Many of the UK’s charities lack awareness of and resources to address cyber-threats, despite being as vulnerable to attack as private sector businesses, according to a new government report.
The Cyber security among charities report is based on qualitative research into the UK’s third sector.
Unsurprisingly it revealed that awareness of cyber-threats can be lacking and often left to the outsourced IT provider to deal with.
There’s a perception in the sector that businesses are actually more at risk from attack, despite many charities holding sensitive information on donors.
Part of the issue here is that many such organizations don’t have the resources to fund a permanent IT security expert in-house, with responsibility in some cases handed to CEOs and even finance staff.
Cybersecurity training is rarely given to staff and volunteers as the perception is it’s too expensive and difficult to arrange given the large number of remote workers. Cyber-insurance is also largely eschewed in the industry because of financial pressures, the report claimed.
Although many charities are concerned with the loss of sensitive information associated with donors or service users, the loss of non-personal data apparently causes fewer sleepless nights.
This is despite the fact that the research uncovered several examples of non-personal data loss where the charities involved “incurred a sizeable financial cost” from the breach, although the experience of such an incident is more likely to spur them on to taking action, it claimed.
It concluded:
“There is a need for basic awareness raising among staff and trustees, and upskilling of those responsible for cyber security – so they know the basic technical controls they can put in place. It may also help to disseminate government information and support via the organizations with which charities already have established relationships, such as the Charity Commission. Finally, making use of private sector expertise among trustees may also help individuals within charities to champion the issue.”
The government backed its Cyber Essentials scheme and the National Cyber Security Centre’s 10 Steps to Cyber Security guide as good places to start in helping organizations get a baseline of best practice security in place.
Helen Stephenson, CEO of the Charity Commission for England and Wales, also promoted the organization’s Charities Against Fraud website.
“Charities have lots of competing priorities but the potential damage of a cyber-attack is too serious to ignore,” she added. “It can result in the loss of funds or sensitive data, affect a charity’s ability to help those in need, and damage its precious reputation. Charities need to do more to educate their staff about this threat and ensure they dedicate enough time and resources to improving cybersecurity.”