Charities shouldn't expect reprieve from hackers

Representation of a cyber criminal
(Image credit: TheDigitalArtist / Pixabay)

More than two in five charities experienced a cyberattack in 2021 proving that it’s not just large corporations that are a target for malicious cybercrime. Yet, despite the recent surge in cybersecurity incidents, research shows non-profits are unwilling to direct resources toward fighting cybercrime.

About the author

Jamie Moles is Senior Technical Manager at ExtraHop.

Recently, the Red Cross, one of the largest humanitarian organizations in the world, was hit by a cyber attack that stole the data of more than 515,000 highly vulnerable people. From the perspective of the hacker, infiltrating the Red Cross is no different than infiltrating any other operating entity. Most non-profits have ample cash flow used to fund operations, but are notoriously lagging in preventative cyber security measures compared to other industries - a win-win for cybercriminals looking for a quick pay-day.

While the Red Cross data is yet to be released publicly, it is in the hands of bad actors that hold serious leverage over the charity. This presents a major issue for organizations like the Red Cross, who work with vulnerable populations and have sensitive data that may impede the organization's goals if exposed. As recent history has shown, attackers seem just as likely to target non-profits as they do a for-profit entity. Hoping that these criminals have the same ethical or moral standards as a regular member of society is not an adequate protection against attack.

Why charities attract cybercriminals

Charity is big business nowadays. There is much concern from charity watchdogs about some larger organizations holding significant capital in investments and not spending it on the cause they are meant to be championing. A few prominent charities in the UK have been accused of spending less than 10% of their income on their stated mission - the rest going on salaries, premises and marketing. In fact, news recently broke that The Captain Tom Foundation - a household name after raising more than £1m for the NHS during the pandemic - spent more on ‘support costs’ than it donated to charities. Entrepreneurial criminals view these organizations like any other business.

The Red Cross is reputed to spend 72% of its donations on charitable services, yet this didn’t deter attackers from penetrating its systems. The responsibility of sensitive data is crucial for the credibility of the Red Cross and the trust of the vulnerable people it works with, such as those who have fled conflict or were prisoners. This attack highlights how vital it is that charities have robust security measures in place to stop an attack in its tracks.

No one is safe

Charities aren’t well known for spending money on security, which is a fatal flaw as a reliance on the goodwill of hackers will not suffice. The majority of nation state attacks are purely money-driven or information-driven. Alternatively, hacker gangs are motivated by attention, eager to flaunt their skills to the world. For this reason, attacks are usually claimed within a matter of hours to gain recognition.

Cyberattacks on charitable organizations can play out in a number of ways. If targeted, the charity could - and should - plead their case to the extorters not to release the data - like in the case of the Red Cross. Although, without the promise of payment, it’s unlikely that the attacker will care.

Alternatively, the attackers could be concerned about bad press surrounding attacking a charity and move on to other targets. Interestingly, a gang hasn’t yet claimed the attack on the Red Cross, so this could have been the case.

2021 had some of the biggest cyberattacks in history including the US Colonial Pipeline, the Irish Healthcare System and software provider Kaseya, showing the scope of targets hackers are willing to go after. Whether it's shutting down national infrastructure or a charity, it’s clear these groups don’t discriminate based on business type. So why would charities count themselves safe?

Protecting the cause

Charities, like all businesses, must have a security operations team in place to help protect from attacks. It is necessary to have a team that can use the tools available to increase their ability to detect attacks earlier, particularly unknown threats, and in turn, be able to respond quickly.

Some organizations may already have certain safeguards in place, such as a security information and event management (SIEM) solution which is the primary tool for many security teams. This is a great place to start when investigating and responding to a threat, but a SIEM solution is only as good as the data you put in it. As threats become more and more sophisticated, a SIEM tool is more likely to miss something. Therefore, one of the best steps organizations can take is to tightly integrate a behavioral analysis network monitoring solution with their SIEM tool.

Networking monitoring tools outrival other solutions at detecting unknown threats. They are passive and covert, constantly observing all network traffic in the organization's environment. This type of solution can detect even the most subtle behaviors through machine learning with behavioral analysis.

Also, certain network monitoring tools have additional sophisticated capabilities. While attackers have acquired more advanced techniques like hiding in encrypted traffic, a few select tools can decrypt network traffic to detect malicious behavior.

By upgrading current security and integrating network monitoring solutions with current SIEM tools, charities can make sure they are fully protected, able to detect unknown threats quickly and investigate to make sure they don’t reoccur. Charitable organizations as a result need to put as much care into their own security systems as they do for the vulnerable people they protect.

We also feature the best endpoint protection software.

Jamie Moles is Senior Technical Manager at ExtraHop. He brings more than 30 years cybersecurity experience helping customers understand and mitigate the risk contemporary threats pose to their business.