Just under a quarter of charities have suffered a cyber attack in the past year, according to government figures.
The Cyber Security Breaches Survey 2023, published by the Department for Science, Innovation and Technology last week, found that 24% of charities have been victims of cyber breaches or attacks in the last 12 months, compared with 30% in 2022.
This drop is likely to have been driven by smaller organisations undertaking less monitoring and logging of breaches or attacks in the current economic climate as cyber security is not viewed as a priority, the report said.
Higher-income charities were significantly more likely to record breaches or attacks, at 56% for those earning £500,000 or more and 76% for those with £5m or more, in line with previous years.
Sector regulators and membership bodies said charities could do more to protect themselves from cyber attacks.
Prevalence of cyber crimes
Based on a sample of 1,174 UK charities, the survey said that the sector experienced around 785,000 cyber crimes of all types in the last 12 months.
The most common breaches or attacks were phishing attacks (83%), followed by others impersonating the charities in emails or online (29%) and viruses, spyware or malware – excluding ransomware (9%).
The average cost of the most disruptive cyber attack or breach was £2,310, compared with £3,770 for businesses.
The survey highlighted a shift in the proportion of charities seeing cyber security as a high priority in recent years. In 2019, 75% of organisations said it was a “fairly” high priority compared with 72% in 2022 and 62% this year.
Only a third of charities have board members or trustees taking explicit responsibility for cyber security, while 31% are insured against cyber security risks.
Similarly, 36% of high-income charities have a formal cyber security strategy in place.
The survey concluded that “while directors or trustees are likely to be informed of cyber incidents, they may lack training to know what their roles should be in these circumstances”.
Sector has a ‘long way to go’
The Charity Finance Group (CFG) said that the sector still “has a long way to go in recognising and planning how to respond to risk of attacks and breaches”.
“Many security threats are fairly unsophisticated. Successful attacks can be simple to prevent with basic knowledge and timely reminders. We would urge charities to do all they can to help staff and volunteers understand the nature of attacks and breaches, how to recognise attempts, and feel confident to act and protect their organisation when they encounter attempted attacks,” said Clare Mills, director of policy and communications.
“Fortunately, there are plenty of free and affordable resources available for charities, from training events and webinars to workshops and toolkits. Developing a training plan and keeping the issue front of mind are important first steps in stopping fraudsters and cyber criminals from more successful attacks on charities.”
Regulators: Take cyber security ‘seriously’
The Fundraising Regulator told Civil Society that it “advises all charities, large and small, to take their cyber security seriously”.
“While fraudsters are creative, and may often seek to impersonate charities, charities can take certain steps to lessen their chances of falling victim to a cyber security breach,” a spokesperson for the regulator said.
“Charities should ensure they are protected by high-quality cyber-security software, and ensure that staff members with access to their online accounts or payment systems are trained to recognise malicious attacks and phishing emails.”
They added: “The Fundraising Regulator does understand the financial constraints impacting charities at present, but it’s important for trustees to consider the potential financial and reputational risks of a breach, as well as the impact on donors and service users.
“Trustees should also familiarise themselves with the guidance for charities from the National Cyber Security Centre, developed in conjunction with the Charity Commission, on how to improve their cyber security.”
A Charity Commission spokesperson added: “We expect trustees to do all they can to ensure every penny given to charity makes a positive difference and isn’t lost to potential fraudsters. Having clear processes in place to help prevent and tackle fraud is essential.
“Online services have provided a great opportunity for charities but it’s important that these are safe and secure. Simple steps such as using strong passwords and two-factor authentication can help make sure you’re protected as a minimum.”