Charities have been urged to improve their cyber security, after a government study concluded voluntary sector organisations are just as vulnerable to cyber-attacks as businesses.
The research, by Ipsos MORI for the Department for Digital, Culture, Media and Sport, found many charity staff are not well informed about cyber risk. Thirty interviews with charities of varying size, cause, and location found considerable variation in awareness levels.
A report presenting the study’s findings found that those in charge of cyber security, especially in smaller charities, are often not proactively seeking information and relying on outsourced IT providers to deal with threats.
Where charities recognised the importance of cyber security, this was often due to holding personal data on donors or service users, or having trustees and staff with private sector experience of the issue.
Charities also recognised those responsible for cyber security need new skills, the study found, and general awareness among staff needs to rise.
The research was released alongside a study of FTSE 350 companies, which found 10 per cent operate without a response plan for a cyber incident. Almost 70 per cent of boards had not received training to deal with a cyber incident, despite 54 per cent of boards reporting cyber risk was a top risk to the business.
Minister for Digital Matt Hancock said the reports showed there is a long way to go until all the UK’s organisations are adopting best practice on cyber security. Hancock urged executives to work with the National Cyber Security Centre and take up the Government’s advice and training.
“Charities must do better to protect the sensitive data they hold and I encourage them to access a tailored programme of support we are developing alongside the Charity Commission and the National Cyber Security Centre.”
Charity Commission chief executive Helen Stephenson CBE said the potential damage of a cyber-attack is too serious to ignore, risking financial loss, reputational damage, and a charity’s ability to operate.
“Charities need to do more to educate their staff about this threat and ensure they dedicate enough time and resources to improving cyber security,” Stephenson said. “We want to make sure charities are equipped to do this, and we encourage them to use the advice on our Charities Against Fraud website. We also continue to work closely with the Department for Digital, Culture, Media and Sport to help charities protect themselves online.”