Last week the government urged charities and UK businesses to improve cyber security practices, following publication of the 2022 Cyber Security Breaches Survey by the Department of Digital, Culture, Media & Sport (DCMS) on 30th March.
The survey reveals how the frequency of cyber-attacks continues to increase, with 30% of charities reporting attacks or breaches over the last 12 months.
26% of those suffering attacks say they experience attacks or breaches at least weekly. One in five experienced a negative outcome, such as a loss of money or data. Even breaches that did not result in negative financial consequences or data loss had a significant impact - most commonly having to redirect staff to deal with the problem and introduce measures to protect against similar future situations.
Smaller organisations take little proactive action on cyber security, according to the survey, driven by competing budget priorities and a lack of internal knowledge. It notes a particular issue with charities lacking focus, where the absence of enforced regulation means that charities can feel there is no immediate need to prioritise cyber security. Boards were more receptive to action when they recognised it as a threat to continuity which carries an operational or financial risk, which of course it is.
Since the UK GDPR came into force in 2018, it has been a legal requirement for charities to ensure appropriate security for personal data. This covers protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
They are required to have technical and organisational measures ensuring “a level of security appropriate to the risk”. Last year the ICO took enforcement action for the first time against charities and not-for-profit organisations, including a case in Scotland, where there continue to be reports of significant data breaches in the sector.
Practical tips: What are charities required to do?
Data protection law does not prescribe specific standards: there is no one-size-fits-all approach to security. But for starters:
- Charities should follow the Small Charity Guide to boost cyber security operations
- 10 Steps to Cyber Security is a piece of government guidance. It helpfully breaks down the task of protecting an organisation into 10 key components intended to mitigate against the majority of attacks.
It is essential to remember ‘appropriate’ measures will involve more than just technological and cyber-security measures. They must also include organisational measures, like allocating responsibilities internally, having appropriate policies, and training staff on handling personal data.
There are some risk issues particular to the charities sector, such as facilitating volunteer access to sensitive personal data. Home-working and hybrid working also involve increased security risks, since they usually mean facilitating remote, unsupervised access to confidential and sensitive personal data about service users. Staff using their own personal devices for work has historically been more prevalent in charities than in other sectors, especially in smaller charities with more limited budgets for IT equipment and office space. Nearly 64% of charities in the DCMS survey mention that staff regularly do this.
More practical tips:
- The ICO recently updated its guidance on working from home, listing issues to consider when staff are using their own devices, with a view to compliance with security and data protection requirements generally.
- Charities working to overcome challenges and their own lack of expertise in this area should consider joining networks of CEOs or other organisation leaders (for example ACOSVO, for Scotland’s voluntary sector leaders) to share insider knowledge and resources.
Sean Morris (Solicitor) is a Legal Manager at Navigator Law.