In my previous blog, I explored the risks that come with donations to charities and not-for-profits (NFPs). Cyberattackers may steal donors' money and data, and damage the reputation of the charity: a serious issue for groups that depend on public goodwill.
In this second part of my series on NFPs, we continue uncovering the 'treasure trove' of data NFPs hold, and why it makes them a candy shop for hackers and cybercriminals. By looking at the vulnerabilities that so many charities suffer from, we'll explore how better patch management can help boost their cybersecurity.
Why charities and not-for-profits are irresistible to hackers
Cyberattacks are pervasive across all industries and verticals, but, like many smaller organisations, charities and NFPs often assume that, because there are bigger fish worth a lot more, they will fly under attackers' radars. This expectation, coupled with tight budgets, means they generally have less sophisticated cybersecurity controls guarding their stash of donor data. The result? Charities and NFPs are a prime target for cybercriminals looking for an easy buck, with Oxfam Australia's recent data breach being just one example.
The cyber threats charities need to watch out for
The Australian Charities and Not-for-profits Commission (ACNC) has compiled a list of the sector’s most common cybersecurity risks, namely:
Unauthorised access to a device, network or system
Viruses or other malicious software that can collect, change or delete information and spread throughout a network
Fake emails or websites set up to trick someone into revealing personal or sensitive information
In part one of this series, we covered both fake charities and spoofed websites for genuine charities. In those cases, the risk of fraudulent email can be mitigated with email authentication controls such as DMARC (which lets receiving mail servers reject messages that spoof your domain). Organisations conscious of potential reputational damage have also been moving to brand monitoring tools such as Brand Exploit Protect, which help them take down websites imitating their branding and misusing their intellectual property.
Attacks from malicious software (malware) and unauthorised access require different solutions, and software patching is a vital part of the equation.
Why patching matters for charities and not-for-profits
Today we're looking at a facet of risk mitigation that is very much in the control of IT teams: patching applications and updating operating systems. Both are part of the Australian Signals Directorate (ASD) Essential Eight mitigation strategies.
A patch is a software update (free or paid) that fixes vulnerabilities discovered in an existing application or operating system after it was released. Until the patch is applied, these weaknesses can give cybercriminals a way into your network. Patching both the applications and the operating system (such as Windows) that your organisation uses is vital from a security perspective, and patches often add new features and remove unwanted bugs as well.
How criminals exploit security flaws
The solution seems obvious, doesn't it? Every organisation should be running the latest version of its applications and operating system, right?
But patching isn't always simple, and it takes time. That can be a problem in the charity and NFP space, where cyber resources are generally limited. Security vulnerabilities pose a huge threat to the sector, in particular zero-days: weaknesses that attackers are already exploiting before the vendor has released a fix, leaving defenders with no patch to apply until one is issued.
The Australian Cyber Security Centre's (ACSC) 2021 report notes a continuing trend of state-sponsored actors and cybercriminals exploiting publicly reported security vulnerabilities to compromise large numbers of organisations. In terms of how attackers exploit these vulnerabilities, the ACSC notes that:
the cybercriminal may directly target vulnerable servers to access systems
exploits may drop malware onto vulnerable systems
they may also allow hackers remote access into a network
exploits may also be delivered via social networking sites
Combined with social engineering scams, this puts unsuspecting users at high risk of unwittingly becoming the delivery mechanism for malware.
Patches need proactive management
In March 2021, the ACSC called out one of the year's highest-profile security vulnerabilities. Multiple actors had exploited a zero-day vulnerability to compromise on-premises Microsoft Exchange Servers. After Microsoft issued a patch in response, the ACSC observed that malicious actors were still targeting and exploiting this vulnerability in unpatched Microsoft Exchange Servers.
Many organisations did not deploy the patch rapidly. The result? These malicious actors were gaining access to emails and other information stored on Microsoft Exchange Servers. Worse, a patch only closes the door: it does not remove an attacker who walked through it before the patch was applied, so organisations that patched late also needed to check their servers for signs of earlier compromise.
Yet the solution is not to deploy every patch blindly the moment it is released, either. Actively exploited flaws in internet-facing systems, like the Exchange case above, need to be fixed within days; for everything else, an effective cyber strategy weighs the impact that patching will have on the wider organisation:
has the patch been properly tested?
does patching a specific application remove its compatibility with an existing critical legacy application?
what if the benefit of patching is marginal to the organisation, but an important workflow is now broken, and all processes come to a standstill?
Good cybersecurity teams understand this, which is why we see patch management software being used across organisations as a more strategic approach. Patch management itself has multiple key steps, and it requires vigilant planning, monitoring and documentation if it is to benefit productivity and mitigate risk.
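To make those steps concrete, here is an added example of a small patch-triage helper. It is not code from the original post or from any vendor's patch management product; the asset inventory, advisories, product names, priorities and deadlines are all constructed for illustration. Given which versions are installed and which versions contain a fix, it works out which assets are still vulnerable, assigns a priority and deadline (fastest for actively exploited flaws on internet-facing hosts), and records the checks that must be done before rollout, including compatibility with any legacy application the asset depends on.

```python
"""Patch triage helper (added example; data and policy are constructed)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool
    business_critical: bool
    depends_on: tuple = ()  # legacy apps whose compatibility must be verified


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str  # first version that contains the fix
    actively_exploited: bool


@dataclass
class PlanItem:
    host: str
    product: str
    current: str
    target: str
    priority: str
    deadline: date
    pre_checks: list = field(default_factory=list)


def parse_version(v: str) -> tuple:
    """'15.2.792.3' -> (15, 2, 792, 3); tuples compare element by element,
    and a shorter tuple sorts first, so (2, 1) < (2, 1, 1)."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(asset: Asset, advisory: Advisory) -> bool:
    """An asset is vulnerable if it runs the product below the fixed version."""
    if asset.product != advisory.product:
        return False
    return parse_version(asset.version) < parse_version(advisory.fixed_version)


def prioritise(asset: Asset, advisory: Advisory, today: date):
    """Assumed policy: exploited + internet-facing is an emergency (48 h);
    either alone is high (2 weeks); everything else is the normal cycle."""
    if advisory.actively_exploited and asset.internet_facing:
        return "P1-emergency", today + timedelta(days=2)
    if advisory.actively_exploited or asset.internet_facing:
        return "P2-high", today + timedelta(days=14)
    return "P3-normal", today + timedelta(days=30)


def build_plan(assets, advisories, today: date) -> list:
    """Produce a documented, prioritised patch plan for every vulnerable asset."""
    plan = []
    for adv in advisories:
        for a in assets:
            if not is_vulnerable(a, adv):
                continue
            prio, due = prioritise(a, adv, today)
            checks = ["vendor patch notes reviewed",
                      "patch tested on a pilot/non-production host"]
            for dep in a.depends_on:
                checks.append(f"compatibility with {dep} verified")
            if a.business_critical:
                checks.append("rollback point taken and maintenance window agreed")
            plan.append(PlanItem(a.host, a.product, a.version,
                                 adv.fixed_version, prio, due, checks))
    # Most urgent first; deadline and host name break ties deterministically.
    plan.sort(key=lambda p: (p.priority, p.deadline, p.host))
    return plan


# Constructed sample data: a small NFP estate and three made-up advisories.
SAMPLE_ASSETS = [
    Asset("web-mail-01", "mail-server", "4.2.0", True, True),
    Asset("web-mail-02", "mail-server", "4.3.1", True, True),  # already fixed
    Asset("donor-db-01", "donor-crm", "2.1", False, True, ("legacy-receipts-app",)),
    Asset("volunteer-pc-07", "pdf-reader", "9.0.1", False, False),
]
SAMPLE_ADVISORIES = [
    Advisory("mail-server", "4.3.0", actively_exploited=True),
    Advisory("donor-crm", "2.1.1", actively_exploited=False),
    Advisory("pdf-reader", "9.1", actively_exploited=True),
]


def sample_plan(today: date = date(2021, 4, 1)) -> list:
    return build_plan(SAMPLE_ASSETS, SAMPLE_ADVISORIES, today)


if __name__ == "__main__":
    for item in sample_plan():
        print(f"{item.priority:13} due {item.deadline} {item.host}: "
              f"{item.product} {item.current} -> {item.target}")
        for check in item.pre_checks:
            print(f"    [ ] {check}")
```

In the sample run the internet-facing mail server with an actively exploited flaw comes out first with a two-day deadline, the volunteer PC's exploited but internal reader gets two weeks, and the donor database, which is neither exploited nor exposed, goes into the normal cycle with an explicit reminder to verify the legacy receipts application first. The already-patched second mail server does not appear at all, which is the kind of evidence an executive summary can be built from.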
Resourcing and threat management in an NFP environment
Patch management requires time and resources from a dedicated IT team, which simply may not be an option for some charities and NFPs. These teams are continually asked to do more with less, and patch management typically ends up on the back-burner for overburdened IT teams on a budget.
Even where the resources exist, the testing, compatibility and workflow questions above still have to be answered for each patch, and that work has to be planned, tracked and documented rather than squeezed in when someone has a spare afternoon.
The solution is to treat patch management as a critical business requirement, rather than just a matter for security and IT teams to chisel out budget for. Sharing the right information with senior executives, such as how many systems are exposed to an actively exploited vulnerability and how long they have been waiting, can help cybersecurity departments show business leaders just how key this is.
Keeping not-for-profits and charities safe
Cyberattacks do not pass NFPs and charities by. Criminals will exploit any opportunity in the sector, and unpatched software offers them a wide open door.
Various approaches can help, including teaching employees to spot phishing scams, but one of the best strategies NFPs and charities can deploy is effective patch management, so that vulnerabilities are addressed in a way that benefits the whole organisation. In the next blog we'll talk about the role of staff in keeping NFPs safe, with a heavy focus on volunteers: both your greatest asset and potentially your greatest risk. Until then, encourage cyber awareness and practise good patch management!