We need to talk openly about cyber security

Thousands of organisations are attacked by cyber criminals every day and since the start of the pandemic these numbers have spiked by more than 300%, according to the FBI, as hackers target organisations with large numbers of staff working from home.

 

But you could be forgiven for not being aware of these facts. That’s because the overwhelming majority of organisations, including businesses and charities, are reluctant to talk about their cyber security breaches.

 

If a data breach results in certain types of personal data being compromised then charities may be obliged to inform the Information Commissioner’s Office (ICO). But there is no obligation to report breach more publicly and certainly no requirement to report the police.

 

As a result, there is a huge gap between the numbers published in the Office of National Statistics’ annual crime survey and the number of cyber crimes reported to Action Fraud, the UK’s cyber crime reporting centre. A report from the Institute or Directors found that less than 30% of cyber breaches in the UK are reported to the police.

 

 

Reluctance to speak

 

There are a number of reasons why charities that experience a cyber breach may be reluctant to report a cyber breach. The primary reason may well be a feeling that there is not really anything to be gained by doing so. That’s because many cyber attacks are launched from overseas, so charities may think that there is little chance of the perpetrators being caught and brought to justice.

 

Many security breaches result in the loss of data rather than money, and when that’s the case there may also be a feeling that law enforcement can’t do anything about that. Cash may be recovered, but once data is compromised it can’t be ‘uncompromised’.

 

Charities may also feel that when a breach has occurred their priorities are to get the situation under control, fix the damage, and prevent the same incident happening again. Involving the police, some charities might believe, would only divert resources and hamper remediation efforts.

 

 

Reputational worries

 

But perhaps the biggest motivation for charities staying silent after a cyber breach is the fear that the incident will harm the organisation’s reputation. If a charity’s cyber security measures can’t be trusted then donors might be reluctant to trust the organisation with their money, and other constituents – particularly service users – might worry that the charity can’t be trusted with private information.

 

 

Huge benefits of sharing

 

The problem with a culture of secrecy surrounding charity cyber security breaches is that it misses a huge opportunity for all charities to benefit from sharing information and learning from it. In fact, there’s a very strong case to be made that it would be far more beneficial for charities to be open about cyber security incidents they experience.

 

Just for starters, charities talking openly about cyber security breaches raises awareness that all organisations, including charities, are targets for cyber criminals and that the risks of a cyber attack are real.

 

The fact that charities are targeted with such frequency should help to reinforce that cyber security is a process that needs to evolve constantly to stay abreast of the latest tactics that cyber criminals use.

 

Although it may be tempting for some charities to think that by installing endpoint protection software they have done all they can to prevent being hacked, the free exchange of information about charity security breaches should help disabuse these charities of that notion.