Amnesty Canada is an example of why even non-profits need security


Amnesty International, a large, well-known non-profit with 80 offices worldwide, revealed that its Canadian branch was the target of a sophisticated cyber-security breach on October 5 of this year, an attack we now believe likely originated in Beijing, China.

The attack showed signs of being the work of an advanced persistent threat (APT) group, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected, lurking in a system for an extended period. The attacker was in Amnesty Canada’s environment for 17 months before being detected.

Many people don’t realize that the average time for an attacker in your IT system is 286, so 17 months is a problem. Amnesty Canada didn’t have enough insider threat detection or a response plan to get the hacker out. But the fact that the attacker was in there for 17 months means they probably made a mistake and set off an alarm. 

“As an organization advocating for human rights globally, we are very aware that we may be the target of state-sponsored attempts to disrupt or surveil our work,” Ketty Nivyabandi, secretary general of Amnesty International Canada, said in a statement.

“These will not intimidate us, and the security and privacy of our activists, staff, donors, and stakeholders remain our utmost priority.”

Amnesty Canada and all similar non-profits need to take a more holistic approach, looking at their IT network, their endpoints, and their cloud together. NGOs often work with outsourced IT groups, and the IT guys often say, “We’ve got you covered.”

Who wants to hack a non-profit?

That’s where a cybersecurity group is going to complement them. But many times, non-profits don’t have the budget. The management of these organizations feels they have no sensitive information, even though they do, and asks, “Who would want to hack us?”

Cybercriminals know this. That’s why they hack into a not-for-profit group and use it as a jump point to attack another company that has donated millions.

Here’s where a non-profit should start looking at awareness training for employees, because there are so many ways to hack a company, such as through leaked passwords on the dark web and the lack of multifactor authentication. Employees need to learn how to spot a phishing email, what not to click on, and the dangers of mishandling their information.

We can help

Most non-profits want more secure networks to protect donor data, which means employee cybersecurity training, impenetrable security defences, and peace of mind. Securing your networks should be manageable, not worrisome. Non-profits provide the world with valuable help. They’ve worked too hard to have outsiders damage their reputation.

It shouldn’t be like this. Some of the most successful cyber-safe companies stay one step ahead of the malicious by staying updated. Our group can reduce stress, help lighten the load, and keep your donor data safe. Please get in touch with us today for a no-obligation consultation: www.cybersecuritymadeeasy.com

Terry Cutler

I’m Terry Cutler, the creator of Internet Safety University, an educational system helping to defend corporations and individuals against growing cyber threats. I’m a federal government-cleared cybersecurity expert (a Certified Ethical Hacker), and the founder of Cyology Labs, a first-line security defence firm headquartered in Montréal, Canada. In 2020, I wrote a bestselling book about the secrets of internet safety from the viewpoint of an ethical hacker. I’m a frequent contributor to National & Global media coverage about cyber-crime, spying, security failures, internet scams, and social network dangers families and individuals face daily.