Charities and cyber security
This summary covers the findings from qualitative research with UK registered charities exploring awareness, attitudes and experiences around cyber security. A total of 30 in-depth interviews were undertaken in February and March 2017 with a range of charities by income, location and charitable area. The research was commissioned by the Department for Digital, Culture, Media and Sport (DCMS) as part of the National Cyber Security Programme and carried out by Ipsos MORI.
Awareness and attitudes
Pre-existing awareness and knowledge around cyber security varied considerably across the charities interviewed. Those in charge of cyber security, especially in smaller organisations, did not feel well informed about the topic, and several noted that they had not seriously considered it before or proactively sought out any information, often leaving it to an outsourced IT provider to deal with.
In this context, there was often a low awareness of the Government support available on cyber security. This was despite the fact that the Government and other public bodies were considered as trustworthy sources of information. Some participants assumed that if the issue was important enough for them to address, they would hear about it through their established communication channels, via the Charity Commission or voluntary support bodies, such as NCVO.
In some cases, participants assumed cyber security was more of an issue for businesses than for charities. These participants assumed that businesses would be more at risk, as they would be more likely to hold customers’ financial details and would generally be expected to have more cash in the bank.
On the other hand, there were several instances where charities recognised the relevance of cyber security for their organisations, and this prioritisation of the issue could be traced to many things:
• holding personal data on donors or service users
• having trustees or staff with private sector experience of the issue
• meeting the standards laid out by commissioning organisations (in cases where charities were involved in Government service provision).
Approaches to cyber security
Across the charities interviewed, it was typically the case that organisations did not have internal specialist staff with the technical skills to cover cyber security. Responsibility for cyber security internally was often held by someone with a different core role, or with multiple responsibilities, such as Chief Executives or finance staff. Competing demands on time and resources – with greater focus often given to areas such as fundraising and delivery – meant that cyber security was often deprioritised and could lack investment. As a result, there was often a reliance on outsourced IT providers, as well as informal sources of support such as friends, family or other local charities.
Various participants highlighted that more could be done to raise basic awareness of cyber security among staff and trustees. However, it was uncommon to find charities that had provided cyber security training to any of their staff or volunteers. This reflected the various barriers that charities faced to providing training. Many assumed training would be expensive, and did not prioritise spending on training above other areas that might need funding, such as IT equipment upgrades. Charities also lacked the expertise to put on training by themselves – those that had done so had typically worked with outsourced providers to run training. Smaller charities also found training hard in general given that many of their trustees and staff tended to work remotely. In this context, some were interested in free or low-cost online training options.
Cyber insurance was similarly often seen as too expensive to consider. Some charities noted that they had wider insurance policies, such as public liability insurance or business continuity insurance, but were not clear on whether these would cover them in the event of a cyber attack.
Perceptions and experiences of breaches
Charities were often highly concerned with potential loss of funds or of personal data on donors or service users, and these were typically seen as existential threats that helped heighten the importance of being cyber secure. By contrast, the loss of day-to-day (non-personal data) files was less of a concern, with some charities not realising the potential implications for business continuity from losing non-personal data.
Indeed, the research came across examples of charities that had incurred cyber security breaches where non-personal data were lost, and where organisations spent considerable time getting their data restored. There were also examples where charities had incurred a sizable financial cost from a cyber security breach. In these cases, it is worth noting that the experiences of breaches often spurred charities into taking action and protecting themselves against further attacks.
Finally, the research also explored reporting of cyber security breaches. While participants were confident that they would report serious breaches with a financial impact internally to trustees and to any outsourced IT providers, they were less certain of where and when they might be required to report breaches outside of this. Some mentioned reporting breaches with a financial impact to organisations such as the Information Commissioner’s Office (highlighting again the importance placed on data protection). However, none of those interviewed had heard of the cyber crime body, Action Fraud.
This research has highlighted that charities often see cyber security as important, and are as susceptible to indiscriminate cyber attacks as businesses. These attacks can have serious implications for charity finances and for business or organisational continuity. However, the research also flags the many barriers that charities face when it comes to engaging with the issue, including competing priorities for time and resources, and staff not necessarily equipped with the knowledge and skills to deal with the issue.
There is a need for basic awareness raising among staff and trustees, and upskilling of those responsible for cyber security – so they know the basic technical controls they can put in place. It may also help to disseminate Government information and support via the organisations with which charities already have established relationships, such as the Charity Commission. Finally, making use of private sector expertise among trustees may also help individuals within charities to champion the issue.