Crooks Grabbing Nonprofit Websites, Demanding Ransom
May 8, 2017 Andy Segedin
Joy O’Neal, executive director of The Red Barn, received an unexpected telephone call from her brother early one April morning in 2015. He had been out with a friend and talking about the Leeds, Ala.- based organization, when they visited the website. It had been hacked and taken over by a terrorist sympathizer group.
The organization was not specifically targeted, according to O’Neal. The server The Red Barn’s site and others was located on was attacked and all of the websites were affected. By coincidence, a story about two area students becoming radicalized was receiving national attention. Local news organizations sensationalized the hack, O’Neal said, making it seem as if the Christian nonprofit was targeted by a radical Muslim group. Supporters remained firm, understanding the situation.
The hosting company was able to quickly take the website down. O’Neal’s concern was that someone would Google the organization and see information that didn’t represent it. That left The Red Barn without a website. Complicating matters was that the organization was preparing for a fundraising concert, with people buying tickets and checking for information online.
O’Neal conceded that The Red Barn, which aids those with emotional, cognitive or physical disabilities by using horses, has always been a low-tech operation. As she endeavored to pick up the pieces and rebuild the site, some asserted that there should have been more security on the site — a notion that O’Neal countered with the fact that government agencies and major corporations have also been victims of hacks.
“We didn’t do anything wrong,” O’Neal said. “Even our hosting place didn’t do anything wrong…This is a risk we all live with in today’s day and age.”
The Red Barn has high-level peers when it comes to security concerns.
NetHope is a connector with 50 of the largest international organizations in the world. All of the 50 have staff dedicated to organizational technology and leaders overseeing such work. Yet when group members meet, the single most talked about topic is security, according to David Goodman, chief information officer in residence.
Most nonprofits do not have dedicated information technology (IT) security staff, according to Goodman. Such duties are typically tacked onto a staffer’s other chores. Existing security frameworks can also be cumbersome for organizations lacking staff members who are tech-savvy. NetHope is in the process of developing a security framework designed for easier use. Goodman said that NetHope will publish the framework when completed and will seek both audit partners to identify potential gaps and those looking to adopt it.
Another challenge facing nonprofit workplaces is the consumerization of technology. A few decades ago, technology served business. These days an employee can waltz into an Apple store and walk out with better technology than they can find at their workplace. There is a desire to have that same high-level capability on the job.
Organizations have to adapt, Goodman said. Applications such as the Google toolset and Box can be embraced, perhaps with enterprise-levels purchased to ensure more organizational control. Consumerization can also mean that staff members walk around with sensitive organizational information on their phones, subject to potential compromise if stolen.
“When you blur the line between your personal technology footprint and your work technology footprint, you do raise issues that can be complicated,” Goodman said.
Oxfam is a large international organization taking a long, serious look at security. There are 19 Oxfams throughout the world, according to Jim Daniell, chief operations officer at Oxfam America. Each has its own threat levels and security needs. In the U.S., it might be credit card scams. In war-torn areas overseas, laptops might be stolen at gunpoint and politically comprising material might be specifically sought.
Two common exposures at the moment are ransomware and determined actors. Ransomware lures users into clicking on an attachment that locks up systems. Daniell referred to it as a multi-billion dollar industry in which there is honor among thieves, with systems unlocked in exchange for a payment — typically a few hundred dollars.