More than a fifth of charities reported a cyber security breach over the last 12 months, a government survey has revealed.
The Department for Digital, Culture, Media and Sport's Cyber Security Breaches Survey 2019
found that 22% of charities had been breached. This is similar to the proportion affected in 2018.
Larger charities, with an income of more than £500,000 a year, are among the most common targets, with more than half (52%) reporting breaches or attacks
over the last year. In comparison around a third (32%) of businesses, and 61% of large businesses were breached over the same time frame.
The most common form of attacks involved phishing, which was mentioned by 81% of charities that had been breached.
A fifth (20%) of breached charities said they had been targeted by criminals impersonating an organisation in emails or online and 18% said they had been targeted by viruses, spyware or malware, as well as ransomware attacks.
Cost of cyber breaches
In 21% of attacks charities lost either data or assets. The average cost of breaches charities faced was £9,470 in 2019, but the survey report suggests the cost may be much higher.
“The quantitative survey highlights that the costs of cyber security breaches can be substantial, states the report.
“However, our qualitative findings suggest that, outside the survey, the indirect costs, long-term costs and intangible costs of breaches – things like lost productivity or reputational damage – tend to be overlooked.
“This means that, when organisations reflect on their approaches to cyber security, they may be undervaluing the true cost and impact of cyber security breaches."
They survey also found that charities are much more aware of cyber security than they were last year. In 2019 75% of charities said cyber security is a high priority for their organisation’s senior management, compared to only 53% in 2018.
Written cyber security policies are also more common among charities, with 36% having these in place in 2019, compared to 21% last year.
Charity staff are also more likely to attend training to prevent and deal with cyber attacks, mentioned by 29% in 2019 and only 15% in 2018.
GDPR has increased awareness
“GDPR has played a large part in these changes,” states the survey report.
“Three in ten businesses (30%) and over a third of charities (36%) say they have made changes to their cyber security policies or processes as a result of GDPR.
“Our qualitative findings suggest that GDPR has encouraged and compelled some organisations over the past 12 months to engage formally with cyber security for the first time, and others to strengthen their existing policies and processes.”
Catch up on Charity Digital webinars: