Cybersecurity experiences and practices in charities

Abstract: This study investigates the security practices of nonprofit organisations in Sweden. Nonprofit organisations are organisations with a social mission. They collect sensitive and critical information, use ICT like other organisations, and face threats from cybercrime. But we know little about how nonprofit organisations protect their assets. The method used for the research was an explorative and descriptive study using a survey methodology with interviews and a questionnaire as the instruments of data collection. Interviews were conducted for five weeks beginning in March. The questionnaire was distributed at the beginning of April to 421 charity organisations. Of those, 58 charities provided valid responses after four weeks. Based on the interviews and questionnaire responses, this research describes charity experiences and practises of cybersecurity. It describes the charity's use of both organisational and technical measures. It also describes the importance that the charity places on cybersecurity, previous experiences of breaches, and challenges with trust and transparency. The results are compared to previous research on nonprofits and small business security. The findings indicate that the current cybersecurity practice in charities is weak—most of the respondents report only using standard technical measures like anti-virus and firewalls. Less frequently, other standard technical measures are used. Charities are split on their use of organisational measures. A slight majority have identified attacks in the last 12 months. Charities respond that their level, knowledge, and budget for cybersecurity are either insufficient or sufficient. Interview findings are that charities are incentivised to prioritise money towards the mission, which prevents them from making investments in cybersecurity. Further research looking to make an impact should explore how society can incentivise charities and donors to invest in cybersecurity.