Just over one fifth of charities reported a cyber breach last year, according to the government’s annual survey published today.
The Department for Digital, Culture, Media and Sport published the Cyber Security Breaches Survey 2019 this morning, which found that 22 per cent of charities reported having a cyber security breach or attack in the last 12 months. This is roughly the same as last year when it was 19 per cent.
Nearly a third of businesses said they had experienced an attack, down from 43 per cent the previous year.
The most common form of attack among all types of organisations was phishing attacks. For charities, phishing attacks accounted for 81 per cent of incidents. This was followed by others impersonating an organisation (20 per cent), and viruses, spyware or malware (18 per cent).
The average cost of a breach for charities was £9,470.
The survey was carried out by Ipsos MORI in partnership with the Institute for Criminal Justice Studies at the University of Portsmouth. It involved telephone calls with over 500 charities, which were undertaken at the end of last year.
Increase in awareness
This year 75 per cent of trustees and senior managers said cyber security was a high priority, up from 53 per cent in 2018.
But awareness was still lower for smaller charities. Of those with an income under £100,000, 68 per cent said it was a high priority (though this was up from 46 per cent last year). This compares to 82 per cent of charities with income between £100,000 and £500,000, and 94 per cent of those with income of £500,000 or more.
Larger charities were also more likely to report a breach or attack. Some 52 per cent of those with incomes over £500,000 did so, compared to 32 per cent for mid-range charities and 19 per cent for those with income under £100,000.
Charities tended to delegate managing cyber security risks to staff. Just over 80 per cent of larger charities had staff members in information security roles, and only 35 per cent had a trustee with a cyber security brief.
Some 56 per cent of larger charities said they had sent staff on training in the last 12 months, and 83 per cent believed their staff had the right skills and knowledge.
In medium-sized charities, 65 per cent had staff with a specific cyber role and 36 per cent had a board member responsible for the brief. Some 71 per cent thought their staff had the right skills.
Meanwhile, 43 per cent of the smallest charities had a staff responsible for cyber, and 27 per cent had a trustee with the brief. But 66 per cent felt they had the right skills.