Meet the Hackers
Data breaches and their associated clean-ups are costly. Given the vast stores of employee and donor data that many nonprofits create, use and maintain, they can be particularly appealing targets for a range of hackers; and, given their often limited resources, cybersecurity may not be a top priority for their boards and stakeholders.
In order for nonprofits to protect themselves and mitigate against cyber risk, it’s crucial that decision-makers and stakeholders understand where threats are originating. According to the Netdiligence 2014 Claims Study, nearly one in three breaches is caused by a hacker. While the term “hacker” might inspire images of sullen techies typing away in basements across the globe, the reality extends far beyond a loner with a laptop. There are many types of hackers with varied motivations.
Below we outline five key types of hackers, and while these categories are broad and often overlapping, nonprofits of all sizes and across sectors should keep them in mind when examining their cybersecurity practices.
Five Hackers Nonprofits Should Watch Out for
Advanced Persistent Threats (APTs) – APTs are organized groups with sophisticated hacking capabilities that allow them to methodically infiltrate a specific enterprise. APTs often include governments or state-sponsored hacking organizations that, because of their advanced capabilities, are able to remain within a network and steal information from target networks over months or even years. These types of hackers can cause some of the greatest damage to organizations.
Organized Crime – “Organized crime” might sound reminiscent of The Sopranos, but the individuals hacking into systems are often spread out, and may not even operate in the same country. Despite this, organized crime hackers are incredibly methodical groups made up of individuals with various roles and talents from coding and website creation to intelligence gathering. Crime rings often target corporations’ data for financial gain, as was the case when a group including individuals in Russia and California exposed the data of 40 million Target customers in 2013.
Hacktivists – Hacktivists are individuals or groups that use highly visible attacks on computer networks in order to advance or promote social or political agendas. Many hacktivists seek to promote freedom of speech or information and human rights, often by defacing the public websites of groups or corporations. The most widely known hacktivist group is Anonymous, which has conducted online campaigns against the Church of Scientology, the Islamic State and the governments of the U.S., Israel, Uganda, Tunisia and others.
Intentional Insiders – An oft-overlooked type of hacker can emerge within a company’s own walls. Breaches can occur when current or former employees or contractors use their access to a company’s computer network to release or exfiltrate information for personal, competitive or financial gain. While it can be difficult for companies to scrutinize their own employees, internal hacks can be incredibly costly, and data suggests many employees could be bribed into compromising their companies’ systems. A recent survey from information security company Clearswift suggests that 25 percent of employees would sell company data, risking both their jobs and criminal convictions, for less than $8,000.
Employee Error – Another internal threat can be traced back to employee blunder or negligence rather than maliciousness. Organizations with “bring your own device” policies (common in smaller nonprofits) are particularly vulnerable to cyber-attacks. While employees may not be hackers themselves, a lack of preparedness can make them vulnerable to cyber threats. For example, a 2011 U.S. State Department test found that when flash drives were dropped in the parking lots of various government buildings, 60 percent of the people who picked up the drives plugged them into network computers, putting their entire organization at risk. Another example we have witnessed was an IT employee failing to apply security patches, which resulted in the loss of confidential information and customer records. In either case, organizations can be vulnerable and should conduct regular training, review IT practices and ensure that controls are maintained appropriately.
Phishing attacks, which we’ve discussed in a previous blog series, are also growing increasingly common. According to Symantec, approximately 156 million phishing emails are sent every day, and over 8 million are opened by recipients. These scams rely on human error and can be difficult to protect against without additional training or controls.
Nonprofits should proactively strengthen their cybersecurity practices, educate employees on potential threats and response techniques and carefully audit all partners and vendors in order to mitigate the risk hackers pose to their organizations. Our own Shahryar Shaghaghi notes in a recent Law.com piece, “There is no such thing as ‘prevent.’ Instead, it’s about minimizing the impact of cyber-attacks and maximizing defenses associated with the highest areas of value and vulnerability.”
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” blog (June 2016). Copyright © 2016 BDO USA, LLP. All rights reserved. www.bdo.com