Ipsos MORI was commissioned by the Department for Digital, Culture, Media and Sport (DCMS) to carry out qualitative research with UK registered charities to explore their awareness, attitudes and experiences around cyber security. The research was undertaken alongside the Cyber Security Breaches Survey 2017, which was a major survey of businesses’ approaches to cyber security.
This is part of the Government’s National Cyber Security Strategy, which aims to make the UK the safest place to live and work online. The research informs the developing work in Government and the National Cyber Security Centre to help organisations in the charitable sector to be secure and resilient online, and able to protect their important data.
The research highlights that Britain’s charities may need to do more to protect themselves from online threats, but also shows the good practice among various charities in making themselves secure.
The research found that charities are just as susceptible to cyber attacks as businesses, with staff often not well informed about the topic. Awareness and knowledge varied considerably across different charities, and those in charge of cyber security, especially in smaller charities, were not often proactively seeking information on the topic, or were relying on outsourced IT providers to deal with threats.
Where charities recognised the importance of cyber security, this was often due to holding personal data on donors or beneficiaries, or having trustees and staff with private sector experience of the issue. The charities interviewed also recognised that the staff responsible for cyber security may need new skills and that general awareness among all staff needed to rise.
- A total of 30 in-depth interviews were undertaken in February and March 2017 with UK registered charities, sampled from the respective Charity Commission databases for England and Wales, Scotland and Northern Ireland.
- Within each organisation the main person responsible for cyber security was interviewed, which included a mix of Chief Executives, Trustees, Treasurers, Chairs and in some cases more junior staff members.
- The sample profile included a wide range of charities, by income, location, charitable function, organisational status (including Charitable Interest Organisations, CIOs, as well as charitable trusts), service provision, and past experience of cyber security breaches.
- The sampling approach excluded unregistered charities (not registered with the Charity Commission) and unincorporated associations. In addition, certain types of registered charities were excluded including private schools or colleges, UK universities, community halls and churches.
- This research was conducted before the global Wannacry ransomware attack in May 2017. For example, see this news coverage on the BBC News website: http://www.bbc.co.uk/news/technology-39901382