Data breaches a major threat to not-for-profit sector

Following the Optus and Medibank mega-hacks, not-for-profits are on higher alert for cybersecurity threats, but many should be looking closer to home.

While many are focused on the real threat of Russian criminal hackers, the Office of the Australian Information Commissioner (OAIC) told Our Community Matters that data breaches in the charity and education sectors were far more likely than those in other sectors to be caused by human error.

Data from the OAIC’s Notifiable Data Breaches Report: January to June 2022 shows human error was behind 63% of breaches in the education sector and nearly 50% of charity breaches. That’s compared to 33% for all Australian organisations.

According to the report, 54% of human error breaches involved personal information being sent to the wrong recipient by various methods including unintended publication, email, post and data storage devices.

But not-for-profits should not think that they aren’t vulnerable to hack attacks, with more than half of all charity breaches and 27% of education breaches caused by malicious or criminal attacks.

In the latest attack, Legal Aid ACT refused to pay a ransom to cybercriminals who stole its data on vulnerable clients, including domestic violence survivors.

While the cause of the latest cyberattack is unknown, the OAIC says that even in malicious attacks, human error was often a factor, such as where people were tricked into handing over their credentials.

The latest data reveals that breaches in the health sector – which has many NFPs – accounted for one in five of all breaches.

In the six months to June, and before the Optus and Medibank hacks, the top three sectors for breaches were health service providers (79), finance (52) and education (35).

The Australian Information Commissioner and Privacy Commissioner, Angelene Falk, said recent data breaches were a wake-up call for every organisation.

“I urge all organisations to review their personal information handling practices and areas of ongoing risk identified in our report. Only collect necessary personal information and delete it when it is no longer required.”

“Organisations in the not-for-profit sector can reduce the risk of human error by promoting staff awareness about secure information handling practices,” she said.

She said organisations should look to technology solutions such as multi-factor authentication and email filtering to help staff.

“It is also important that organisations anticipate the risk of human error and design systems and processes to reduce the likelihood of mistakes occurring.”

Survey shows too few NFPS are prepared for cyber threats

In another study showing the extent of the problem, a national survey by NFP tech support agency Infoxchange reveals 54% of not-for-profits have no staff training in cybersecurity and 45% don't have a response plan in case of breaches.

The Digital Technology in the Not-for-Profit Sector study of 600 Australian and New Zealand not-for-profits showed only half had an information security policy in place.

Infoxchange CEO David Spriggs said the sector should make data protection a top priority in the wake of recent cyber attacks, and said groups could take simple steps to protect their systems.

“Perhaps they do not fully understand the importance of ensuring their client data is safe and secure, and the potential consequences of a breach, or maybe they are unaware of the simple steps they can take to protect their systems or the support available at the Digital Transformation Hub,” he said.

How big is the problem?

Last year, the OAIC reported 910 “notifiable” data breaches.

The biggest case to shock the sector recently was an attack on UnitingCare Queensland by a notorious ransomware gang in April 2021. It was not until November that the organisation said it was “pleased to advise that our key business systems have been returned to full functionality”.

ICDA has previously profiled the impact of a serious data breach affecting Family Planning NSW, in which a ransomware attack exposed the sensitive data of 8000 clients. The Red Cross accidentally released the information of 550,000 blood donors in 2017.

Those organisations are just a few of the not-for-profits targeted in recent years, but the real number in the community sector could be higher, given not-for-profits with revenues less than $3 million aren’t required to report under the Privacy Act.

A recent study by ICDA found that thousands of crimes targeting NFPs were going unreported. The Fraud & Cybercrime report surveyed 1900 community leaders and found one in five had been affected by fraud or cybercrime, yet two-thirds had not reported the incident to police. A UK study found 41% of charities experienced a cyber attack last year.

Amid a crackdown on breaches, the Community Council for Australia warned of unintended consequences for the sector. CEO David Crosbie said the organisation – which is the peak representative body for the community sector – was concerned that proposed new federal data security laws proposing fines of up to $50 million or 30% of turnover might “spell the end of most charities”.

But Ms Falk said organisations must put accountability at the centre of their information handling practices.

