Within the UK, it is our charities who suffer the greatest threat from successful cyber attacks.
While the overall reasons behind this are many, there is one overarching issue which stands out: lack of security awareness training.
A new study from Tessian found charity workers are among those with the highest susceptibility to successful phishing attempts due to their lack of cyber awareness.
This is unfortunate news, and is backed up by the number of successful data breaches within the charity sector, which has doubled in the last year.
The UK’s Information Commissioner’s Office (ICO) noted in the final quarter of 2018/19 that the number of successful data breaches affecting charities had risen 100% over the previous year.
According to the UK’s Department for Digital, Culture, Media & Sport (DCMS), one in five charities suffered a successful data breach last year, and 81% of them resulted from phishing emails.
This figure is simply too high.
The research discovered that only 11% of employees at UK charities receive regular security awareness training. This figure is significantly below the average for all UK employment sectors, which currently sits at around 34%.
Adding further weight to this low figure was the fact that 37% of charity workers had never received any cyber-security training of any kind. Consider for a moment that charities often house databases containing sensitive information pertaining to wealthy donors. Then consider that they also have some of the lowest rates of security training, and it becomes all too obvious why they are becoming the “target du jour” for modern social engineers.
“When you consider the wealth of some charities and how much valuable donor data they hold, including the personal data and payment information of high net-worth individuals, it is little wonder why hackers target this sector.”
Tim Sadler
Around 26% of organisations provided what they described as “Basic cyber security training”. This is a single training session given at the beginning of employment, with no refresher or extra learning encouraged. Out of the employees receiving just basic training, only 22% say they can remember the training.
The approach by which many charities are run, keeping business expenses as low as possible, is now having a significant and detrimental effect.
This extends not just to the fiscal damage caused by data breaches but also to the reputational damage of such events.
“Through sophisticated phishing attacks, criminals can not only cause significant financial damage but they can also erode public trust in the charity and potentially expose donors’ private interests. With so much at stake, and as phishing attacks continue to grow in frequency and severity, charities need a more proactive approach to email security training.”
Tim Sadler
At Phishing Tackle we are acutely aware of this problem, which is why we proactively work with not-for-profit organisations to help them become more secure. In addition to this, we offer free seats for eligible organisations to help with this desperately needed culture shift.
Security awareness training should not cost the earth and it doesn’t with Phishing Tackle. We hope the UK’s charities and not-for-profits will make the transition to regular security awareness training for their entire workforce soon.