The voice of Scotland’s vibrant voluntary sector

Published by Scottish Council for Voluntary Organisations

TFN is published by the Scottish Council for Voluntary Organisations, Mansfield Traquair Centre, 15 Mansfield Place, Edinburgh, EH3 6BB. The Scottish Council for Voluntary Organisations (SCVO) is a Scottish Charitable Incorporated Organisation. Registration number SC003558.

Fifth of charities hit by cyber attacks


Three quarters of charities haven't invested in cyber security, despite organisations of all sizes being targeted by attackers

One in five charities have been hit by a cyber attack in the last year.

New figures from the Department for Digital, Culture, Media and Sport have shown 22% of charities were subject to a breach or attack last year.

Just over half of respondents identified cyber security as a key priority, but almost three quarters said they hadn’t invested in cyber security.

The research was published as the latest round of grants to help Scottish charities become cyber resilient was announced.

Larger charities, with an income of more than £500,000 a year, are among the most common targets, with more than half (52%) reporting breaches or attacks over the last year. In comparison, around a third (32%) of businesses, and 61% of large businesses, were breached over the same time frame.

The most common form of attacks involved phishing, which was mentioned by 81% of charities that had been breached.

A fifth (20%) of breached charities said they had been targeted by criminals impersonating an organisation in emails or online and 18% said they had been targeted by viruses, spyware or malware, as well as ransomware attacks.

Kate Sinnott, head of charity engagement at the National Cyber Security Centre, said: “We know that cyber security breaches can be costly and disruptive for charities, and this year’s report backs that up. The average cost of all breaches or attacks identified in the last 12 months by a charity is now £9,470. However the costs of a breach vary, with organisations quoting figures between £300 and £100,000 depending on the severity. At the top end, this amount could be crippling for some charities.

“Phishing remains the most common form of attack on charities, with 81% of those who identified an attack or breach listing fraudulent emails as the cause. Technical measures are important in stopping these attacks but the strongest link remains staff, trustees and volunteers. It’s vital to help them to understand their critical role in protecting the organisation and give them the information on how to report a phishing email.”

However, on a positive note, GDPR was found to have helped organisations to improve their cyber awareness. More than a third of charities (36%) said they have made changes to their cyber security policies or processes as a result of GDPR, and 47% sought external advice on cyber security over the year.

“This is very positive news but we shouldn’t be complacent,” Sinnott added. “There are still many charities who are yet to take action and, even for those that have, they still need to keep up to date with advice as the cyber crime threat to charities continues to evolve.

“We will continue to work with our partners across the sector to share our advice and guidance in places that charities know and trust. We will be providing even more local training and workshops with sector partners over the coming year and beyond.”

It was announced this week that the Cyber Essentials Grants scheme has now reopened to charities, with a total of £60,000 up for grabs. The scheme - funded by the Scottish Government and managed by the Scottish Council for Voluntary Organisations (SCVO) - supports charities with grants of up to £1,000 to help them achieve Cyber Essentials accreditation.

Kate Forbes, Minister for Public Finance and Digital Economy, said: “Charities are increasingly reliant on IT and technology, however some are falling victim to a range of malicious cyber activity which is putting their valuable funds, assets and good reputation at risk.

“This fund offers grants up to £1,000 towards cyber essentials accreditation, protecting against the most common forms of internet-borne cyber-attacks. This demonstrates to supporters, donors and beneficiaries that charities are protecting their data.”

Churches Action for the Homeless is just one of the organisations that has benefitted from the grants. The group’s Alison Adams said: "With the support provided by SCVO and the guidance that we received from our IT Support provider, Churches Action for the Homeless found the accreditation process very straightforward. We hope that this achievement demonstrates to all of our stakeholders how seriously we take cyber security."

David McNeill, SCVO digital director, said: “Charities are increasingly vulnerable to cyber risks so it’s really important that they take action to keep themselves and their data safe. We’re delighted to be launching this new grants round with the Scottish Government, and we’re looking forward to helping dozens of Scottish charities boost their cyber resilience.”

More information on how to apply for the grants is available online.



James Field - Smartdesc
over 1 year ago
Great article, thank you.

We work largely in the sector and find about the same. The best defence for any organisation - no matter how small or large - is staff knowledge. IT Security training is so important, but sales people are so keen to sell software and apps that cost more and are less effective!

Carrying out an annual penetration test is also worthwhile and needn't cost the earth, because things constantly change in your IT environment.

We did a cyber attack "simulation" training event at the NCVO recently with about 13 charities, and the main theme of the day was that if the worst does happen and you do get a breach of some kind, having a pre-prepared plan to follow - even if it's just a checklist - is invaluable, because at the time there will be a lot of (understandable) panic and emotions and the basics can get missed.

A few hours just planning out and briefing staff on what your cyber attack response would be is time very well spent, along with regular training for staff on IT security - there are lots of cost-effective eLearning tools that are lightweight and keep IT security good practice at the front of people's minds.