Why aren’t British charities investing more in cybersecurity?
In this guest article, Tom Kidwell, Co-Founder of Ecliptic Dynamics, discusses why British charities are investing less in cybersecurity, and what can be done to support them.
In April the government released its Cyber Breaches Survey 2023, revealing that 24% of charities have identified cyber-attacks in the last 12 months, a drop from 30% in 2022.
And while this may look like an indicator that things are moving in the right direction, it’s likely more a sign that charities aren’t investing enough in cybersecurity, due to skyrocketing costs and a lack of funds, rather than an actual drop in attacks.
So, what are these government figures around cyber breaches really telling us about the state of security in the third sector? How can charities remain secure and what more can the public and private sector do to support organisations in their uphill struggle to ward off cyber-attackers?
The Cyber Breaches Survey is an annual report which looks to shine a light on the current state of cybersecurity in the UK. This year it included responses from 1,174 UK registered charities. These findings revealed that just 27% of charities have undertaken cyber risk assessments, while less than a fifth (19%) have deployed security monitoring tools – two crucial components to any comprehensive cybersecurity strategy.
On top of this, only 19% were aware of the National Cyber Security Centre’s (NCSC) 10 Steps to Cyber Security guidance, which outlines key steps organisations can take to improve their cybersecurity stature. Of that 19%, just 2% had implemented the measures.
When you couple this with the fact that the number of charities identifying attacks has gone down in the last twelve months, something doesn’t add up. If charities are investing less in cyber protection, leaving themselves more vulnerable, then why aren’t attackers taking advantage of this?
In my opinion, these stats suggest that attacks are being underreported, indicating a lack of knowledge from charities around when and how they are being attacked; many may not even know when an attack occurs. The reality is that most third-sector organisations simply don’t have the budget to invest heavily in cybersecurity, and unfortunately that means that many just don’t know when they’ve been breached.
If you compare how many charities have deployed security monitoring tools (19%) or undertaken cyber risk assessments (27%) against the number that have identified an attack (24%), they all sit at roughly a quarter of charities. This is unlikely to be a coincidence and may be a much more accurate indicator of what the threat landscape looks like for charities.
Identifying real risk
Charities are under massive threat from a cybersecurity perspective, and these threats are growing. It’s been estimated that by 2025 the cost of cybercrime globally will cost businesses $10.5tn. If this is the case, it will be the world’s most expensive crime, and as an economy, will be eclipsed only by the United States and China.
So, the key for charities is understanding their risk, and selecting strategies that are appropriate in terms of response. The first step is to undergo a cybersecurity health check or risk assessment. This will highlight your vulnerabilities, giving you a map of where your security posture needs to improve.
However, it’s important that the response is proportional, especially for cash-strapped charities who want to direct most of their funding into the projects and people they’ve pledged to support. Within the cybersecurity space currently, shiny new technologies and solutions are coming to market all the time, and the pressure on organisations to choose these expensive products can be huge. What is critical though is choosing solutions that make sense, rather than getting drawn into spending big on unnecessary measures.
What many don’t know is that there are lots of different ways to improve cyber stature without breaking the bank, and making changes to your processes can often make a bigger difference than implementing a new tool or product.
Two-factor authentication (2FA) / Multi-factor authentication (MFA)
2FA or MFA requires individuals to provide at least two sets of information to access specific segments of data or online accounts, usually from different devices. Most people will have used this to access social media accounts or emails; after entering their password they’ll be asked to input a code sent to their mobile or email.
This solution often costs very little compared with many others, and it is extremely effective, making it much harder for malicious threat actors to gain access to sensitive data using leaked passwords or compromised credentials, which are becoming ever more commonplace.
Access management and data segmentation
One of the biggest issues facing charities is the handling of endless amounts of sensitive data, while also having lots of staff and stakeholders accessing their networks. In this situation, if just one user becomes compromised, the entire environment could be breached, giving malicious groups access to every piece of information stored within the charity.
One of the most effective ways to stop this is to only give users access to what they need to complete their job. Using an access management solution will allow you to give specific users access to specific things. But, this will only work with data segmentation. This involves segmenting your data into smaller, gated parts, which can only be accessed with the right access. Couple together, these practices will make it much harder for hackers to move freely across your network.
Staff training and investment
The unfortunate reality is that most breaches happen due to human error. A report published by Verizon last year indicated that as many as 82% of cyber-attacks were caused by some sort of human element, and while this is a high number, in many ways it isn’t surprising; investment in cybersecurity training must improve for all types of organisations.
Your staff should be considered a part of your assets, and are something that also need protecting, and that’s why giving them the training and knowledge they need to remain safe and secure is crucial. It’s impossible for employees to stop something they don’t know about, and training can be key to changing this.
Following the pandemic, it has been a tumultuous time for charities, with budgets being stretched further and further. And with the growing threat of cyber-attacks, it’s important that they invest in the right areas of protection. It’s also important that the private and public sector work to aid third-sector as much as they can; even if it’s just slightly reduced rates, or a free cyber health check – these can go a long way in improving the landscape for struggling charities.