very competent internal person) to ensure firewalls and anti-virus protection is up to date.  Do not give this job to anyone internally who does not really understand it.
  • Think about Cyber insurance.  This is still quite cheap and therefore very cost-effective and could cover you for big losses.
  • Consider the impact of a breach of your systems on your donating public.  They will be wary of donating if they hear that you have been the victim of a cyber attack.
  • Password protect your Wi-Fi.  So simple but still not addressed by many people.  And change it regularly, even if that is inconvenient to users.
  • Consider having 'white hat' attacks on your system.  These are simulated attacks by a company you employ, who will find any loopholes in your security that could be exploited by wrong 'uns.
  • Be aware that social media is a potential source of information for criminals.  Individuals and organisations may post information (date of birth, for example) on social media sites that allows criminals to build up enough of a picture of the person to be able to hack into your system, or pass themselves off as the person in your organisation.  This is called 'social media scraping'.
  • Criminals may hack your email system and produce emails that look exactly like your company email. Unusual requests to set up accounts and make payments, EVEN if they seem to come from a legitimate colleague, must be challenged by your employees.
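As an added example (not from the post or from the presentation), here is a small Python check that a finance team's mailbox could run over incoming mail to flag the warning signs the last two bullets describe: a sender domain one character away from the charity's own, a Reply-To that points somewhere else, and payment or mandate wording. The organisation domain, the wording list and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-charity.org"  # assumption: the charity's real mail domain
PAYMENT_TERMS = ("bank details", "new account", "urgent payment", "change of mandate")


def lookalike(domain: str, real: str) -> bool:
    """True when domain is exactly one character (swap, extra or missing) away
    from the real domain, e.g. example-charlty.org, the classic mandate-fraud trick."""
    if domain == real:
        return False
    if len(domain) == len(real):
        return sum(a != b for a, b in zip(domain, real)) == 1
    short, long_ = sorted((domain, real), key=len)
    if len(long_) - len(short) != 1:
        return False
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def check_message(raw: str) -> list[str]:
    """Return the warning flags raised for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    _name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != ORG_DOMAIN:
        if lookalike(domain, ORG_DOMAIN):
            flags.append(f"lookalike sender domain {domain}")
        else:
            flags.append("external sender")
    _, reply = parseaddr(str(msg["Reply-To"] or ""))
    if reply and reply.lower() != addr.lower():
        flags.append("Reply-To differs from From")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + " " + (body.get_content() if body else "")
    if any(term in text.lower() for term in PAYMENT_TERMS):
        flags.append("payment/mandate request wording")
    return flags


# Constructed sample: a colleague's name over a one-letter-off domain, asking for a payment change.
SAMPLE = """From: "Jane Smith (Finance Director)" <jane.smith@example-charlty.org>
Reply-To: j.smith.finance@mail-relay.example
To: payments@example-charity.org
Subject: Urgent payment - supplier bank details changed

Please update the supplier's bank details before today's payment run.
"""

if __name__ == "__main__":
    for flag in check_message(SAMPLE):
        print("WARNING:", flag)
```

A message raising any of these flags is exactly the kind of request that should be confirmed with the colleague by phone before anything is paid.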

I came away from the presentation feeling quite worried about how damaging this area of security could be. But ignoring it does not solve the problem.  It is a real problem and you fail to address it at your peril!