
Cyber resilience is just another part of overall business resilience, making sure your organisation can continue to deliver essential services to your beneficiaries when things go wrong. The cyber threat is continuing to grow each year, with the majority of cyber-attacks untargeted and opportunistic, and unfortunately the third sector is not exempt.

To explore how the sector can build cyber resilience, The Scottish Council for Voluntary Organisations (SCVO) spoke to John Stoner, Head of Information Systems at Scottish Action for Mental Health (SAMH), and Ade Worley, Head of Information Technology for the Royal Zoological Society of Scotland (RZSS).

RZSS and SAMH have both been affected by cyber-attacks in 2020 and 2022 respectively. John and Ade discussed their experiences, the impact on their charities and the key lessons learned.

From ransomware to data breaches: the evolving nature of cyber-attacks

Every third sector organisation has its own unique ways of working, staff resources, and vulnerabilities that can expose it to a cyber-attack.

John described how SAMH was the victim of a sophisticated ransomware cyber-attack that significantly impacted its ability to provide vital support services to its beneficiaries. A significant volume of SAMH’s data was stolen from its data centre – an external, managed facility storing its data and servers – and the charity was blackmailed with the threat of posting its data to the Dark Web.

John said: “Although we had three different types of back-ups, the hackers managed to delete two of these. Paying the criminals was never an option. Our surviving back-up was all that prevented us from having to start again from scratch.”

As a victim of a supply chain attack, RZSS’s experience was quite different. In 2020, Ade learnt that the wildlife conservation charity’s customer relationship management (CRM) system provider – holding around 250,000 customer records – had suffered a significant data breach.

“Initially, we felt overwhelmingly helpless as there was very little we could do. To compound this, the supplier took two months to tell its clients about the attack,” explains Ade. “We also quickly discovered that large multinationals control the narrative in these situations and obtaining access to information (beyond what they want to tell you), is impossible.”

Restoring operations

By using its external support company, SAMH was able to rebuild everything from its remaining back-up disk relatively quickly. However, it took two to three weeks before the charity was 90% up and running again, and longer to ensure all its systems and hardware were secure. SAMH also employed a dedicated cyber-security company.

“Crucially, the company we used had the necessary expertise to establish what data had been shared on the dark web and work out what actions to take,” says John. “Our users were, understandably, concerned about the safety of their data, so we brought in a contractor to mitigate the risk of impersonation.”

Ade explains that RZSS fortunately had an active data management group and a clear action plan for dealing with cyber incidents: “The group helped establish the exact nature and extent of the issue – while no financial information had been lost, a huge volume of customer names and addresses had been accessed. We also reported the breach to the Information Commissioner’s Office (ICO) within the required 72 hours.”

The group provided stakeholders with as much detail as possible about the data breach, documented everything they did, and kept the ICO informed.

Counting the impact

Apart from the obvious business continuity issues, a cyber-attack can have numerous other knock-on effects.

For example, after the attack, local authorities blocked emails from SAMH, although its email system hadn’t been compromised. “We had to work hard to prove to our external stakeholders that our systems were safe again. We had to invest significant amounts of money to ensure the ongoing security of our systems and reduce risk,” says John.  

RZSS felt the impact most in its membership base. Ade explains: “Generally, our members were very supportive, but even though we weren’t directly attacked, we lost some people’s trust. We also had to deal with the resultant reputational risk, and that consumes a phenomenal amount of time.”

Lessons learned

So what have SAMH and RZSS learnt from these attacks?

John’s key message is: “Do something now, before it’s too late. It will be a lot easier if you invest in systems, security and processes to safeguard your organisation now, rather than waiting until something happens. Take preventative action.”

Practical tips from SAMH’s experience include using multi-factor authentication (MFA) for everything, across the organisation, and having multiple back-ups. At least one of these must not be connected to anything online, so that it can’t be deleted by hackers. 

He adds: “In certain situations, it can be really important to bring in external expertise. For example, we wouldn’t have been able to navigate the dark web without help.”

RZSS now manages all its cloud procurement centrally. This means every internet subscription is risk assessed, with a preference for UK and EU suppliers due to compliance issues.

Ade also emphasises the importance of communication: “We’re all human and will make mistakes. Let staff know that if they make a mistake, like downloading or clicking on something they shouldn’t, they’re not going to get in trouble. However, they need to tell the right people as soon as possible.”

An ongoing battle

John cautions: “Don’t get caught thinking that it’s done – that you spent lots of money on cyber security last year, so you don’t need to do it again this year. There are always new threats to deal with, so cyber security should always be on your agenda.”

Ade explains that RZSS is fortunate to have buy-in from leadership to invest in the automation of its security. “Even with this, it only takes one user, one click. Hackers don’t attack networks anymore, they hack people, and people are the softest spots to your network. So, it’s imperative to train new staff as soon as possible, and to alert your people to the latest risks.”

While both charities have invested lots of time and effort in cybersecurity, they know it can always happen again. They suggest the best approach is to be as prepared as possible, to anticipate the worst, and always be thinking about what else you can do to stop that from happening.

If you would like more information about what you can do to ensure your organisation is cyber resilient, please visit the Cyber Scotland third sector web page, which provides useful cyber advice and support for third sector organisations.
