Like any other type of organisation, charities are not immune to cybercrime. We have seen instances of cybercrime become more prevalent during times of crisis, specifically the current pandemic, as “opportunistic” cyber criminals seek to take advantage.
Fraud poses a serious risk to valuable funds and sensitive data and can damage the good reputation of charities, affecting public trust and confidence in the sector as a whole. The Charities Regulatory Authority (“CRA”) has recently issued a guidance note entitled “Protecting your charity from cybercrime”.
This guidance provides practical advice to charities on protecting their organisations against cybercrime, and recommends that the following key areas be considered and incorporated into your risk assessment procedures in order to reduce this risk:
Software & Encryption
- Ensure devices have the latest software installed and that anti-virus software is up to date
- Use dedicated malware / virus protection software
- Ensure sensitive data is encrypted appropriately
- Encrypt sensitive data held on devices and install remote locking so that a lost or stolen device can be locked
Password protocols and best practice
- Ensure strong passwords are used and change them regularly
- A strong password is one which is long, ideally 12-15 characters, and contains a random mix of upper and lower case letters, numbers and special characters
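The following added example (not part of the Charities Regulator note or of RBK's material) turns the password rule above into a check that a charity's IT staff could run when setting up accounts. The 12-character minimum is taken from the lower end of the note's "12-15 characters"; the two "random mix" heuristics (distinct-character count and no sequential runs such as "abcd" or "1234") are this example's own assumptions and are not in the note.

```python
"""Password policy check modelled on the Charities Regulator note quoted above.
Added example: the 12-character minimum follows the note; the 'random mix'
heuristics (distinct characters, no sequential runs) are assumptions."""
import string

MIN_LENGTH = 12                      # lower bound of the note's "12-15 characters"
SYMBOLS = set(string.punctuation)    # what the note calls "characters" (special characters)
MIN_DISTINCT = 5                     # assumed: a random mix is not one or two characters repeated
SEQUENTIAL_RUN = 4                   # assumed: reject runs like "abcd" or "1234"


def _has_sequential_run(text: str, run: int) -> bool:
    """True if any `run` consecutive characters ascend by one code point each
    (e.g. 'abcd', '1234'), which is the opposite of a random mix."""
    for i in range(len(text) - run + 1):
        window = text[i:i + run]
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(run - 1)):
            return True
    return False


def password_problems(password: str) -> list[str]:
    """Return the list of policy rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    if len(set(password)) < MIN_DISTINCT:
        problems.append("too few distinct characters")
    if _has_sequential_run(password, SEQUENTIAL_RUN):
        problems.append(f"contains a sequential run of {SEQUENTIAL_RUN}+ characters")
    return problems


def is_acceptable(password: str) -> bool:
    """Convenience wrapper: True only when no rule is broken."""
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed sample passwords for illustration only
    for pw in ["charity2020", "Charity2020!", "Tr3e-Fund!Aut0mn", "Abcdefgh1234!!"]:
        print(f"{pw!r}: {password_problems(pw) or 'passes'}")
```

The function returns every rule that failed rather than a single yes/no, so the person setting the password is told exactly what to change; the sequential-run check exists because "Abcdefgh1234!!" satisfies all four character-class rules yet is far from a random mix.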
Data & Record retention
- Backups of data should be taken regularly
- Regular backups will protect and insulate your organisation in the event of a ransomware attack
- Ensure you have clearly documented policies and procedures around data recovery and the taking of backups, and that you are adhering to them
- Technical expertise should be sought to assist with data retention and recovery policies if required; this can be outsourced to a third party
- Ensure your Wi-Fi connection is secure
- Never use public Wi-Fi, e.g. that offered on public transport, in cafes, airports etc., or a Wi-Fi connection which does not require any kind of log in or screening before you access it
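The backup bullets above stress documented recovery procedures as well as regular backups. A backup only insulates you from ransomware if it can actually be restored, so the following added example (not from the Charities Regulator note or from RBK) shows a backup routine that records a SHA-256 manifest of every file it archives and then proves the archive restores cleanly into a scratch directory. All file names and contents are constructed for the example; the directory layout is hypothetical.

```python
"""Take a compressed backup, record a per-file manifest, then prove the backup
restores cleanly. Added example; all paths and file contents are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive `source` into `archive` (tar.gz) and return a manifest
    {relative_path: sha256} of every regular file that was backed up."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(file, arcname=rel)
    # Keep the manifest beside the archive so a later restore test can use it
    manifest_path = archive.with_suffix(archive.suffix + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(archive: Path, manifest: dict) -> list[str]:
    """Restore the archive into a scratch directory and return the files that are
    missing or whose content differs from the manifest (empty list = restorable)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter rejects absolute paths and '..' entries in the
                # archive; it exists on Python 3.12+ and recent 3.8-3.11 releases.
                tar.extractall(scratch_dir, filter="data")
            except TypeError:
                tar.extractall(scratch_dir)  # older Python: archive is our own
        for rel, expected in manifest.items():
            restored = scratch_dir / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"content mismatch: {rel}")
    return problems


def demo() -> tuple:
    """Constructed end-to-end run: back up a small directory, verify the restore,
    then show the check catching a mismatch. Returns (clean_result, broken_result)."""
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        source = work_dir / "charity_records"            # hypothetical data folder
        (source / "donors").mkdir(parents=True)
        (source / "donors" / "2020.csv").write_text("name,amount\nA. Donor,50\n")
        (source / "policies.txt").write_text("Backups: weekly, restore test monthly.\n")
        archive = work_dir / "charity_records.tar.gz"
        manifest = make_backup(source, archive)
        clean = verify_backup(archive, manifest)
        # Simulate a damaged backup: the expected hash of one file no longer matches
        tampered = dict(manifest, **{"policies.txt": "0" * 64})
        broken = verify_backup(archive, tampered)
    return clean, broken


if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore problems:", ok or "none")
    print("simulated damage detected:", bad)
```

Run the restore test on a schedule (and after any change to the backup procedure), and keep the manifest and the archive on separate media from the live system: a ransomware infection that can reach the backup can encrypt it too, which is the scenario the bullets above are guarding against.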
Common Types of Cybercrime and how to deal with them
- Beware of phishing, i.e. where you receive an email, telephone call or text message from someone posing as a legitimate institution such as Revenue or your bank. The aim of this communication is to get you to provide confidential and sensitive data such as PINs and passwords.
- With regard to phishing, take extra care with all forms of communication received and always verify the identity of the person you are dealing with.
- Always be wary of unsolicited communications.
- Be ultra cautious with regard to clicking on links or opening attachments.
- Adopt a sceptical approach, i.e. if you are contacted about something that looks too good to be true, it generally is.
- Beware and be mindful of ransomware attacks, i.e. where a virus attacks your system and encrypts sensitive data. The attacker then demands a ransom, promising to restore access to the data upon payment. Malware protection software and strong data retention and protection protocols will insulate and mitigate against these types of attacks.
Other helpful hints & Final items to consider
- Disable network sharing and folder/file sharing. Sometimes your settings allow other computers and devices on the network to find your computer. Usually you receive a prompt when connecting to a new network asking if you want to automatically connect to devices, for example printers; you should click no to this option.
- Appropriate training should be considered for charity trustees, staff and volunteers. This will ensure that they are able to identify cybercrime and take appropriate action.
- GDPR applies to the processing of all personal data, so it is important to ensure that data processed remotely is as secure as it would be in the physical office environment.
- Report any suspicious activity to An Garda Síochána.
- More information, advice and tips can be obtained from the National Cyber Security Centre, the Data Protection Commissioner, An Garda Síochána (fraud prevention brochure) and Banking & Payments Federation Ireland (Fraud section).
How we can help
RBK has a dedicated IT department which can help your organisation ascertain its cybercrime risk, work with you to update your software or set up new IT systems, and then ensure policies and procedures are updated so that these risks are mitigated. The Charities Regulator's guidance note can be accessed in full here.
For further details, please contact our team on (01) 6440100 / (090) 6480600:
- Ronan Kilbane, Audit & Business Advisory Partner
- Michelle O'Donoghue, Audit & Business Advisory Director
- Evelyn Smyth, Senior Manager Audit & Business Advisory