Human intelligence is your best defence against cyber-attack

Dr Clare Mills, Charity Finance Group, explains how, despite its rise, AI hasn’t yet replaced human intelligence when it comes to preventing cyber-attacks, and shares tips on what you can do to improve resilience.

The Department for Digital, Culture, Media and Sport has published the latest Cyber Security Breaches Survey which shows some reduction over the past year in the number of identified cyber-attacks against charities. However, cyber-attacks – whether or not these lead to data and/or financial loss, and other business interruption – remain a significant concern, and should still be firmly on any organisation’s risk radar.

According to the survey report, “24% of charities overall recall any breaches or attacks from the last 12 months” but in larger organisations, with annual income of £500,000 or more, the figure rises to 56%. The overall percentage has fallen (from 30% last year to 24% this year) but for those higher income organisations the level has remained the same.

Of the charities aware they had been targeted, around one third had experienced a successful attack and suffered a loss. Most successful attacks came through phishing (85%) with unauthorised access or online takeovers (hacking) and malware attacks both at around 7%. Ransomware was behind 4% of attacks and Denial of Service (DoS) at 1% – so they do happen.

At CFG, we have a ‘report and remind’ approach to phishing emails, with staff regularly passing on suspicious emails to report@phishing.gov.uk and then reminding everyone to be alert, using our Teams channels. In the last year, more than 7.1 million emails have been reported using this address and, as a result, the National Cyber Security Centre (NCSC) has removed over 220,000 scam URLs (as of March 2023).

The common features we find in scam emails are authority and urgency. Almost all purport to be from our chief executive – authority – and ask for an immediate response by a reply to the email – urgency. Our human intelligence helps us spot, think and challenge the authenticity of these messages.

It’s human intelligence, too, that helped us stay safe when we had a couple of emails to our HR department, allegedly from members of staff asking for their bank account details to be changed ahead of the next payroll run.

So, what can we do to maintain our human alertness? NCSC’s Exercise in a Box tools can help your people find out how resilient your organisation is to cyber-attacks and practise your response in a safe environment. There’s a range of scenarios focused on different potential areas for attack.

Some of the exercises can be completed in under half an hour, and you can choose different scenarios for different teams of people. The report generated at the end of each exercise helps identify areas where you are potentially vulnerable, and the discussions also reveal how well-informed your people are about what protection is already in place.

CFG and AIM have a unique partnership, meaning AIM members can enjoy all of CFG’s member benefits. Register your organisation with CFG and explore the Knowledge Hub, which is packed with useful articles, guides and resources. For cybersecurity, take a look at ‘Act now to plug digital capability gaps’, with useful tips and thought-provoking questions to help you plan how to stay safe.

And you can join CFG’s network of arts charities and museums at our next webinar on Information and Cyber Security, where we will hear from Adapta Consulting on best practice and practical tips and guidance around risks in relation to staff, volunteers, sub-contractors and suppliers – as well as time to discuss your issues with people from other arts and culture organisations who are likely to be facing the same challenges as yourself.
