As CFG has repeatedly said, being a type of organisation that people consider ‘good’ does not prevent you from becoming a victim of cyber-attacks. Despite the inherent risk for patients, the group that committed the attacks did not take into account this when the NHS was attacked.
How did this attack come about?
WannaCry, a group of hackers, exploited weak code in Microsoft to spread “ransomware”. Ransomware is often delivered through emails with false links that tricks a recipient into opening an attachment and releasing the malware onto their systems. This is known as phishing, and is a common type of fraud. What was unusual about the international cyber-attacks last weekend was that the ransomware did not come from a user error within an organisation, instead it was an outside source attacking weak areas of code within Microsoft’s Windows operation systems. This area of vulnerable code was previously discovered by US’s National Security Agency (NSA), and then was stolen and made public when another group called Shadow Brokers released it.
What steps can charities take to help reduce their risk of becoming a victim to a ransomware attack.
As previously noted, the global attack over the weekend was unusual as it did not come from emails or other types of internal errors (dodgy downloads etc.). Therefore, the advice below will focus on ways to prevent the risk from these types of attacks. It is important that your charity still exercises caution and remain vigilant over suspicious emails, attachments, downloads etc.
Microsoft released an update to fix this weak code in March 2017, and most of the computers that were affected by the ransomware attack were because the computers had not been updated. Having old operating systems, or an operating system that has not updated with the most current software, or out-dated virus software can make you particularly susceptible to cyber-attacks. While it is time consuming to set aside an hour or two for your organisations computer to reboot, this will be time well saved if you come under cyber-attack. It is not uncommon for a cyber-attack to stop business continuity for a few days. If you cannot afford to update your charities operating systems, then at least keep your virus software up to date.
In light of the attack over the weekend, Microsoft has released updated protection to customers. We recommend anyone that uses Microsoft to check whether their computers are up to date. Keep your data backed up and secure Your charity should have a clear policy for backing up data in a secure manner. This data should be externally backed up, i.e. not on a device that is still connected to your network. This could mean storing files on a cloud based system. It’s also important that any data that is backed up externally should be encrypted and there should be clear organisational policy about who can have access to the backed up data.
If you have followed the step above and regularly back up your data securely, then it could seem very obvious to you not to pay. However, if you have not backed up your data and your data is being held to ransom the Charity Commission still recommend not paying the ransomware. Similar to a house that has been burgled repeatedly, a company that pays for data release is seen like an easy target next time and you could find your organisation stuck in a loop of continuously having to pay ransomwares. Another important incentive for not paying, is that there is no guarantee that you will get your data back!
Business continuity management plan (BCM)
While charities will have a risk plan, it is important that when thinking of cyber security they don’t just think about how to prevent it, but also what to do when it occurs. A business continuity management plan (or BCM) is common in the business world, and is a way for an organisation to identify and plan what do to in the face of potential threats. Though this might sound similar to a risk plan, they are different. Risk plans look at the preventing negative events, rather than the responding to negative events. Both require a holistic and integrated approach within the organisation. A BCM can be something as simple as: who and how your organisation will access any backed up files; a crisis communication plan detailing who should be informed of a breach (the Charity Commission, Action Fraud, any donors and/or beneficiaries whose personal information might be at risk); and who’s responsible for each action. For some charities, it might be appropriate to have cyber insurance to mitigate the costs of any breaches.
For an organisation to take the risk from cyber-attack seriously, it is important that the organisation has support of the Trustees, CEO, and of other senior management. Organisations might find it useful to have someone at Board level who has the responsibility of monitoring this risk, or in a larger organisation maybe part of a risk committee. As Trustees are ultimately legally responsible for their charities, obviously they should take their charity's cyber-security seriously. You can find more information about preventing cyber attacks at charitiesagainstfraud.org.uk, at the Charity Commission and the National Cyber Security Centre.
If you have been a victim of a ransomware attack, or other types of cyber fraud you should report it to Action Fraud by calling 0300 123 2040, or visiting ActionFraud. Trustees are advised to also report suspected or known fraud incidents to the Commission by emailing RSI@charitycommission.gsi.gov.uk
« Back to all blog posts