Cyber criminals seeking personal data, phishing and ransomware opportunities are looking at tightly resourced schools, charities and public sector firms as targets

By editor Katie Scott

The continued, rampant uptick in cyber attacks and cyber crime affecting UK businesses has been incredibly well publicised, with the government’s Department for Science, Innovation and Technology reporting in April 2024 that 50% of British businesses have experienced some form of cyber security breach or attack in the last 12 months.

And although we can all agree that cyber attacks have a terrifyingly indiscriminate nature to them, there are perhaps a few sectors where this rise in cyber crime has flown under the radar – for example, schools, charities and public sector organisations.

According to the aforementioned Cyber security breaches survey 2024 published by the government, 32% of charities have faced a cyber security breach or attack in the last 12 months – phishing, in particular, has impacted 83% of these organisations.

The report’s education institutions annex further demonstrates that no sector is safe from cyber threats – 52% of primary schools, 71% of secondary schools, 86% of further education colleges and 97% of higher education institutions in the UK were all found to have dealt with a cyber attack in the last year too.

Arun Banerjee, a cyber risk consultant at Zurich Resilience Solutions, agreed that “cyber attacks on schools, the public sector and charities in the UK have been more frequent in 2024, which reflects the evolving nature of cyber security threats across these sectors”.

Scott Bailey, cyber underwriting lead at cyber specialist MGA CFC Underwriting, also confirmed a recorded uptick in these typically less lucrative sectors being targeted by cyber criminals.

Citing his firm’s global 2023 cyber claims data, Bailey noted that ransomware was the root cause of 37% of education cyber claims – compared to a global average of 18%.

Meanwhile, he identified theft of funds as driving 33% of public sector cyber claims last year, versus a global average of 24%.

Bailey continued: “Schools and public sector risks, in general, have always been targeted by hacking groups.

“Historically, charities have been less of a target – perhaps reflecting the notion that even hacking groups have morals – but in recent years, there have been some high profile incidents involving charities and, seemingly, they are a more impacted class than before.”

So, why are these sectors growing more attractive for cyber criminals?

Delectable data

Primarily, the driver behind cyber attacks hitting these specific sectors is the ability to take advantage of organisational inefficiencies – such as a lack of financial resources or IT expertise – to steal data. This information can then be leveraged by cyber criminals to demand a ransom payout.

Bailey explained: “[These sectors] all hold a lot of personal identifiable information, which makes them an attractive target for cyber criminals as that data has huge value on the dark web.

“Cyber criminals will typically seek a greater ransom demand as a result and, increasingly, they’ll exfiltrate the data and threaten to release it if their demands aren’t met. This is a particularly sensitive area for public service organisations.

“Cyber criminals tend to target those that are vulnerable and – unfortunately – many schools, charities and public sector organisations fall into this net.”

David Epstein, director of West Sussex-based broker Sturdy Edwards – which provides insurance for independent schools and charities – agreed: “[One of] the things that schools in particular need to worry about is the infiltration of their data where they’ve got sensitive data, [as well as] the cost of informing everyone that they may have had a breach.”

Too good an opportunity?

Both Bailey and Banerjee agreed that schools, charities and the public sector face a number of IT challenges, hampered by tight budgets, that can work to lay out the welcome mat for scammers.

Bailey said: “Regrettably, with public purses more stretched, there is sometimes less depth of cyber security protection in these industry areas than some others.

“It’s generally the case that organisations in these sectors don’t have the budget to engage outsourced cyber security measures or [do not have] the internal expertise to be able to translate complex technical information from these [types of] providers into practical business operations.

“[CFC] recently carried out some detailed analysis of the costs to an SME of outsourcing the cyber security services that our policyholders benefit from for free as part of our cyber insurance product.

“It amounted to an annual spend of £59,566. That’s a significant sum – not to mention the burden placed on in-house resources to actually manage them.”

Banerjee added that other cyber security challenges for these sectors included integration issues “between legacy IT systems and modern security solutions”, the “reliance on third party services” and volunteers who may not have undergone cyber security training, as well as a shift to remote learning linked to the Covid-19 pandemic.

Coverage considerations

For Epstein, cyber cover for these sectors “varies wildly”.

He said: “The problem is we read the wordings, look at the conditions on the policies and narrow it down to a few insurers each year that we’ve got confidence [in] – but every year it changes dramatically.”

Citing examples, Epstein noted that one insurer Sturdy Edwards works with has reduced its sums insured for cyber provision, another has pulled out of offering this cover, while a third insurer has introduced a “whole range of different conditions that nobody complies with” into their policies.

“We will sell [cyber insurance], but it’s difficult to get it right,” he added.

Bailey added that there are further coverage “nuances” to consider too.

He explained: “Most cyber policies reimburse profit plus recurring costs, so coverage for charities does need to reflect their differing earnings pattern – they don’t profit, hence reimbursing loss of revenue is more the indemnity sought by a charity.

“Charities may feel morally compelled to pay a ransom demand to avoid publication of donor data, while the public sector is sometimes prevented by governmental legislation from paying ransom demands, meaning that the ability to recover from backups and utilising system rebuild techniques is of utmost importance to these organisations.”

On a positive note, Epstein explained that insurers are aware that phishing is a particular threat for these sectors. He said: “We’ve got insurers now that are much more relaxed about [their] conditions because they accept that human error will occur.”

Solutions

Bailey believes that due to the IT infrastructure and financial challenges faced by schools, charities and the public sector, cyber insurers and brokers have an even more important role to play across these industries – especially when it comes to preventative action and supporting these organisations to strengthen their cyber defences.

“Leading cyber insurers like CFC believe the blend of proactive attack prevention, in-house expert incident response and dedicated cyber claims management is particularly relevant for schools, charities and public sector organisations that may not have the resources to invest in cyber security measures,” he said.

“We also find these sectors need more handholding from a technical perspective, usually because their IT departments are often under resourced and perhaps less sophisticated.

“We’ve experienced a higher need for ‘boots on the ground’ assistance in responding to an attack.”

He urged brokers working in these markets to “encourage every client to test their incident response plans and don’t assume [these plans] will [just] work”.

Banerjee agreed: “In addition to strengthening defences, it is crucial to understand key cyber risks and develop a resilience strategy to minimise the impact of any cyber attack. Regularly testing this resilience is essential.”

The ever-evolving cyber market is a fascinating one – industry commentators define it as the next systemic risk, while many businesses think a cyber attack will never happen to them.

This juxtaposition is why the cyber insurance arena will remain in its infancy for longer than most other markets, as its pace of change is like no other line.

Both brokers and insurers must step up to the plate to ensure that all business sectors can be sufficiently protected against burgeoning cyber risks.