30% of charities experienced cybersecurity breaches or attacks last year, stats show

11 Apr 2025 News

By Thaut Images, Adobe

Three in 10 charities experienced cybersecurity breaches or attacks last year, according to government figures published this week.

The annual cybersecurity breaches survey reports that 30% of charities experienced a cybersecurity breach or attack in the previous 12 months, equating to around 61,000 registered charities. 

This is a decrease from last year when 32% of charities reported having experienced some form of cybersecurity breach or attack. 

Phishing attacks the most common

The report by the Department for Science, Innovation and Technology and the Home Office says phishing attacks remained the most “prevalent and disruptive” for charities last year.

Phishing attacks, in which staff receive fraudulent emails or are directed to bogus websites, affected 86% of charities that reported a cybersecurity breach or attack.

This was followed by people impersonating organisations in emails or online (35%) and viruses or other malware (14%).

Around two in five of the affected charities said they experienced a breach or attack at least every month while a fifth said they had one every week, which remains in line with last year’s findings.

The report notes that one charity reported an unusually high cost of £350,000 for its most disruptive cybersecurity incident.

453,000 cybercrimes

Looking at cybercrime specifically, 14% of charities reported being victims of at least one cybercrime in the past year, which amounts to around 29,000 charities and is consistent with the year before.

Phishing remained the most prevalent type of cybercrime, with 95% of those affected experiencing it.

On average, charities affected experienced 16 cybercrimes of any kind in the last 12 months, with the median being four. 

“This indicates a high level of repeat victimisation amongst organisations experiencing cybercrime,” the report says. 

It adds that UK charities have experienced around 453,000 cybercrimes of all types in the last 12 months.

Priority among managers and trustees

In line with the previous two years, the report says cybersecurity remained a high priority for 68% of charities’ senior management.

Three in 10 charities had board members or trustees “taking explicit responsibility for cybersecurity as part of their job”, it says. 

Charities with an income of over £500,000 were more likely to see cybersecurity as a high priority (88%), a pattern observed since 2020, “where larger organisations tended to treat cybersecurity more seriously”.

However, the report adds: “Board involvement in cybersecurity didn’t necessarily equate to cybersecurity expertise. 

“Business and charities frequently mentioned that only one or two board members appeared to possess any technical knowledge of cybersecurity, and in some cases, the board member with responsibility for cybersecurity had little understanding of it. 

“This is an important knowledge gap because board members may be making decisions, such as on budgets, without realising the full extent of their impacts.”

Decline in action among larger charities

The report also says that in the past 12 months, 21% of charities had provided some form of cybersecurity staff training compared with 47% of high-income charities.

In line with the previous year’s findings, 34% of charities reported being insured against cybersecurity risks in some way. 

The report says charities overall had “remained consistent with last year on the majority of measures relating to approaches to cybersecurity”.

However, charities with incomes over £500,000 had declined on a number of measures compared to the year before. 

This includes a decline in deploying activities to identify cybersecurity risks from 86% to 75%, reviewing immediate supplier risks (from 36% to 21%) and having a formal cybersecurity strategy in place (from 47% to 39%).

Separately, 35% of charities reported having formal cybersecurity policies in place.

The survey’s findings were based on a random probability telephone and online survey of 1,081 UK-registered charities carried out between August and December 2024 and in-depth interviews.

The data was then weighted to be statistically representative of this population.
