Charities more vulnerable to cyber attacks than private and public sector

Limited resources, a part-time workforce and personal devices contribute to the vulnerability of the UK charity sector, new research finds, and it’s a similar affair closer to home.

Charities are more vulnerable to cyber attacks than private and governmental organisations, despite each sector facing the same risks, new international research suggests.

The 2023 Cyber Threat Report, which analyses the extent to which charities in the United Kingdom (UK) are targeted and affected by cyber attacks, found three key reasons the sector is more susceptible to online data breaches:

1. Charities prioritise directing limited resources into work that achieves its mission over enhancing cyber security.
2. Charities have a high volume of staff who work part-time, including volunteers, and have less capacity to upskill in digital areas.
3. Charities are more reliant on staff using their own devices, which are harder to secure and manage compared to a central IT system.

See more: NFP leaders say they are vulnerable to cyber attacks

The report also reveals that charities are more likely to be impacted by a cyber attack, as the nature of the sector is often to fill a crucial gap in services and support where government or private business alternatives are not sufficient.

Technology not for profit and social enterprise Infoxchange’s CEO David Spriggs says this experience is just as rife in Australia and follows a spate of recent cyber attacks targeting high-profile organisations including The Smith Family and Medibank.

See more: New governance principles in wake of Medibank cyber attack

“It is pleasing to see the UK National Cyber Security Centre shedding a light on the vulnerabilities of the charity sector,” Spriggs told Pro Bono News.

“We are facing similar challenges in Australia and must urgently address the significant shortcomings of the sector in relation to information security.”

Infoxchange’s 2022 Digital Technology in the Not-For-Profit Sector report highlighted similar vulnerabilities, with only 49 per cent of organisations having an information security policy in place. The main reason for this outcome was a lack of budget or resources (50 per cent), as well as being unsure about how to approach the matter (33 per cent) and not thinking a policy is necessary (26 per cent).

However, resourcing in this area is increasing, with Australian charities spending 30 per cent more on digital technologies in the last 12 months compared to 2021.

See more: Cyberattack hits not-for-profit sector

As charities become increasingly reliant on technology to run services, raise money and connect with others, the sector is more attractive to attackers seeking financial gain and information – both from the organisation itself and its broader supply chain.

Phishing, ransomware, fake organisations and websites, and Business Email Compromise – a specialist form of phishing that targets work email addresses – were identified as the top methods of cyber attacks across the UK and also pose threat to Australian charities, says Spriggs.

“The UK report also reinforced the importance of providing training to staff and volunteers to avoid ‘phishing’ or similar attacks,” continued Spriggs.

“In Australia we found that only 47 per cent of organisations provide information security awareness training.”

See more: New book aims to make sector more data-savvy

Infoxchange’s Digital Transformation Hub aims to help not for profits become more digitally resilient. It provides a range of free cyber security resources as well as an online assessment tool to determine how charities can improve information security.

The 2023 Cyber Threat Report was produced by the National Cyber Security Centre (NCSC), a UK government agency that provides technical authority on cyber security, with support from England and Wales’ charity regulator.