TAKEAWAYS
Charities and non-profit organisations (collectively “NPOs”) can differ in size but most are usually stretched for adequate resources to maintain their operations. While most would have embraced technology and various online platforms to further their cause and to canvass for more funds, defending against cybersecurity risks might usually have taken a back seat to driving the mission of the NPO.
Cyber risks that threaten NPOs should not usually be much different from those that affect businesses. The main difference is likely the type of information kept by NPOs, such as more personal data from donors, and reduced capabilities to invest in sophisticated cybersecurity solutions. Some NPOs also rely on volunteers for administrative work and, given such occasional resources, the extent of training may not be as consistent or rigorous when compared with full-time staff.
Cold-shouldering technology tools or platforms is certainly not an option as such advances in technology can help to increase reach and effectiveness of the NPOs in spreading their messages and helping them to raise funds with higher efficiency and effectiveness. In order to embrace such operational models, NPOs will need to find a way to use technology to drive their operations forward without the fear of their data being breached or resources stolen.
The common rhetoric seems to be the affordability of strong cybersecurity, and most also prefer to believe that chances of them falling prey to scammers or hackers might not justify a big investment in stronger IT security defences. Unfortunately, the reach of cybersecurity incidents has been cast far and wide, and it has definitely happened much closer to home than many would expect.
The more pertinent question to ask might be what is at stake, and what it costs to protect themselves. Many think that they are not much at risk because their systems are mostly disconnected from the bigger public Internet but, unfortunately, cyber risks might extend further out to localised systems or more popularly and lucratively, the online bank accounts.
The good news is that there could be various ways to protect the NPOs and, most of the basic solutions might need more finesse and effort, rather than huge system investments.
While security tools can get outdated every time the system gets upgraded, a good cybersecurity training programme will apply to all iterations of the systems and not just the current versions. Most phishing attempts, social engineering scams and malware rely not on the antiquity of the system but on staff ignorance and power; that is, users are ignorant of the risks, and they have power over system assets or bank accounts. Getting employees at the organisation to be aware of such risks would be the important and often effective first step to protecting both digital and physical assets.
Many corporates have fallen prey to phishing emails which come with a link to a bogus website, such as a “banking” website, where username and passwords entered are then stolen and used for fraudulent purposes. Or they could scan a malicious QR code and next minute, they lose control of their system.
The biggest target for such phishermen must be the corporate bank accounts. Most phishing scams rely on creating urgency in the poor respondents, to quickly transfer out the funds. Hence, ensuring that Internet banking transfers must be done by at least two staff becomes a simple but effective way to prevent the bank account from being breached by one single person blinded or misled by the scammer. For bigger NPOs, further restrictions could be placed on online payee details so that creation and any changes to supplier bank information need to be subject to a verification and independent approval process.
NPOs might hold personal data of donors and volunteers. While such information might not be stored online, they could be downloaded from the system by internal staff or transmitted via email or other electronic channels. Any loss of personal data, whether to internal staff or while transmitting personal data, might incur severe penalties especially when the organisation is unable to demonstrate that adequate measures have been undertaken to protect the data.
Bulk downloading or printing of data is a common gap that can lead to both intentional or unintentional data leakage or theft. Such access should be strictly restricted and, in the first place, the need for such bulk downloading or printing should be further assessed. Oftentimes, such actions are not even needed, so system functions for bulk downloading or printing of data can be removed altogether.
Malware refers to software that are illegally installed in the victims’ computer or phone without them knowing. Such malware can do all kinds of things without the user knowing the processes going on in their devices. A more sophisticated malware can track the ongoing computer activities, including user account information keyed into websites or scanning the computer for sensitive files to send back to the perpetuator. Ransomware is a form of malware that can take over the computer and restrict access to the computer folders unless a “ransom” is paid.
In case of dire situations when computers need to be wiped clean to remove malware, having a recent backup could turn out to be a lifesaver. This can, for example, thwart ransonware threats since data can be restored from the backup. Having an effective backup strategy will mean assessing the timing of backups, where the backup files are being stored, and testing the backup files periodically to ensure they are fit-for-use whenever the need arises.
NPOs might usually be quite reliant on volunteers who offer their precious time to help them. Staff movements, which is a high cause for concern for many local businesses, should also be a common and even more acute concern at NPOs. Frequent changes of staff dilute corporate cybersecurity messages and controls since training sessions might not be able to keep up with staff movements.
Hence, key personnel leading smaller-scale NPOs will have to step up to understand the extent of cyber risks and to personally drive or even implement cybersecurity efforts. This will include not just setting the tone at the top but walking their talk as well. The leaders will need to drive cybersecurity measures to avoid relying on staff who come and go, and to ensure constancy of the measures set in place to address cyber risks. Having the right tone and actions driven from the top will also help to convince junior personnel that cybersecurity is not just the IT department’s problem but also theirs to manage.
Cybersecurity can be strengthened with the right mindset and effort. The solutions for smaller NPOs might not always have to mean large unsustainable expenditure on cutting-edge security devices. All these small building steps can add up to create a robust cyber wall for the smaller organisation but more importantly, foster the knowledge and awareness of cybersecurity requirements that will be more pervasive and longer lasting for the organisation.
Willy Leow is Head of Risk Advisory Services, BDO Advisory Pte Ltd, and Victor Lai is Principal Consultant, CitadelCorp.
© 2024 Institute of Singapore Chartered Accountants
