Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

8/30/2017

6 Barriers to Improving Cyber Security for Nonprofits and Charities

 
​Charities and nonprofit organizations aren’t immune to cyber attacks.
 
The NetDiligence 2016 Cyber Claims Study (PDF), which provides a comprehensive analysis of insurers' claims on losses sustained from data breaches and other kinds of cyber events, showed that out of the 176 cyber claims submitted for the study, 11% were from the nonprofit sector.
 
“Breaches are not just for the Fortune 500 companies anymore,” NetDiligence said. “The majority (87%) of claims submitted for this study are for organizations with revenues less than $2B.”

The recent "Cyber security among charities" study, commissioned by the UK Department for Digital, Culture, Media and Sport and carried out by Ipsos MORI, revealed that cyber criminals don't consider charitable organizations off-limits. Charities interviewed in the study shared that they had experienced a wide range of cyber breaches or attacks.
 
In one case, a charitable organization reported substantial financial loss after the CEO's email was hacked and the malicious hacker sent a fraudulent message to the charity’s financial manager with an instruction to release funds to pay for new equipment.

In another case, the website of a mid-sized organization was taken down on numerous occasions. The first attempt to bring the site back took the hosting company 10 days.

In another case, one charity found that its website had been injected with malicious code. Although the organization eliminated the malicious code two years ago, it felt the incident had a negative impact on its online reputation, because a warning saying its website could have been hacked shows up in the Google search results.

The Ipsos MORI study revealed that a cyber breach isn’t enough to motivate some charities to enhance cyber security. When breaches such as websites being taken down or staff emails being hacked made no impact on their operations, charities continued “without any changes – highlighting that charities were not necessarily learning from these attacks,” according to the Ipsos MORI study.
 
Here are the 6 barriers to improving cyber security for nonprofits and charities:

1. Cyber Security Viewed as an Unaffordable Luxury

The study found that some charities consider cyber security an unaffordable luxury. Some stated that if their budgets increased, they would rather spend the money on other areas such as core service provision and fundraising.
 
“We need to make sure we are taking the right precautions to safeguard our information … but we have other priorities – difficulties with cash coming in, and a restructure last month,” a £500,000+ annual income, international aid charity said.

2. Cost-Cutting Culture

Many of today’s charities, according to the study, have a strong cultural emphasis on cost-cutting, which makes it difficult to justify the cost of cyber security. This emphasis on cost-cutting has led some charities to value cost over quality, for instance by choosing the cheapest cyber security provider at the expense of service quality.

This cost-cutting culture is also evident in charities’ reluctance to upgrade to the latest software or hardware. When the WannaCry ransomware was released into the wild by cyber criminals last May, many nonprofit and charitable organizations fell victim to this malicious software.

A number of the UK’s National Health Service (NHS) Trusts – nonprofit organizations that are part of the NHS but have more freedom in how they run their hospitals – were affected by the WannaCry ransomware because they were using outdated or unsupported desktop operating systems.

3. Deprioritizing of Some Cyber Risks

The study showed that charities consider loss of funds and loss of personal data (for example, donor lists) to be major risks because they’re viewed as existential threats. On the other hand, loss of non-personal data files (for instance, data lost to a ransom attack, especially when the data is backed up) and loss of business (for example, a website takedown) aren't considered major cyber risks because they aren’t viewed as existential threats.

4. Cyber Security Viewed as a Common Sense Issue

The study found that some charities view cyber security as a common sense issue that, therefore, shouldn’t need much thought or investment. Instead of taking pre-emptive action, these charities would simply ask their staff to be sensible and to take a common sense approach.

5. Lack of a Central Office

Some small and mid-sized charities have no central office. This is an offshoot of the cost-cutting culture of nonprofit and charitable organizations. Organizations with no central office allow their staff to use personal devices, which opens them up to breaches via those devices. These organizations also change their board of trustees every year, resulting in a regular change of the organization's base.

6. Lack of IT Awareness and Skills

The study found that most charities don’t have an internal specialist with the technical skills to cover cyber security. Hiring an internal IT specialist is seen as unaffordable and unnecessary because the organization doesn't view itself as a target of cyber attacks. Most of these organizations leave the cyber security responsibility to individuals who already have other duties in the organization, such as fundraising, finances, communications or general operations.

Many of the smaller, long-running charities are also often run by older trustees, who might lack IT awareness and knowledge. This may limit the organization’s engagement with cyber security professionals or its ability to find people inside the organization who could advocate for better cyber security.
 
In Canada, the implementation of the Digital Privacy Act may spur cyber security awareness among nonprofit and charitable organizations. The law requires “organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner.”
 
An organization that knowingly violates the breach notification requirements may face fines of up to $100,000 per violation. The implementation of the Digital Privacy Act – passed into law on June 18, 2015 – is seen as the country’s first step toward bringing its data protection law in line with the rest of the world.

    Author

    Steve E. Driz, I.S.P., ITCP

Photo used under Creative Commons from GotCredit