More than seven in 10 large charities have fallen victim to cyber attacks or breaches in the past year, new research from the Department for Digital, Culture, Media and Sport has found.
A report based on the research, the Cyber Security Breaches Survey 2018, found that 73 per cent of the charities with annual incomes of more than £5m that took part in the survey had fallen victim to cyber attacks or breaches over the past year.
The report says that, despite the prevalence of cyber security breaches in the sector, only 21 per cent of all charities have a cyber security policy in place, and only 8 per cent have an existing cyber security incident management process.
But 53 per cent of charities in the research said that cyber security was a high priority for senior management. The average cyber security breach that leads to financial loss costs a charity £1,030.
The report, which was also produced by Ipsos Mori and the University of Portsmouth, is based on a "random probability" telephone survey of 569 charities and 1,519 businesses between 9 October and 14 December 2017, as well as 50 in-depth interviews with organisations featured in the survey.
The report says that of the 44 per cent of charities in the research that said they held personal data electronically, 30 per cent said they had experienced a cyber security breach.
The research also found that only six in ten charities that had experienced cyber breaches had taken action to prevent a re-occurrence.
Only 42 per cent of charities had sought any guidance or advice on cyber security, and 5 per cent of them recalled using government guidance on the subject.
Staff training on cyber security was also poor among charities, the research found, with only 15 per cent of respondents sending their staff to any form of internal or external cyber security training in the past year.
More than half of charities were found by researchers to have no rules and controls around encryption.
Three in 10 charities had implemented all of the five basic technical controls that feature in the government’s Cyber Essentials scheme, the research discovered.
Of the Cyber Essentials basic technical controls, 75 per cent of charities had applied software updates, 73 per cent had up-to-date malware protection and 69 per cent had effective firewalls.
Only 65 per cent of charities in the research restricted IT administration and access rights to specific users, and 42 per cent had security controls on company-owned devices.
Two-thirds of charities said they allowed staff to use personal devices for work. The report says this can make an organisation more susceptible to cyber attacks.
Cyber breaches and attacks were cited as having an impact on the day-to-day running of affected charities in 59 per cent of cases, the report says. The impacts included new measures being introduced to prevent re-occurrences, staff time being needed to deal with the breach and staff being prevented from working as a result of a cyber attack.