Cyber security can be an item on a long to-do list that many organisations don’t focus on until they experience a security threat or breach first-hand.
One not-for-profit found themselves in this position and unfortunately lost over $20,000 when a staff member’s email account was hacked.
The organisation had been diligent in keeping their IT systems up to date, having recently moved to the cloud with Microsoft 365 and having implemented SharePoint for secure file management. They had MailGuard in place and had trained staff in password vigilance and how to spot a phishing email. They also had approval processes for financial transactions.
But the organisation had not anticipated the sophisticated ways in which hackers can infiltrate systems to steal money or data.
In this instance, cyber criminals gained access to the login details of a staff member, possibly when the employee logged into their work account from a different computer whilst overseas, quite a few months earlier.
Using the employee’s email account, the hackers asked an admin officer to update a supplier’s bank details in the finance system and to pay an invoice into that new bank account. Not only had the hacker infiltrated the email account, they had also set up an email rule in the RFF feed that prevented the bogus emails from appearing in the employee’s sent folder or reaching the employee’s supervisor. Infoxchange found this rule on investigation.
The admin officer knew the ideal process was to check with the finance manager, but also had access to change the bank details in the system, and so, in an effort to be helpful and avoid delays, carried out the bogus request. Human errors like this are understandable and, unfortunately, very common.
Managers at the organisation quickly realised the mistake and were able to halt two further, larger invoices from being paid to the same bank account.
The theft was reported to the police, the organisation’s bank and ReportCyber but it was too late for the money to be returned as the bank account was untraceable.
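The hidden email rule is the part of this incident that an administrator can check for directly. The following script is an added example, not from the original article or from Infoxchange: it connects to Exchange Online with the ExchangeOnlineManagement module and lists every inbox rule that deletes, forwards, marks as read, or moves mail into a folder the owner rarely looks at, or that keys on payment-related wording. The folder names and keywords are assumptions you should adapt to your own environment.

```powershell
# Added example (not part of the original article): audit Exchange Online
# inbox rules for the kind of rule used in this incident, one that quietly
# hides payment-related mail from the account owner and their supervisor.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds a role that can read mailboxes and inbox rules.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Constructed watch-lists; extend them for your own tenant.
$suspiciousFolders = @('RSS Feeds', 'RSS Subscriptions', 'Junk Email',
                       'Deleted Items', 'Archive', 'Conversation History')
$suspiciousWords   = @('invoice', 'payment', 'bank', 'remittance',
                       'account details', 'wire', 'transfer')

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()

        # Rules that make mail disappear from the mailbox entirely.
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }

        # Rules that park mail in a folder the owner is unlikely to open.
        if ($rule.MoveToFolder -and
            ($suspiciousFolders | Where-Object { $rule.MoveToFolder -like "*$_*" })) {
            $reasons += "moves to '$($rule.MoveToFolder)'"
        }

        # Rules that send copies elsewhere (attacker mailbox, external address).
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards or redirects mail'
        }

        # Rules that suppress the unread indicator so new mail is not noticed.
        if ($rule.MarkAsRead) { $reasons += 'marks as read' }

        # Rules whose trigger words match invoice or bank-change conversations.
        $triggerWords = @($rule.SubjectContainsWords) + @($rule.SubjectOrBodyContainsWords)
        $hit = $triggerWords | Where-Object {
            $word = $_
            $suspiciousWords | Where-Object { $word -like "*$_*" }
        }
        if ($hit) { $reasons += 'keys on payment-related wording' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\inbox-rule-audit.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an administrator workstation on a schedule and review the CSV; a rule that moves invoice mail into RSS Feeds or deletes it outright is almost never something a user created on purpose, and it is worth asking them before removing it. The creation of such rules is also recorded in the Microsoft 365 unified audit log as New-InboxRule and Set-InboxRule operations, which gives a second place to look when reconstructing a timeline like the one in this case.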
The organisation has taken several steps to make sure this won’t happen again.
- The most critical change was to implement multi-factor authentication for systems that contain sensitive data. This means each login is confirmed via a secondary method, such as a PIN sent by SMS. The internal finance system has been included in this. The Infoxchange Group supported the organisation to make this change.
- Permissions have been changed in the finance system so that only two senior staff members are authorised to change bank account details.
- A process step has been mandated so that changes to account details must be confirmed via a phone call to the recipient.
- All staff have been fully trained in cyber security, with mandatory refresher training taking place quarterly.
Advice for other not-for-profits
We asked the organisation what advice they would give to others thinking about upgrading their security. Here are their tips:
- Have someone on staff be the security champion who owns it and stays abreast of technology as it evolves.
- Staff training is critical. Staff need to know how to recognise phishing emails and need to know how sophisticated cyber-crime is becoming. Run refresher training at least three times a year to ensure constant vigilance.
- Put rigorous processes and checks and balances in place and stick to them. It can be tempting to cut corners when people are busy, and especially when staff are working flexibly from home, but don’t take any risks.
- Keep your software up to date and get professional advice if you’re not sure how to do this.
To find out more about cyber security and make sure you have the right systems and processes in place to protect your organisation, see our guide to cyber security essentials.