“Australians expect that their personal information will be handled with care when they choose to engage with a product or service and are more likely to entrust their data to organisations that have demonstrated effective privacy management,” Commissioner Falk said.

How to protect your organisation

The OAIC urged better awareness about information handling, better technological solutions such as software updates and email filtering, and better systems and processes to minimise human error.

That’s consistent with information from the Commonwealth Bank’s security outreach and customer engagement team, which believes the three areas where defences must be strong to protect organisations from cyber attacks, breaches and errors are people, processes and technology.

Team members Christopher Sant and Michael Smale provided the following guidance to not-for-profits in a recent webinar.

Do your people care about cyber safety?

Mr Sant said workers and volunteers were essential to good cyber safety, and every organisation should consider:

• training for employees and volunteers
• whether staff and others actually care and understand their contribution, such as by using strong new passwords, and certainly not the same ones they use at home
• whether your people would take the bait with phishing emails, or would instead report their suspicions to IT.

What’s your process?

Not-for-profits must have a good handle on how they’re handling data and what to do if things go wrong. Key issues include:

• knowing where data is stored, on the cloud or elsewhere, and what risks should be considered
• having a handle on your data “lifecycle”, including retaining, protecting or deleting data as needed
• understanding privacy laws and policies
• being aware of third parties with access to your data, such as software developers or suppliers
• having a plan of action in the case of a breach, one that you’ve tested and know that works.

Make your tech work well

Mr Smale said that to protect themselves, organisations should use the right kinds of technology, which will address matters such as:

• how you are transferring sensitive files
• using two-factor authentication (2FA)
• using available email settings to prevent impersonators “spoofing” your emails and to control spam and phishing threats
• using the technology in modern software applications to control permissions, block ransomware, and keep software updated with the latest protections
• backing up critical data to help you recover from any attack
• ensuring you’ve got protocols in place for replacing stolen devices.

He said that boards and leaders must ensure they “ask the right questions”, develop a mindset that understands the risks, and put the right kinds of processes in place.

The advice from Mr Smale and Mr Sant builds on that provided by fellow team member Adam Smallhorn in a cybersecurity webinar last year, in which he stressed that many protective methods were free or easy to implement.

He nominated the top four safety measures organisations should take immediately:

• provide education
• require two-factor authentication on critical accounts
• protect your email
• update software regularly.

Mr Smallhorn said educating staff and volunteers and creating a culture of data safety was often the first big step towards keeping an organisation protected.

Two-factor authentication worked as a second line of defence for critical accounts, Mr Smallhorn said, by requiring users to enter an extra code when signing on, especially onto new accounts or new computers. This helps prevent password attacks.

“If you do one thing, this is going to really help. This is really good bang for buck,” Mr Smallhorn said.

Email “quick wins” include automatically delaying sending important emails to avoid accidental sends (even if delays are set for just one minute), using in-built security tips in email software, and disabling auto-complete functions to prevent emails being sent to wrong addresses or with inappropriate information.

And he said automatic updates on critical software help ensure that anti-virus software, browsers and operating systems are less vulnerable.

Mr Smallhorn warned that “the easiest attack vector for criminals is people”.

In one example, he showed how a would-be hacker could simply look at a founder’s bio, usernames, social media accounts, birthdays and other dates, favourite sports teams, pets’ names and children’s names, and use that information in a freely available password generator.

Password generators can compose 10,000 likely passwords in “milliseconds”, and these can be used to access websites, emails and worse.

“That’s why we say that people are actually a huge component of your cybersecurity.”

He said phishing scams accounted for most successful cyber attacks, and that even though 80 per cent of workers knew the risks, “they click on the link anyway”.

He stressed that raising awareness of the risks – and increasing knowledge about the signs of phishing scams, such as misspellings and requests for personal information – was very important for organisations.

Questions to ask include “Have I talked to my staff, my team about this? Are we vulnerable to attack?”

His top tips?

• Lead by example, and require your organisation to use strong passwords
• Make someone in the organisation responsible for cybersecurity
• Focus on people and processes, not just technology
• Build a cybersecurity culture
• Use the free resources available.

He suggested a good place to start your cybersafety journey was with Damn Good Advice on Cyber Safety and Fraud Prevention, jointly produced by Our Community and CommBank.