The state of charity cyber security in ten minutes

In February 2021, Charity Digital produced a podcast episode called “Why don’t charities care about cyber security?”. Now, as 2021 draws to a close, we know that they do – 98% of the charity sector told us it was important in our recent survey in partnership with the National Cyber Security Centre (NCSC). 

 

But while the majority are aware of its importance, the survey also revealed that charities don’t feel all that positive about their efforts thus far. In fact, on average, charities rated their cyber security at only six out of ten.

 

This gap between awareness and action is troubling. We’ve known for a long time that charities are at particular risk from cyber threats. A combination of a lack of resources and the high level of data they possess means that they can pose a tantalising prospect for cyber criminals – even more so in 2020 when charities had to prioritise service delivery and fundraising ahead of their cyber security. 

 

But cyber threats are not a pandemic-specific issue. The NCSC’s recent webinar, which detailed the full findings of the State of cyber security in the UK charity sector survey, showed us that more than three quarters of charities had changed their attitudes since the pandemic, yet charities are still suffering the same rate of cyber breaches or attacks this year as they did in 2020. 

 

So, if charities are already aware of the threat, it is time for them to pr better protect themselves. Here, we’ll condense the key findings from the NCSC webinar, presented in full on 21 October.  

 

 

Preparing for post-pandemic security 

 

While the pandemic has certainly provided its own challenges for cyber security (more than two thirds of respondents said they had seen an increase in cyber attacks in the last year), the post-COVID-19 landscape will likely bring more.  

 

For example, the shift towards hybrid working and BYOD (Bring your own device) policies means that previous cyber security procedures need to be reconfigured and endpoint security more heavily invested in. More than two in five organisations say they are more at risk from cyber threats while working from home – though nearly half say they don’t feel there is any change.  

 

The good news is that, on the whole, charities are reacting to the new level of cyber threats. Of the organisations which changed their attitudes towards cyber security after the pandemic, two in five said it was due to the noticeable increase in cyber breaches, while 43% said it was due to more awareness from their peers. 

 

A third said they had received more training and only slightly less (31%) said they had engaged with more cyber security content. 

 

So the appetite for understanding and addressing cyber threats in the charity sector is there. We know the risks. More than nine in ten respondents say they are aware of the effect a cyber attack could have on their organisation and two thirds say that a cyber attack is likely to affect their ability to continue operations.  

 

Despite this, however, only 61% of organisations in the UK charity sector have a plan in place in the event of a cyber security breach. More than a quarter do not have one at all and – concerningly – 10% don’t know if they have one or not.

 

 

Taking the lead on cyber security 

 

It is obvious that there is no lack of knowledge in the charity sector about cyber security generally. Even the minority who said that their attitudes towards cyber security hadn’t changed are not being complacent – more than two thirds said it was because they already take cyber security seriously.  

 

But what should charities be doing with that knowledge now? What barriers must charities overcome if they are to raise their cyber security from a six out of ten to a fully-protected ten? 

 

The biggest barrier to improved cyber security in almost all cases was time and resource. The second most cited reason for an unchanged attitude towards cyber security – after already taking it seriously –was that charities had other priorities or more important areas of focus.  

 

Likewise, of those who said they were not confident with their cyber security skills and practical expertise, 64% said they lacked the time and resource to learn more.  

 

And when it came to training and qualifications, more than a third said they had not undertaken any, with half saying they lacked the time and resource to do so. Other reasons included not knowing what was on offer to them and lacking encouragement from leadership.  

 

The role leadership can play in charity cyber security became very clear in the survey. Four in five of respondents feel that their leadership team values cyber security but fewer (63%) consider their leadership team to be skilled or proficient when it comes to matters of cyber security.  

 

The findings of the survey are both promising and concerning. While it is reassuring to know that the charity sector does care about cyber security after all, it is evident that there are some lengths to go to before it is up to scratch.

 

 

Making the most of free resources 

 

With cyber breaches set to cost us up to $10 trillion by 2025 – and knowing the considerable damage they can do to our organisations – charities need to act sooner rather than later. Time and resource may be hard to come by but cyber criminals are counting on that.  

 

If identifying the next step is the issue, there are some free and easy ways to improve your security. The NCSC has created a free guide for small charities looking to improve theirs “quickly, easily, and at low cost”, while also providing webinars on the five key steps they can take and how to set up a risk management regime. 

 

Charities can find additional guidance from the NCSC’s webinar, the full version of which can be found here. But since time is always of the essence in the charity sector, you can also watch the ten-minute snippet below, covering all the main talking points and next steps for the charity sector in improving its cyber security.