Breaches most often found among organisations that hold personal data or where staff use personal devices for work
Seven in ten large UK charities have experienced cyber security breaches in the last 12 months.
The Cyber Security Breaches Survey 2018 carried out by Ipsos Mori on behalf of the Department for Culture, Media and Sport, found that large charities are often exposed to greater cyber risks than businesses.
This is because over half (53%) of them allow people to donate online and just under half (49%) enable beneficiaries to access services online.
Of the large charities that had identified breaches or attacks, 37% needed new measures to prevent or protect against future breaches, 40% used additional staff time to deal with breaches and 28% said that breaches had stopped staff carrying out day-to-day work.
The estimated average cost of breaches identified and reported in the last 12 months by large charities was £1,460.
Breaches were more often identified among organisations that hold personal data or where staff use personal devices for work.
The survey found that the use of personal devices was much more prevalent in charities (65%) than in businesses (45%).
Only half (53%) of all charities said that cyber security was a high priority for their organisation’s senior management and just a quarter (24%) had trustees with a specific responsibility for cyber security.
Only two in ten charities (21%) said they had a cyber security policy or policies and just 8% said they had a cyber security incident management process in place.
Sheila Pancholi, a technology risk assurance partner at auditing firm RSM, said: “This survey very clearly shows that charities are incurring considerable cost and disruption from cyber security breaches, yet there appears to be a degree of complacency when it comes to preventing and responding to cyber-attacks.
‘There is much more that charities need to do when it comes to raising staff awareness through training, identifying and managing cyber related risks and adopting good-practice technical controls. Cyber security must be made a Board level issue to ensure it gets the required level of focus.
‘It’s particularly interesting that the survey found that cyber breaches are more prevalent when staff are allowed to use their own personal devices for work. This is an area of particular risk for charities and one that we have been warning our clients about for some time.
“Personal devices should be managed and controlled via a formal bring your own device policy will includes ensuring that controls applied to systems which are managed and owned by the charity are also consistently applied to personal devices which staff want to use for work related purposes.
“This is ever more important given the impending 25 May deadline for GDPR coming into force to strengthen personal data governance. The reality is that charities are only as strong as the weakest link in their network.”
