The Department for Digital, Culture, Media and Sport has published its latest annual survey on the epidemic proportions of cyber attacks on charities. Phishing attacks, impersonation frauds and malware are now an everyday feature for anyone working for a charity - not just for IT professionals.
And it hits charities financially when donor money could be better spent elsewhere: the average cost for breaches was over £9,000 (although there must be a huge level of variability). Perhaps more telling was that it took an average of 4 days to deal with the most serious breaches; trustees need to consider the implications for beneficiaries and staff of that level of disruption.
In assessing the risk, trustees need to be aware that the cost of a cyber attack consists of 3 parts: 1) the direct cost of the attack; 2) recovery from the attack; and 3) long-term changes. The last one is often forgotten, because it covers alterations to procedures and practices that go on far into the future, but the survey shows that on average it is 25% of the total cost of a breach.
Plus, a serious breach needs to be reported to the Charity Commission as a Serious Incident and can lead to a fine from the Information Commissioner.
So what can be done? Well, don't think that just having all the latest anti-virus software is going to provide comfort: 70% of the most disruptive breaches in charities were spotted by a human being, which shows the vital need to have your teams and volunteers vigilant at all times.
Trustees need to be assured that good practice is being implemented: both prevention and response. But only 51% of charities with income over £5m could say they had a cyber incident response plan in place.
Grant Thornton's cyber-security capability works to allow organisations to take control of their security in a way that isn't masked in jargon and doesn't require investment in expensive, complex solutions. It can be scaled for charities depending on their size and requirements, and it focuses as much on recovery as it does on prevention.
22 per cent of charities reported having a cyber security breach or attack in the last 12 months