Charities lack skills and understanding about cyber security and “must do better”, the government has said.
The Department for Digital, Culture, Media and Sport today published a report, Cyber Security Among Charities, as part of its National Cyber Security Strategy.
The government commissioned Ipsos Mori to carry out 30 in-depth interviews with a range of charities, and said the findings show that in general the sector does not feel well informed about cyber security issues.
The research was published on the same day as analysis of the FTSE 350 companies, which found that one in ten FTSE 350 companies operate without a response plan for a cyber incident.
The charities report concludes that “there is still a need to raise basic awareness of cyber security among charities”.
It says that smaller charities are more likely to “not feel well informed about the topic” and that there is low awareness of current support available.
Charities also “assumed cyber security was more of an issue for businesses than for charities”.
The report identifies a number of barriers that mean charities do not prioritise cyber security, including competing demands and lack of skilled trustees.
“Responsibility for cyber security internally was often held by someone with a different core role, or with multiple responsibilities, such as chief executives or finance staff,” it says. “Competing demands on time and resources – with greater focus often given to areas such as fundraising and delivery – meant that cyber security was often deprioritised and could lack investment.”
Charities also thought training would be expensive and “lacked the expertise to put on training by themselves”.
The report also says that charities struggle to find trustees with the right skills.
“Participants noted that smaller and long-running charities often tended to have older trustees, who might lack IT skills and work only part-time, as well as in multiple roles,” it says. “This made it particularly hard for these charities to get engagement with cyber security among trustees and also to find people internally who could champion the issue.”
It also highlights that charities often have a “strong cultural emphasis on costs and cost-cutting”, making it hard to justify spending on cyber security.
“This had significant implications in terms of the outsourced providers that charities used, and how much outside help they would ask for,” the report says.
Lacking a central head office and having trustees based around the country is also highlighted as a barrier to delivering face-to-face training in some smaller charities.
‘Must do better’
Matt Hancock, minister for digital, said the report highlights that charities “must do better”, but also committed to working with the Charity Commission to produce more tailored guidance.
“Recent attacks have shown the devastating effects of not getting our approach to cyber security right,” he said.
Hancock added: “Charities must do better to protect the sensitive data they hold and I encourage them to access a tailored programme of support we are developing alongside the Charity Commission and the National Cyber Security Centre.”
Helen Stephenson, chief executive of the Charity Commission, said: “Charities have lots of competing priorities but the potential damage of a cyber-attack is too serious to ignore. It can result in the loss of funds or sensitive data, affect a charity’s ability to help those in need, and damage its precious reputation. Charities need to do more to educate their staff about this threat and ensure they dedicate enough time and resources to improving cyber security.
“We want to make sure charities are equipped to do this, and we encourage them to use the advice on our Charities Against Fraud website. We also continue to work closely with the Department for Digital, Culture, Media and Sport to help charities protect themselves online.”