Today’s threat landscape is constantly evolving, and new areas of cyber-threat are discovered daily. With virtually every individual and organisation at risk of falling victim to cyber-attack and subsequent heavy losses, cybersecurity has become an integral part of protecting our lives and business processes.
But what is the significance of cybersecurity for the Not-for-Profit industry, and Community Housing Providers more specifically?
Cybersecurity is of critical concern for not-for-profit organisations as they are increasingly targeted by cyber-criminals and oftentimes do not have suitable security controls and response plans in place prior to attack. This can make it incredibly difficult to withstand the debilitating effects of a breach and swiftly recover operations. Moreover, cybersecurity is crucial because, like all Community Housing Providers (CHPs), each of PowerHousing Australia’s members holds a vast amount of personal employee, donor and patron information. Vicious hackers are after this type of sensitive data, and due to the industry’s reputation for lacking security measures, cyber-criminals see not-for-profits as easy and lucrative victims.
In order to provide some context around the aforementioned debilitating effects of an information security breach, it is essential to look at the overall financial damages that can occur. According to IBM’s Cost of a Data Breach Report 2020, the average cost of a data breach in Australia is just under $3 million – a 9.8% increase from last year’s figures.
Australia also ranked in the top 3 countries with the highest percentage of breaches caused by malicious attack, with 57% caused by an external attacker and, notably, 22% of incidents caused by human error. Many don’t recognise that outsider attacks are not the only source of cyber-threat: a lack of internal security awareness is also a major risk. This is particularly concerning because this industry operates on valued federal and state government funding, and each dollar of these resources must be justified. Not-for-profits - and CHPs more specifically - cannot risk their missions being halted and funding drained by internal mistakes that are so easily avoided.
What happens when data is breached?
In April of 2018, the reproductive and health services not-for-profit Family Planning NSW (FPNSW) was hacked, and the information of over 8000 individuals was stolen and held to ransom. While Family Planning ensured that their website was secured by 10 am the morning post-attack, the hacker had already stolen over two and a half years of clients' personal data.
FPNSW refused to pay the ransom. To this day, the adversary has the power to expose sensitive information of thousands of vulnerable members of the community, including women who sought contraception, abortion, and other health services. It is widely known that victims of ransomware should not pay their attacker's ransom demands. Even if the attacker successfully extorts both the money and data, they are still likely to sell this vital information on the black market. The whereabouts of this information and the ways in which it is used are thereby untraceable, and this is all the more worrying for the individual victims’ security.
What are the true costs of not having a cybersecurity framework in place?
A breached organisation will face lasting financial, compliance, reputational and operational repercussions that will hinder their functioning and ability to provide for the community they seek to serve.
As previously mentioned, the average cost of recovering from a data breach is $3 million. However, true costs are much more extensive. Under the Notifiable Data Breach Scheme, all organisations covered by the Privacy Act 1988 must notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) of a breach. While the organisation’s reputation is tarnished with a stain of security incompetency and untrustworthiness, they also can face a further fine of $2.1 million if they do not comply with proper reporting criteria.
Data breaches have more than just financial repercussions. They are an existential and operational issue.
Society is growing increasingly intolerant towards security breaches. People are hesitant to work or be associated with organisations they cannot trust with their data. This means that patrons may be cautious about reaching out for support and moreover, donors and partners may be reluctant to continue funding operations. Losing funding avenues can make carrying out the mission of providing housing to low income earners and struggling community members even more difficult.
As with FPNSW’s incident, the implications of data theft are widespread and can affect the individual victims on an extremely private level. The effects this could have on the lives of the individual victims are more uncertain and exist at a granular, deeply personal level. Privacy will forever be a tentative issue for the victims. Once their information is disclosed, they are forced to take action, change personal details and stay on high alert for suspicious activity. This can be a daunting and exhausting process.
Top Threats for the Sector
The three most common ways for hackers to compromise an organisation’s network are as follows:
1. Email Scams or ‘Phishing’
According to the OAIC’s Notifiable Data Breach report – January to June 2020, phishing is the top method by which credentials are compromised. Email scams are a top threat vector because they are so easy and cheap to deploy. They are also highly effective because they hinge on manipulating the trust of one of your best security defences – your people.
The hacker will pose as a trustworthy entity or colleague and compose a seemingly legitimate email. The email may contain links to fraudulent sites or malware attachments, or encourage users to divulge credentials or transfer money.
2. Malware - Ransomware
The term ‘malware’ refers to malicious software – such as ransomware, viruses and spyware – used by cybercriminals to damage their target’s network and disrupt operations. Ransomware encrypts files, which are then used to extort money, and spyware is deployed for espionage and data theft purposes.
3. Exposed Systems
While hackers have taken a new focus on compromising human defences, this does not mean they neglect targeting your technological security perimeters. New system vulnerabilities are found daily and security gaps in unprotected and outdated systems allow cybercriminals a backdoor into your network and applications.
This is why it is imperative for Community Housing Providers and the entire not-for-profit industry to review and implement cybersecurity frameworks.
It is essential to audit your people, processes, policies and technologies to keep your organisation and the people you support safe.
Proactive cybersecurity efforts can help you avoid extensive repairs and huge losses. Implementing the proper protection and mitigation framework will fortify your systems and be more cost-effective in the long term. Effective cybersecurity will make it more difficult for adversaries to breach your information, reduce response time in the event of a security incident and optimise your reparation efforts.