Kate Sinnott is the head of charity and public engagement at the National Cyber Security Centre (NCSC). Kate leads a team dedicated to helping UK charities and the public be less vulnerable and more resilient to cyber attack, empowering them to stay secure online. Previously Kate was head of partnerships at the National Crime Agency, leading a team working with global technology companies and children’s charities to protect young people from online exploitation.
Charity sector cyber security is improving
It’s welcome news that more charities than before have taken positive steps to improve their cyber security, according to the Cyber Security Breaches Survey 2019[1].
Since launching the Cyber Security: Small Charity Guide in March 2018, the National Cyber Security Centre (NCSC) has worked in close partnership with bodies across the sector. Together we are working to raise awareness about the cyber crime threat and provide practical actions charities of all sizes can take to protect themselves. The survey results are the first indication that collective efforts across the sector are contributing towards a positive change.
Amongst charities, the biggest statistical shift in the survey has been how cyber security is viewed by trustees and senior managers, with an overall 22-point increase over 2018’s results. Strong increases are seen across small, medium and large charities, with cyber security now being seen as a high priority in 68% of charities with an income under £100,000; 82% of charities between £100,000 – £500,000; and 94% of charities with an income over £500,000.
I think it will become more of a priority. Thinking of the phishing emails, they are going to get harder to spot.
– High income charity
Cyber security breaches can have huge costs
We know that cyber security breaches can be costly and disruptive for charities, and this year’s report backs that up. The average cost of all breaches or attacks identified in the last 12 months by a charity is now £9,470. However the costs of a breach vary, with organisations quoting figures between £300 to £100,000 depending on the severity. At the top end, this amount could be crippling for some charities.
Phishing remains the most common form of attack on charities, with 81% of those who identified an attack or breach listing fraudulent emails as the cause. Technical measures are important in stopping these attacks but the strongest link remains staff, trustees and volunteers. It’s vital to help them to understand their critical role in protecting the organisation and give them the information on how to report a phishing email
The introduction of the General Data Protection Regulations (GDPR) in May 2018 has influenced the sector’s approach to cyber security. A third of charities made changes to their cyber security as a direct result of GDPR. Most commonly, these changes were new policies and staff training. The report also indicates that GDPR will have sustained impact as charities continue to adjust their approaches to cyber security.
There has been a change in mindset. Whereas information security was something that sat in a little team and they used to come along at the end of a project and say, ‘no, no, no’, now it’s fundamental to the start of any decisions we make.
– High income charity
Ensuring robust cyber security for the future
47% of charities have looked for external help with cyber security in the last year, up from 36% in 2018. This is very positive news but we shouldn’t be complacent. There are still many charities who are yet to take action and, even for those that have, they still need to keep up to date with advice as the cyber crime threat to charities continues to evolve. We will continue to work with our partners across the sector to share our advice and guidance in places that charities know and trust. We will be providing even more local training and workshops with sector partners over the coming year and beyond.
[1] The Cyber Security Breaches Survey is an annual report by The Department for Digital, Culture, Media and Sport showing how businesses and charities are responding to the cyber security threats they face.
Posts written by guests who have contributed to NCVO projects and events. 
