Some UK charities are unprepared for the introduction of the General Data Protection Regulation and do not understand its importance as part of strong cyber-security measures, according to the National Cyber Security Centre.
In a cyber threat assessment for the charity sector, the NCSC, which is part of GCHQ, said that despite the risks of a data breach – which it said could even threaten the existence of charities that fall victim – charities are not proficient in digital skills.
The threat assessment, published yesterday, says there is evidence that the charity sector has a "broad lack of specialist staff with technical skills to cover cyber security", low awareness of the government support available and few digital skills, and is therefore unprepared for the GDPR, a stringent new data protection law that is due to come into force on 25 May.
Criminals are probably the biggest cyber threat to the charity sector, the threat assessment says, and spear-phishing, which involves the use of bogus emails, and ransomware attacks, where computers are incapacitated unless a ransom is paid, are both widely used and effective ways in which charities can be targeted.
The NCSC has also published a guide to cyber security for small charities in which it recommends measures including backing up data, protecting computers from malware, securing smartphones and tablets, avoiding phishing attacks and using passwords on all devices.
Alison Whitney, director for engagement at the NCSC, said: "The NCSC is committed to supporting charities, and we strongly encourage the sector to implement the advice outlined in our guide.
"Cyber attacks can be devastating both financially and reputationally, but many charities might not realise how vulnerable they are to the threat."
Helen Stephenson, chief executive of the Charity Commission, said: "Charities play a vital role in our society, so the diversion of charitable funds or assets via cyber crime for criminal purposes or personal gain is particularly damaging and shocking.
"The threat assessment confirms what we often see in our casework – unfortunately, charities are not immune to fraud and cyber crime, and there are factors that can sometimes increase their vulnerability, such as a lack of digital expertise, limited resources and culture of trust."