About one-third of British charities experienced some form of cyber security breach in the past year, according to new government data.
The Department for Science, Innovation and Technology published its Cyber Security Breaches Survey this week, which explores approaches to cyber security across different sectors.
Almost one in three (32 per cent) of charities experienced some form of cyber security breach, equating to “approximately 924,000” cyber crimes, in the past 12 months, the report said.
It said: “It should be noted that these estimates of scale will have a relatively wide margin of error.”
According to the report, the most common type of cyber attack faced by charities was phishing, at 83 per cent, followed by fraud emails at 37 per cent and viruses or other malware at 17 per cent.
The report found that charities are less likely to undertake cyber security risk assessments than their counterparts in the private sector, with 26 per cent of charities doing so compared to 31 per cent of businesses.
And fewer charities deployed security monitoring tools (23 per cent) than businesses (33 per cent).
But more than six in 10 charities (63 per cent) said cyber security was a high priority for senior management, with three in 10 (30 per cent) having trustees who were explicitly responsible for cyber security as part of their role.
About half of the charities surveyed protected themselves using “cyber hygiene” strategies. The most common forms of defence were updated malware protection, password policies, cloud back-ups, restricted admin rights and network firewalls.
Almost 40 per cent of charities reported seeking information or guidance on cyber security from outside their organisation in the past year, most commonly from external cyber security consultants, IT consultants or IT service providers, according to the data.
More than one-third of charities in the sample said they were insured against cyber security risks.
“While a large majority of organisations say that they will take several actions following a cyber incident, in reality a minority have agreed processes already in place to support this,” the report said.
“The most common processes, mentioned by around a third of businesses and charities, are having specific roles and responsibilities assigned to individuals, having guidance on external reporting, and guidance on internal reporting.”