Search Google News for the term ‘cyber-attack’ and you will see why cybersecurity has become the top priority for corporate executives and national governments. A report from the cybersecurity firm Sophos found that the average cost to rectify the impact of a ransomware attack in 2020 was over $700,000 (USD) and doubles to over $1.4 million when including ransom payments to criminals.
For small to mid-sized businesses, the cost of an attack drops to $200,000, but that is often enough to bankrupt the victimized firm. While stories of small business cyber-attacks may not make headlines like corporate or government attacks, the effects are often more devastating – one data breach can cost dozens of people their jobs, destroy decades of hard work by an entrepreneur, or force the closure of a family business that has been serving the community for decades.
Not-for-Profit (NFP) organizations face a unique set of cybersecurity challenges. Like small to mid-sized businesses, NFPs must deal with budgetary constraints when considering preventive measures and post-attack rectification. Like corporations and government, NFPs must account for a large and diverse group of stakeholders including donors, volunteers, clients, and staff, all of whom must be educated on cybersecurity best practices to avoid becoming the channel through which cyber-criminals attack the entire organization. NFPs have the added challenge of meeting regulatory requirements for cybersecurity.
Fundamental to the challenges faced by NFP stakeholders is that good, honest people underestimate criminal minds and criminal processes. Good, honest people believe recovery of their backed-up data means everything is back to normal.
Good, honest people need to understand how criminals think.
The criminals do not think this way:
- I will trick someone, and that person will allow me to inject code into their IT system,
- I will gain access to some or all of their personal private data,
- I will encrypt that data,
- I will send the person or someone at his/her organization a message demanding a ransom in exchange for returning a copy of their original data, and
- If they refuse to pay the ransom, then I will say “OK” and move on to a more-cooperative victim.
Successful cyber-criminals use the value in your data to make money
When criminals gain access to your personal private data, they have achieved their first major goal: control of your data.
Cyber-crime is big business and the industry’s key resource is your data. The global trend is toward organized cyber-crime. Last week, I heard a presenter describe the current state of organized cyber-crime in Britain as comparable to the well-organized business performed by the top 250 enterprises on The Financial Times Stock Exchange (FTSE250).
FTSE250 businesses work to deliver value to their clients and other stakeholders – shareholders, employees, etc. FTSE250-like cyber-criminals work to obtain and sell data to third parties who place value on that data.
Cyber-criminal networks exist – if a criminal gets personal private information, then there are many places it can be sold and many people who want to buy it. To provide a sense of the value contained in your data, here’s a link that illustrates global black market prices for personal data.
Cyber-attacks are escalating
Considering the value of personal private data, it is highly unlikely that ransomware attackers would walk away with no return on the time and effort they invest in infiltrating an organization and getting access to its data.
It is not only the major headlines that indicate a rise in cyber-attacks – we are hearing about cyber-breaches in our day-to-day discussions with local business leaders.
Online searches provide numbers to help us understand the extent of the problems. For example, a December 2020 report provides a list of statistics, including:
- 43% of cyber-attacks target small businesses,
- 60% of small businesses that are victims of a cyber-attack go out of business within 6 months, and
- 47% of small businesses have no understanding of how to protect themselves against cyber-attacks.
Taking Action to Protect Personal Private Data and People
NFPs are now under, and will continue to be under, increased pressure from cyber-criminal attacks.
Directors of NFP Boards have obligations under Canadian law. Our Canadian Institute of Corporate Directors does an excellent job of informing and educating Directors, including educating Directors on cybersecurity risk management.
At Waterloo Cyber, we recommend cyber-risk management processes to help NFP Boards of Directors protect themselves, their organizations, the personal private data under their care, and the people they are working to serve and protect.