Why are charities falling behind on cyber security?

According to latest research, charity leaders are lagging behind their counterparts in the public and private sectors in their understanding of cyber security.

 

This knowledge gap is across a raft of areas, from reporting breaches and providing staff with adequate training to understanding digital threats.

The findings have emerged in a 2022 report into Cyber security skills in the UK labour market, published by the Department for Digital, Culture, Media and Sport (DCMS).

 

This study includes the views of cyber team managers in charities, businesses, and public sector organisations on their leaders’ cyber security knowledge.

 

Just 62% of charity tech leads believe their senior managers understand cyber security risks, compared to 79% among public sector bosses and 81% of business sector leaders.

 

 

Where charity leaders need to improve

 

Training

 

Ensuring all staff, volunteers, and trustees have training in cyber security and the skills to deal with incidents has emerged as a key area where charities are falling behind other sectors and need to improve.

 

Less than half (44%) of charity tech leads say leaders in the sector understand the need to boost the cyber security skills of staff. This compares to almost three quarters (72%) in the public sector and 64% among businesses.

 

Such skills are particularly needed as organisations’ cyber security is placed at greater risk due to Russia’s invasion of Ukraine in 2022. The National Cyber Security Centre says greater risks include fake charity appeals, through bogus websites masquerading as familiar charities, and phishing emails, which attempt to gather financial information from staff and supporters.

 

 

Reporting breaches

 

Charity manager certainly need to improve their awareness of the importance of reporting breaches to the relevant authorities, including regulators and the police. Cyber leads in the charity sector say that only 56% of their leaders are aware of the need to report incidents, which can include ransomware or other malware attacks that can infect end users computers.  

 

Once again this compares unfavourable with other sectors, with around eight out of ten digital leads in the public sector (82%) and among large businesses (79%) saying their managers can grasp this issue.

 

Action Fraud, the police’s National Fraud and Cyber Crime Reporting Centre, is the key organisation to report a cyber security breach to. This has a 24-hour, seven days a week reporting service for charities to call if they are suffering from a live cyber-attack in progress. It can be reached on Tel. 0300 123 2040.

 

When an organisation suffers a cyber attack the Information Commissioners’ Office (ICO) also needs to be contacted. More information on reporting a breach to the ICO can be found here.

 

Lack of awareness of reporting breaches is part of wider failures among charity leaders to manage incidents. According to the survey of tech leads less than half (42%) of senior charity managers know what steps to take to manage a cyber security incident, compared to two thirds (65%) of public sector bosses and three quarters (74%) of heads of large businesses.

 

 

Preventing incidents

 

Charity workers are also behind their counterparts in other sectors in putting in place measures to prevent further incidents.

 

A third (33%) of charity staff surveyed are not confident they can perform basic tasks such as configuring firewalls. Among large businesses only 5% of digital leads are as unconfident and the proportion is 12% among those working in the public sector.

 

A similar proportion (30%) of charity staff lack confident in detecting and removing malware. The proportion is only 8% of staff among public sector organisations and only 5% in large businesses.

 

The charity sector is also behind other sectors in terms of having the skills to store data securely, restrict software, set up automatic security updates, and control who has administration rights.

 

Overall, the basic skills gap needed to prevent cyber security breaches is “on a par” with figures from 2018, warns the government’s survey.

 

 

Ten-point plan to minimise risk

 

To help charities improve their cyber security the ICO’s has produced a ten-point plan to help minimise the risk of personal data breaches happening.

• Store data securely – make sure no one has access to personal information without authorisation. Measures such as strong passwords should be in place
• Have a clear desk policy – charities need to minimise the risk of sensitive information being left on desks and unprotected devices
• Have a remote working policy – staff and volunteers need a good understanding of how personal data is handled out of the office. Mobile devices can be made more secure through measures such as two-factor authorisation
• Keep records up to date – this is especially important for donor information to ensure they are being targeted at the correct address and in the way they want to be contacted
• Label documents clearly – this ensures that files and data is not incorrectly sent to the wrong people
• Use blank document templates – sometimes personal and security details can be sent if documents are reused, and information is kept on the page by mistake. Using blank templates removes that risk
• Review access controls – it is important that only specific staff and volunteers have access to information and is not widely available across the organisation
• Training staff – all staff need a good understanding of the cyber security risks they may face and how to prevent them
• Back-up systems – Ensure any back-up of personal data is stored securely
• Watch out for former employees – if staff leave the charity make sure they do not still have access to financial accounts and other sensitive information