07 May 2019
New figures from the Department for Digital, Culture, Media and Sport [DCMS] show that 22 per cent of charities were subject to a breach or attack in 2018.
Larger charities, those with an income of more than £500,000 a year, were among the most common targets, with over half (52 per cent) reporting breaches or attacks over the past year. In stark contrast, 32 per cent of businesses and 61 per cent of large businesses were breached over the same period.
The most common form of attacks involved phishing, which was cited by 81 per cent of charities that had been breached. Meanwhile, 20 per cent of breached charities said they had been targeted by criminals impersonating an organisation in emails or online and 18 per cent said they had been targeted by viruses, spyware or malware, as well as ransomware attacks.
Kate Sinnott, head of charity engagement at the National Cyber Security Centre, said: “We know that cyber security breaches can be costly and disruptive for charities, and this year’s report backs that up. The average cost of all breaches or attacks identified in the last 12 months by a charity is now £9,470. However, the costs of a breach vary, with organisations quoting figures between £300 to £100,000 depending on the severity. At the top end, this amount could be crippling for some charities.”
Sinnott added that phishing remained the most common form of attack on the charity sector, with 81 per cent of those who identified an attack or breach listing fraudulent emails as the cause. “Technical measures are important in stopping these attacks but the strongest link remains staff, trustees and volunteers,” she said.
“It’s vital to help them to understand their critical role in protecting the organisation and give them the information on how to report a phishing email.” However, it was not all negative news.
GDPR was found to have helped organisations to improve their cyber awareness. In addition, more than a third of charities (36 per cent) said they had made changes to their cyber security policies or processes as a result of GDPR and 47 per cent sought external advice on cyber security over the year.
“This is very positive news but we shouldn’t be complacent,” Sinnott added. “There are still many charities who are yet to take action and, even for those that have, they still need to keep up to date with advice as the cyber crime threat to charities continues to evolve.”