Cyber Threat Report: UK Charity Sector

This is a report from the NCSC that outlines the cyber threat that charities of all sizes now face.

The purpose of this report is to help charities understand current cyber security threats, the extent to which the sector is affected and whether it is being targeted, and where charities can go for help. This report is an update to NCSC’s February 2018 “Cyber threat assessment: UK charity sector”.

This report draws on consultation with experts within the National Cyber Security Centre (NCSC), other government departments and open sources, and was written with the support of The Charity Commission for England and Wales.

The National Cyber Security Centre (NCSC), a part of GCHQ, is the UK’s technical authority for cyber security. Since the NCSC was created in 2016 as part of the Government’s National Cyber Security Strategy, it has worked to make the UK the safest place to live and work online. The Charity Commission for England and Wales registers and regulates charities in England and Wales, to ensure that the public can support charities with confidence. It works in partnership with the NCSC to enhance the cyber resilience of charities.

Charities in the UK range from large, internationally recognised organisations to small, local community ones. The range of activity by UK charities is diverse, benefitting many sections of society, both here and overseas. All charities with an annual income of over £5,000 are required to register with a UK charity regulator.

There are 200,000 charities registered in the UK with a combined annual income of £100 bn. In England and Wales alone over a million people are employed in the charity sector with over 5 million volunteers.

The DCMS Cyber Security Breaches Survey measures the policies and processes organisations have for cyber security, and the impact of breaches and attacks. In the 2022 survey 30% of UK charities identified a cyber attack in the last 12 months. Of those attacks, 38% had an impact on the service with 19% “resulting in a negative outcome”.

Why is the charity sector particularly vulnerable?

• The charity sector faces the same cyber risks as private sector and government organisations but there are some reasons why charities could be particularly vulnerable to cyber attack:

• Charities are attractive targets for many hostile actors seeking financial gain, access to sensitive or valuable information, or to disrupt charities’ activities.

• Charities may feel reluctant to spend resources, money, oversight and staff effort on enhancing cyber security rather than on front line charitable work.

• Charities have a high volume of staff who work part time, including volunteers, and so might have less capacity to absorb security procedures.

• Charities are more likely to rely on staff using personal IT (Bring Your Own Device) which is less easy to secure and manage then centrally issued IT.

• And finally, the impact of any cyber attack on a charity might be particularly high as charities often have limited funds, minimal insurance coverage and, by their very nature, are a supplier of last resort providing services where there is insufficient government or affordable private sector alternatives.

The full report can be read here.