One fifth of charities have been hit by a cyber attack in the past year, according to the Cyber Security Breaches Survey from the Department for Digital, Culture, Media and Sport.

81% of charities were targeted by email phishing scams, 20% by people impersonating them online, and 18% by viruses and malware.

Though the most common targets were larger, more well-known charities with an income over £500,000 per year (52% of whom had been affected by a breach or attack), all charities and VCSE organisations need to consider the growing threat of cyber attacks.

The survey of 1,566 businesses and 514 charities also found that:

• The average cost for charities that lost data or assets in breaches was £9,470.
• Charities were more likely than businesses to have cyber security policies in place, to have made changes due to GDPR, and to have done a cyber security risk assessment in the past year.
• 49% of charities reported their directors and trustees were only updated on cyber security once a year, if that.
• Only 29% of charities said staff had been trained in cyber security.

Attacks and data breaches not only cost money, but they cost staff time, slow up workflow and cause potential problems for service users.

“It’s vital to help staff, trustees and volunteers to understand their critical role in protecting the organisation and give them the information on how to report a phishing email,” said Kate Sinnott, head of charity engagement at the National Cyber Security Centre.

How can we improve cyber security in VCSE organisations?

These are some of the most common actions that voluntary, community and social enterprise (VCSE) organisations could take:

• Arrange internal or external training for staff, trustees and volunteers
• Add a list of cyber security protocols to staff, trustee and volunteer policies, and go through them in inductions.
• Remind everyone to set different and complex passwords for each online account and for their work login; secure password storage (such as Lastpass) can help with this. Revoke access once someone leaves your organisation.
• Ensure trustees use individual email addresses, not those shared with partners or colleagues.
• Keep your firewall and anti-virus software updated.
• Regularly back up data on cloud computing systems and on external hard drives.
• Don’t use unsecured Wi-Fi networks when working remotely in public places; use a VPN (such as TunnelBear) instead, to encrypt your data.
• Keep up to date with the latest phishing scams, so you know what to look for. Tell everyone to forward (without opening) any suspicious emails to the person or people leading your cyber security, including emails from existing contacts whose accounts may have been hacked.

Cyber security is just one aspect of improving your digital skills. The Department for Digital, Culture, Media and Sport recently funded a major Digital Leadership programme run by Voscur, Dot Project, 3SG, CVS South Gloucestershire and WeSport, which covered this topic alongside digital fundraising, digital tools for productivity and other technology concerns for the VCSE sector.

If you want to improve your organisation’s digital skills but don’t know where to start, contact Voscur for more information.