Unfortunately, more charities are being targeted by cybercriminals than ever before. A recent government report found that 26% of charities had identified a cyber breach in 2020, up from 18% in 2018. And while nearly three-quarters of charities say they consider cybersecurity a high priority, only just over one-third actually had a cyber security risk assessment in place.
The problem, then, is twofold: charities are more exposed to cyber threats than ever before, and at the same time they are not doing enough to defend themselves. A charity running a vulnerable system can be targeted at any time, and that risk extends to its suppliers as well, as the recent Blackbaud data breach showed: a ransomware attack on a third-party provider of fundraising software exposed the donor details of charities including the National Trust and Crisis.
It is also worth noting that charities carry a particular responsibility with regard to data protection and compliance. Charities naturally hold the personal details of donors and take regular payments, so they need appropriate defences in place in order to remain compliant with the General Data Protection Regulation (GDPR) and PCI DSS.
Thankfully there are many techniques that charities can use to shore up their defences, and a big part of this is uncovering vulnerabilities before the criminals do. One of the most important methods of uncovering vulnerabilities is penetration testing.
What is penetration testing and how is it carried out?
Penetration testing involves engaging a qualified person or team to use the same techniques that cybercriminals use, with your written authorisation and within an agreed scope, in order to test the defences of your systems. The aim is to uncover the kinds of vulnerabilities that cybercriminals could exploit so that they can be fixed before an attack takes place. Bear in mind that a penetration test is a snapshot: it reflects the state of the systems on the day of testing, so it needs to be repeated after significant changes and at regular intervals.
There are two options for having the testing carried out: you can use a member of your own team with the appropriate skills and expertise, or you can work with an outside business that specialises in penetration testing.
Doing it in-house can in theory be cheaper. However, individuals with the skills and experience to carry out competent penetration testing are uncommon, and the vast majority of charities, even those with large cybersecurity budgets, do not have such professionals on staff. An external tester also brings an unbiased view of your systems, which is often far more effective than relying on the people who built and maintain them.
With this in mind, many charities prefer to use external penetration testers. Doing so requires careful planning, but it can be extremely effective.
How to find the right penetration testing company
Trust is clearly the most pressing issue when choosing a company to carry out your penetration testing: ultimately, that company will be using the techniques of cybercriminals and hackers to find the vulnerabilities in your systems, and you need to feel secure in the people doing it. It is therefore important to obtain testimonials and references. This not only ensures that you are working with a company you can trust, but also one that has helped charities and other organisations in the past.
It is also important to work with cybersecurity companies that hold appropriate credentials. Look for companies accredited by CREST. This shows that they are experienced industry professionals who have undergone a thorough vetting procedure by an independent industry body. Before any testing starts, make sure the scope, the rules of engagement and the authorisation to test are agreed in writing. It is important to know not only that the company is able to carry out the test, but also that it has the expertise to help you understand the remedial steps needed to fix any vulnerabilities it finds.
How to find the right penetration company
Clearly trust is the most pressing issue with finding a company to carry out your penetration testing – ultimately, this company is going to be using the techniques used by cybercriminals and hackers to find the vulnerabilities in your system. You need to feel secure in the people that are doing it. As such it is important to get testimonials and references. This not only ensures that you are working with a company that you can trust, but also one that has been able to help charities and other organisations in the past.
It is also important to work with cybersecurity companies with appropriate credentials. Look for companies that are accredited by CREST. This shows that they are experienced industry professionals and have undertaken a thorough vetting procedure by an independent industry body. It is important to know not only that the company is able to carry out the penetration but that it also has the expertise to help you understand potential remedial steps to fix any vulnerabilities encountered.
Understand the scope of your needs
In order to organise effective penetration testing for your charity, it is vital to understand the scope and the boundaries of the testing you need to have carried out.
You may be looking to have your whole system comprehensively tested for vulnerabilities, or you may be specifically interested in a certain aspect of your defences. For example, because of the UK lockdown many charity workers are having to operate remotely, and the systems put in place to support that, such as remote access and personal devices, may have inadvertently created new vulnerabilities or challenges for your cybersecurity.
Once you have established what you want to test, you can begin scoping the specifics: which systems are in scope, which are explicitly out of scope, and what level of access the penetration tester is given (for example, whether they start with no credentials at all or with an ordinary user's account). This can be done with the help of the penetration testing company. A good security partner will help you get the most value from your investment in a pen test and ensure that the work provides sufficient coverage.
Penetration testing is an increasingly important part of a thorough cybersecurity plan. A charity that understands the vulnerabilities in its systems is in a far better position to address them, minimise its risk and get them fixed, rather than leaving them wide open. As cybercriminals become more sophisticated, there is an increasing onus on organisations in the third sector to take steps to improve their defences.
Dakota Murphey is a Brighton-based tech geek, writer, and mum to two young scamps. With the tiny little bit of time that’s left after tending to said scamps and geekery, our Dakota is a bit of a film buff and loves a box set, a fine-dining experience, and the odd glass or five of vino.