Almost a third of charities (32%) experienced some form of cyber security breach or attack last year, according to government figures.
According to the latest Cyber Security Breaches Survey, two-thirds (66%) of charities with £500,000 or more in annual income experienced a cyber incident in the last 12 months.
The most common type of breach or attack was phishing, which impacted 83% of charities.
This was followed by others impersonating organisations in emails or online (37% of charities) and then viruses or other malware (14% of charities).
The figures show an increase from the previous year’s research, when just under a quarter of charities reported experiencing a cyber incident.
Businesses more likely than charities to spot risks
Among those identifying breaches or attacks, 37% of charities reported their most disruptive breach outside their organisation.
Researchers estimated that the single most disruptive breach from the last 12 months cost each charity approximately £460.
The report says: “The most common cyber threats are relatively unsophisticated, so government guidance advises businesses and charities to protect themselves using a set of ‘cyber hygiene’ measures.
“A majority of businesses and charities have a broad range of these measures in place.”
Businesses are more likely than charities to take actions to identify cyber risks, as 31% of businesses and 26% of charities have undertaken cyber security risk assessments in the last year.
Some 34% of charities reported being insured against cyber security risks.
The research adds: “The qualitative interviews suggest that organisations have an increasing awareness of the cyber security risks posed by supply chains.
“Despite this, organisations, particularly at the smaller end, tend to have limited formal procedures in place to manage cyber risks from wider supply chains.”
Cyber security a high priority
Some 63% of charities reported that cyber security was a high priority for their senior management.
This proportion rose to 93% of charities with income of £500,000 or more.
Three in 10 charities said they had board members or trustees explicitly responsible for cyber security as part of their job role.
Some 39% of charities reported seeking guidance on cyber security from outside their organisation in the past year.
The report adds: “While a large majority of organisations say that they will take several actions following a cyber incident, in reality a minority have agreed processes already in place to support this. These findings are consistent with previous years.”
Some 19% of charities said they had formal incident response plans and this rises to 50% of charities with an income over £500,000.
The survey, commissioned by the Home Office and Department for Science, Innovation and Technology, was carried out in winter 2023-24.
Researchers surveyed 1,004 UK registered charities from 7 September 2023 to 19 January 2024.
They also carried out 44 in-depth interviews between December 2023 and January 2024.
Due to changes this year to the question that seeks to capture the overall incidence of cyber attacks and breaches, it is not possible to make direct comparisons between 2023 and 2024, it notes.
Charity Commission
A Charity Commission spokesperson added: “Charities provide vital services to people and communities who depend on them – this is why it is paramount that trustees do all they can to ensure their funds, services and information they hold are protected. It is important that every penny given to charity makes a positive difference and isn’t lost to fraudsters.
“These latest findings demonstrate how vigilant charities need to be and how essential it is to have clear processes in place to help prevent and tackle fraud. Simple steps such as using strong passwords and two-factor authentication can help make sure you’re protected when using online services.”
Related Articles
