UK charities face increased cyberattacks, but few do risk assessments and do not follow government guidance.
There is a distinct lack of cyber resilience in the UK’s charity sector, especially with an increase in attacks.
According to the Cyber Security Breaches Survey, released this week, a third of charities (32%) report having experienced some form of cybersecurity breach or attack in the last 12 months, compared to 50% of businesses, with phishing the most common type of attack faced.
Among the main findings, only 26% of the charities surveyed have undertaken cybersecurity risk assessments in the last year, compared to 63% of medium-sized businesses, and 72% of large businesses.
Asked if this is an endemic problem of a lack of funding and resources, Yossi Rachman, director of security research at Semperis, says charities operate under a constant state of limited resources, “and so must prioritise how they are allocated.”
Rachman tells SC UK that many charities do not see the cybersecurity as a high priority in terms of business and operational risks, and as result, fewer resources are allocated to it.
Michael Man, DevSecOps evangelist at Veracode, says that this could be a particular mindset from the charities, or it could be the perception that they will likely not have the time or investment to address any of the findings from such an exercise.
“Many charities have limited resources when it comes to specific domain knowledge, so it can be extremely difficult to know if the advice given is correct for their business and if the findings and remediation work is of suitable standard,” he tells SC UK.
The survey also found that 43% of businesses report having some form of cyber insurance, a rise from 37% in the 2023 report. In the charities sector though, only a third of charities report taking our cyber insurance, which Rachman says is down to a lack of awareness amongst charities “who choose not to have cyber insurance coverage.”
Rachman says there are only a few people who are responsible for cybersecurity in most charities, “and usually these are the same individuals responsible for the entire IT operations.”
This can involve all elements of cyber defense, and in the case of a breach, these individuals will have to manage the incident response investigation, defense and cybersecurity hygiene costs, perform data recovery, provide technical guidance around legal proceedings and civil damages lawsuits.
“I believe that the managers of those charities should ask themselves whether they’re willing to take the risks involved in cybersecurity breaches without proper insurance which otherwise would save them substantial time, resources, and money,” he says.
Despite the increase in attacks, the majority of organisations continue to be unaware of government guidance on defense, such as the 10 Steps to Cyber Security, and the government-endorsed Cyber Essentials standard.
The survey found 87% of businesses and 82% of charities were not aware of the 10 Steps guidance, and only 12% of businesses and 11% of charities admitted they are aware of the Cyber Essentials scheme, representing a decline over the last few years.
Asked if he felt UK government needs to do more to increase knowledge and awareness of these guidance frameworks, Man says more visibility of government campaigns around cyber awareness is vitally important, especially as “cybersecurity is still seen as a specialist area and many people outside of this technical domain will shy away.”
Meanwhile Rachman says increasing such knowledge and awareness of these frameworks - as well as general awareness campaigns - would benefit not only businesses and charities, but entire society also.
The report concluded stating that cybersecurity as a high priority factor has increased slightly among businesses, and has remained stable among charities, after an apparent drop in prioritisation observed in 2023’s report.
“The qualitative interviews suggest that, despite economic conditions, many organisations have continued to invest either the same amount or more in cybersecurity over the last 12 months,” the report claimed. “This is in part a response to the perceived increase in the number of cyber attacks and their sophistication.”
Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
An error occurred trying to play the stream. Please reload the page and try again.
CloseRegistering with SC Media is 100% free. Join tens of thousands of cybersecurity leaders today and gain access to the latest analysis shaping the global infosec agenda.
