Traditionally criminals have tended to focus on making money. However, in this digital age, this is no longer the ultimate goal – sophisticated criminals have realised the value of information that can be stolen through a cyber-attack.

Large businesses are not the only organisations at risk of a cyber-attack. Not-for-profits (NFPs) actually hold more sensitive information than most, from confidential and personal client records to donor information, and their credit card details in particular. At a recent event, Paul Byrne, Deloitte’s Cyber Attack & Response National Director, confirmed that the struggle for NFPs lies in the lack of expertise, resources and capacity to deal with cyber security.

The threat to cyber security is among the top ten risks for all organisations – no matter how big or small – and given the impact on both financials and reputation, it needs to be a top priority. Without being seen to offer real protection against cyber-attacks, NFPs – more than most – risk their reputation and loss of donor confidence. Given the discretionary nature of giving, this loss of confidence, on top of huge financial loss, puts a strain on not-for-profits. This is a considerable difference between NFPs and for-profit entities.

The evolving threat landscape

The cyber threat to Australia’s digital economy is growing in severity, with the average cost of a data breach per Australian organisation amounting to more than AU$2.5 million a year and rising, according to Ponemon Institute’s 2014 Cost of Data Breach study. With constant technological advancements, this is an ongoing issue. In 2014, attackers released more than 300 million new variants of malware. Outdated security tools are unable to detect these new attacks effectively. At the same time, organisations are eager to take advantage of technological improvements and digital reach, which in turn add layers of vulnerability to their risk profile.
Not only are these external actors more and more sophisticated, but increasing your digital reach adds layers of complexity, volatility, and a reliance on infrastructures that are not always within your control. As cybercrime increases in frequency, size and sophistication, it is clear that traditional controls such as firewalls that focus only on the perimeter are no longer sufficient. Cybercrime has evolved from being a vertically integrated, individualistic activity to an extremely sophisticated, well-organised, distributed operation, where stolen data is traded and matched on underground markets, and highly skilled criminals are orchestrating the action.

Knowing what to expect

The most common types of attacks on NFPs come through ransomware via phishing campaigns to extort payment. Other approaches include planting backdoors and remote access Trojans to access finance systems, siphoning off money, and in particular denial of service – shutting out an online service. Another invidious attack approach is sending an email purporting to be from a key executive such as the CEO or CFO requesting a transfer of money to a seemingly ‘legitimate’ recipient. In addition, there is a ready trade in compromising the network and stealing market-sensitive information to sell on the black market to competitors or other interested parties. This frightening array of attacks is happening globally to some of the most well-known NFPs.

Case studies

In 2013, the website of World Wildlife Fund China was hacked and user login credentials were stolen and leaked. In 2015, CareFirst – an American health services NFP company – had its database hacked, and 11 million records with personal information were obtained along with some bank account information. In 2016, the United Kingdom’s National Childbirth Trust experienced a data breach, which exposed expectant parents’ information.

The average cost of a breach involving 1 million records will be between US$892,000 and $1.8 million.
For many NFPs, these are unsustainable costs with huge financial impact.

Customers increasingly want to be informed as to how their data is accessed and used. Consumers expect organisations to take them seriously. According to the Deloitte Australian Privacy Index 2016, 94% of the 1000+ Australian consumers surveyed believe trust is more important than convenience or the ease of use of a website, app or device.

So who is responsible for cyber security and protecting privacy? The answer is everyone – agencies, the public, organisations, and third parties. But if we ask who suffers the biggest impact from privacy being mishandled or breached, then our answer is almost always organisations. It is critical for organisations to be aware of how central security is to maintaining consumer trust and loyalty, and to include cyber security as an essential part of business planning and risk management.

The Australian-based Deloitte Cyber Intelligence Centre provides cyber security services to help organisations protect their critical data and services, and in particular anticipate threat. Our ‘Secure, Vigilant, Resilient’ approach helps organisations get ahead of cyber risk so their business can keep moving forward.

Be Secure: Take a measured, risk-prioritised approach to defend against known and emerging threats.

Be Vigilant: Develop situational awareness and threat intelligence to identify harmful behaviour. Many organisations do not have the staff or the tools to meet the current and emerging threats; in which case, a trusted partner that can deliver an advanced, managed security service would be critical.

Be Resilient: Have the ability to recover from and minimise the impact of cyber incidents by being prepared for the worst-case cyber scenarios. Businesses should have cyber insurance and cyber incident plans and, most importantly, practise these plans.

Be aware, be prepared and react fast.
The time to resolution is essential in a cyber-attack and in this case time is worth a lot more than money. Your reputation is on the line.