Over 70 per cent of large charities have experienced cyber security breaches within the last 12 months, a new government survey has revealed.
According to the Cyber Security Breaches Survey 2018, carried out by Ipsos MORI on behalf of the Department for Culture, Media and Sport, large charities are often exposed to greater cyber risks than businesses.
The main reasons cited were charities’ use of digital for payments, with over half (53 per cent) of charities allowing people to donate online and under half (49 per cent) allowing beneficiaries to access services online.
Of those that had identified breaches or attacks, 37 per cent needed new measures to help prevent or protect against future breaches, 40 per cent used additional staff time to deal with breaches and 28 per cent said that breaches had stopped staff carrying out day-to-day work.
The estimated average cost of breaches identified and reported in the last 12 months by large charities was £1,460.
The survey revealed breaches were more often identified among organisations that hold personal data or where staff use personal devices for work. It also found that the use of personal devices was much more prevalent in charities (65 per cent) than businesses (45 per cent).
Data further revealed only half of all charities said cyber security was a high priority for their organisation’s senior management and just a quarter had trustees with a specific responsibility for cyber security.
Just two in ten charities (21 per cent) said they had a cyber security policy or policies and just 8 per cent said they had a cyber security incident management process in place.
RSM technology risk assurance partner Sheila Pancholi said the survey “very clearly shows that charities are incurring considerable cost and disruption from cyber security breaches”.
However, she added there also appears to be a “degree of complacency” when it comes to preventing and responding to cyber-attacks.
“There is much more that charities need to do when it comes to raising staff awareness through training, identifying and managing cyber related risks and adopting good-practice technical controls. Cyber security must be made a board level issue to ensure it gets the required level of focus.”