Almost a third of charities experienced a cyber breach or attack in last 12 months, survey finds

Melanie May | 12 April 2024 | News

Around a third of charities (32%) have experienced some form of cyber security breach or attack in the last 12 months, according to government data. This is much higher for high-income charities with £500,000 or more in annual income (66%).

The Cyber Security Breaches Survey questioned 2,000 UK businesses, 1,004 UK registered charities and 430 education institutions between 7 September 2023 and 19 January 2024. It found that for both charities and businesses, the most common type of breach or attack was phishing: experienced by 83% of charities. This was followed by others impersonating organisations in emails or online (37% of charities) and viruses or other malware (14%).

Among those identifying any breaches or attacks, the government estimates that the single most disruptive breach from the last 12 months cost charities approximately £460.

In comparison, half of businesses (50%) have experienced some form of attack or breach in the last 12 months, and the cost is estimated to be much higher for the single most disruptive breach from the last 12 months. This is estimated to have cost each business, of any size, an average of approximately £1,205. For medium and large businesses, this was approximately £10,830.

Taking action

The government advises that charities and businesses protect themselves through “cyber hygiene” measures, and says that a majority of both have a broad range of these measures in place. The most common are updated malware protection, password policies, cloud back-ups, restricted admin rights and network firewalls – each administered by around half of charities or more.

Businesses, it found, are more likely than charities to take actions to identify cyber risks. 26% of charities have undertaken cyber security risk assessments in the last year, compared to 31% of businesses.

In addition:

The survey also found that only 19% of charities have formal incident response plans, rising to 50% of high-income charities, and that external reporting of breaches remains uncommon. Among those identifying breaches or attacks, 37% of charities reported their most disruptive breach outside their organisation.

Cybercrime and fraud

The survey also included questions on cybercrime and cyber-facilitated fraud. An estimated 14% of charities have experienced cybercrime in the last 12 months, rising to 37% of high-income charities.

94% of charities that experienced cybercrime experienced phishing, while the least commonly identified types of cybercrime were ransomware and denial of service attacks (2% or less of charities who experienced cybercrime in each case). Just 1% of charities have been victims of fraud as a result of cybercrime.

It estimates that UK charities have experienced approximately 924,000 cybercrimes of all types in the last 12 months, compared to its estimate of 7.78 million cybercrimes of all types and approximately 116,000 non-phishing cybercrimes in the last 12 months for businesses.

The full survey can be read on Gov.uk.
