Subscribers | Charities Management magazine | No. 167 Spring 2026 | Page 3
The magazine for charity managers and trustees

Cost-conscious steps which charities can take to protect against cyber attacks

The Cyber Security Breaches Survey 2025 found that 30% of UK charities reported a cyber security breach or attack in the past 12 months. Such an attack can create serious operational risk, especially for organisations built on public trust and funded by donations. An incident can interrupt services, delay payments, expose sensitive information about beneficiaries and supporters, and undermine confidence.

Many charities have to deal with a reality that does not affect large corporations. Teams are often lean, volunteers frequently come and go, and technology is typically older. Criminals do not need to outsmart a well-resourced IT department; all they need is one weak password, one convincing email or one system that has not been updated.

The positive news for charities is that most breaches start via routes that can be blocked, even on a low budget. Some of the best protection comes from doing the basics consistently, prioritising what matters most and building a positive culture around cyber risk management.

Email still the easiest way in

For many charities, email is the biggest weakness. If an attacker gets into a mailbox, they can reset passwords on other services, impersonate senior staff, redirect supplier payments or target donors with convincing requests. Phishing is a common challenge, and the culture of goodwill and helpfulness within charities makes their staff natural targets.

Phishing emails can include impersonations of trusted organisations, such as regulatory or fundraising bodies, tricking staff or trustees into clicking links or acting on bogus requests.

Scammers have impersonated known partners, suppliers or internal colleagues. Emails have requested bank detail changes, payment approvals or invoicing information, leading to significant financial losses.

Another possibility is an email that appears to come from a colleague or donor offering a “review” of a proposal or shared file and tricking staff into entering credentials on bogus login pages, allowing attackers to capture access details.
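As an added illustration, not part of this article and not any vendor's product, the following Python script checks inbound email headers for the impersonation patterns just described: a known contact's display name on an unfamiliar address, a lookalike sender domain, a Reply-To that diverts the conversation elsewhere, and payment or bank-detail language in the subject line. The list of known senders, the two-character lookalike threshold and the sample headers are all constructed assumptions.

```python
"""Flag sender-impersonation patterns in inbound email headers.

Added example; not from the article or any vendor product. KNOWN_SENDERS,
the lookalike threshold and the sample headers are constructed assumptions.
"""
import re
from email.utils import parseaddr

# Assumed: the addresses the charity genuinely deals with and the names they use.
KNOWN_SENDERS = {
    "finance@examplesupplier.org": "Example Supplier Ltd",
    "director@ourcharity.org.uk": "Jane Director",
}
TRUSTED_DOMAINS = {addr.split("@")[1] for addr in KNOWN_SENDERS}
LOOKALIKE_MAX_DISTANCE = 2  # assumed: at most two characters away counts as a lookalike
PAYMENT_PRETEXT = re.compile(r"\b(bank details|new account|urgent payment|change of account)\b", re.I)


def domain_of(addr):
    """Lower-case domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(headers):
    """Return a list of findings for one message; an empty list means no indicator fired."""
    findings = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_addr = from_addr.lower()
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(headers.get("Reply-To", ""))[1].lower())

    # 1. A known contact's display name attached to an address we have never seen.
    for known_addr, known_name in KNOWN_SENDERS.items():
        if from_name.strip().lower() == known_name.lower() and from_addr != known_addr:
            findings.append(f"display name '{known_name}' used with unknown address {from_addr}")

    # 2. Sender domain is a near miss for one of ours or a supplier's (e.g. one letter swapped).
    for dom in TRUSTED_DOMAINS:
        if from_dom != dom and edit_distance(from_dom, dom) <= LOOKALIKE_MAX_DISTANCE:
            findings.append(f"sender domain {from_dom} resembles trusted domain {dom}")

    # 3. Replies would leave the apparent sender's domain entirely.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. The classic invoice-fraud pretext: a payment or bank-detail change.
    if PAYMENT_PRETEXT.search(headers.get("Subject", "")):
        findings.append("subject asks for a payment or bank-detail change: verify by phone on a number already on file")
    return findings


# Constructed sample messages, not real traffic.
SAMPLE_INVOICE_FRAUD = {
    "From": "Example Supplier Ltd <finance@examplesuppller.org>",   # 'i' replaced by 'l'
    "Reply-To": "accounts-update@mail-relay.example",
    "Subject": "Change of account: updated bank details for invoice 4471",
}
SAMPLE_GENUINE = {
    "From": "Example Supplier Ltd <finance@examplesupplier.org>",
    "Subject": "Invoice 4471 attached",
}

if __name__ == "__main__":
    for label, msg in (("fraud", SAMPLE_INVOICE_FRAUD), ("genuine", SAMPLE_GENUINE)):
        print(label, assess(msg) or ["no indicators"])
```

A script like this is a triage aid for whoever handles the finance inbox, not a substitute for the out-of-band verification step: a message that passes every check can still be fraudulent, and a genuine supplier can legitimately change its email provider.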

Tightening identity controls can deliver strong protection without major cost. Multi-factor authentication on email accounts means a stolen or guessed password is no longer enough on its own to log in, which blocks many account takeovers outright and limits the damage when a password does leak.

Tackling permissions is another sensible step. Unnecessary admin permissions are a common problem. Roles change over time: a temporary project becomes permanent access, and a volunteer who needs access for a weekend event keeps it for months. Every extra permission increases risk.

Building a risk-focused culture

Knowledge and culture are crucial to reducing risk. Cyber awareness training is one of the most effective defensive measures a charity can take, and running phishing simulations to test the team's ability to spot rogue emails can be especially effective.

Building processes or habits around specific activity can help too.

Any request involving a large money transfer or a change of bank details should require dual sign-off by senior personnel within the charity. Linked to this should be a requirement to verify bank detail changes through a trusted channel, not by replying to the email: call the supplier on a phone number already held on file, never on one supplied in the request itself.

System access control and updates

The risk of someone breaking into a system that holds sensitive data, from supporter contact details to beneficiary information, increases when access is not tightly managed.

The most important digital systems are usually email, finance systems, donor management, service delivery platforms and file storage. Review who can access each, and whether they actually need that access. Focus on high impact actions like exporting donor records, downloading beneficiary data, creating new users, approving payments, changing bank details and altering security settings.

Many charities find they can reduce access (and therefore risk) without affecting delivery, simply by removing old permissions and narrowing who can take sensitive actions.

Remove dormant accounts promptly when staff leave and when volunteers finish placements. Put a clear step into your leaver checklist to disable access on day one; the account can be tidied up later, and this is far quicker than trying to trace a former user's activity after an incident. If you rely on shared accounts, move away from them where you can. Shared logins erase accountability and make it harder to contain problems.
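The access review described above, covering who holds high-impact roles, dormant accounts and shared logins, can be made routine with a short script. The following is an added example, not the article's own material. It assumes an account export of the kind most email and identity platforms can produce (username, role, last sign-in, named owner, shared flag); the column names, the 60-day dormancy threshold, the role names and the sample rows are all assumptions.

```python
"""Access review over a constructed account export.

Added example, not the article's own material. The CSV columns, the dormancy
threshold, the role names and the sample rows are assumptions for illustration.
"""
import csv
import io
from datetime import date

DORMANT_DAYS = 60  # assumed: no sign-in for this long means disable, then review
# Assumed role names covering the high-impact actions the article lists:
# full admin rights, approving payments, exporting donor records.
PRIVILEGED_ROLES = {"global_admin", "finance_approver", "donor_export"}

# Constructed export of the shape most email/identity platforms can produce.
SAMPLE_EXPORT = """\
username,role,last_sign_in,owner,shared
jane@ourcharity.example,global_admin,2026-03-01,Jane,no
events-desk@ourcharity.example,donor_export,2025-11-15,,yes
tom.volunteer@ourcharity.example,donor_export,2025-12-20,Tom,no
finance@ourcharity.example,finance_approver,2026-03-10,,yes
anna@ourcharity.example,user,2026-02-28,Anna,no
"""


def rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def holders_of(csv_text, role):
    """Who can currently take the action tied to this role? Sorted usernames."""
    return sorted(r["username"] for r in rows(csv_text) if r["role"] == role)


def review(csv_text, today_iso):
    """Return {username: [issues]} for accounts that need action; today_iso is YYYY-MM-DD."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for r in rows(csv_text):
        issues = []
        idle_days = (today - date.fromisoformat(r["last_sign_in"])).days
        privileged = r["role"] in PRIVILEGED_ROLES
        shared = r["shared"].strip().lower() == "yes"
        if idle_days > DORMANT_DAYS:
            issues.append(f"dormant for {idle_days} days: disable now, delete after review")
        if privileged and not r["owner"].strip():
            issues.append(f"privileged role {r['role']} has no named owner: assign one or remove the role")
        if shared:
            note = "shared login removes individual accountability: replace with named accounts"
            issues.append(note + " (urgent, it holds a privileged role)" if privileged else note)
        if issues:
            findings[r["username"]] = issues
    return findings


if __name__ == "__main__":
    print("can export donor records:", holders_of(SAMPLE_EXPORT, "donor_export"))
    for user, issues in review(SAMPLE_EXPORT, "2026-03-20").items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run against a real export, the output is a to-do list for the next access review: each flagged account is either disabled, given a named owner, or replaced with individual logins. Running it monthly, and again whenever someone leaves, keeps the list short.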

Updates are another high impact, low cost control. Attackers routinely exploit known vulnerabilities, so automatic patching for operating systems, browsers and mainstream applications is one of the most effective defences available. Switch on automatic updates wherever possible. Standardise devices and software where you can, because variation means more support requirements and risk.

Where devices have reached end of life and no longer receive security updates, risk increases. If replacement is not possible immediately, reduce exposure. Limit what those devices can access and restrict them from sensitive systems.

Consider third-party platforms, another common source of risk. Many charities rely on external systems for fundraising, events, marketing, case management, finance and web hosting. These often have a route into your systems, through integrations, shared logins or the data they hold on your behalf, so a breach at the provider can become a breach of your charity. Keep such platforms to a minimum and, where they exist, check what security controls they have in place, what data of yours they hold, how they back it up and how they handle incidents.

Resilience when something goes wrong

Even strong controls do not guarantee immunity, so resilience within the charity's own operations is essential.

Backups are essential, but it is important to understand what is backed up, how far back data can be restored and how quickly systems can be recovered. Also aim for backups that are protected from everyday access: ransomware attackers who can reach your backups commonly encrypt or delete them so that you cannot recover without paying.

Use separate credentials for backup systems and limit who can manage backup settings. Recovery from backups should be tested regularly, because it is common for backups to fail to restore properly, for example due to unnoticed file corruption.
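As an added example, not from this article, the following Python uses only the standard library to show what a scripted restore test looks like: back a folder up to an archive, record a SHA-256 checksum for every file in a manifest, restore into a scratch directory and compare each restored file against the manifest. The sample data set and the simulated corruption (a truncated archive) are constructed for the demonstration; the archive and manifest file names are assumptions.

```python
"""Backup with an integrity manifest and a scripted restore test.

Added example, not from the article. Standard library only; the sample data,
file names and the simulated corruption are constructed for the demonstration.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import zlib


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path, manifest_path):
    """Archive src_dir and write a manifest of relative path -> SHA-256."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(archive_path, manifest_path):
    """Restore into a scratch directory and check every file against the manifest.

    Returns a list of problems; an empty list means the backup restores cleanly.
    """
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # The 'data' filter (Python 3.12+, backported to older security releases)
                # refuses absolute paths and ../ escapes from a tampered archive.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"checksum mismatch after restore: {rel}")
    return problems


def demo(corrupt=False):
    """Build a small constructed data set, back it up, optionally damage the archive, test the restore."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "donor-data")
        os.makedirs(os.path.join(src, "reports"))
        with open(os.path.join(src, "supporters.csv"), "w") as f:
            f.write("id,name\n1,Constructed Supporter\n")
        with open(os.path.join(src, "reports", "q1.txt"), "w") as f:
            f.write("constructed quarterly report\n")
        archive = os.path.join(work, "backup.tar.gz")
        manifest = os.path.join(work, "backup.manifest.json")
        make_backup(src, archive, manifest)
        if corrupt:
            # Simulate an interrupted or partially written copy: keep only the first 64 bytes.
            with open(archive, "r+b") as f:
                f.truncate(64)
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("clean backup:", demo() or "restores cleanly")
    print("damaged backup:", demo(corrupt=True))
```

In practice the manifest should be stored alongside the backup copy that is isolated from everyday access, and the restore test should be run on the copy you would actually fall back on after an incident, not on the live system. A non-empty result is the signal to fix the backup job before it is needed, not after.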

Incident planning should be short and practical. Identify who leads in the event of an incident, who contacts suppliers, who liaises with the bank and who handles communications. Clarify how essential services continue if systems are unavailable for a day, or a week. When roles and actions are agreed in advance, you reduce downtime, confusion and the risk of secondary fraud.

Communications are important but need structure. Staff and volunteers should know where to get updates, what they should not do and how to avoid spreading unverified information. Beneficiaries and donors need reassurance and clarity. Keep messages factual, consistent and focused on actions being taken. Avoid speculation. If you do not know something yet, say so and explain what you are doing to find out.

Insurance can support recovery

Strong cyber security reduces the likelihood of an incident. Insurance helps when an incident occurs. For charities, the value is often less about a cash payout and more about having a route to timely specialist help, including out of hours. Being able to contact an insurer's specialist helpline as soon as an incident occurs or is discovered, and to activate early intervention and support from forensic experts, is critical to reducing the impact of a cyber incident.

Cyber insurance can help to meet first-party costs, meaning the charity’s own costs to respond and recover from an event. Depending on the policy, that may include incident investigation, forensic support, data restoration, system rebuild costs and professional fees for specialists brought in to contain the incident. For a charity with limited internal IT resource, this can make a huge difference.

Business interruption cover can also matter. Many charities now rely on online fundraising, digital service delivery, cloud-based donor management and remote working. When systems are unavailable, the impact is not only lost income. It can include additional costs of working, urgent outsourcing, overtime or temporary processes that pull staff away from frontline activity. Insurance can help bridge that gap where cover applies, which protects cash flow and continuity.

Cyber insurance can also support third-party exposures, such as legal costs and liabilities arising from data protection issues, confidentiality breaches or claims by affected parties. Again, cover varies by policy and wording, so it is worth checking what is included. If personal data is involved, a charity may need legal advice, support with notifications and guidance on managing regulatory engagement. Those costs can escalate quickly without support.

Many policies also provide access to a range of added-value services such as legal helplines, legal documents and contracts and PR support services. These can offer essential support at what will be a difficult time for those affected.

It is also important to understand that cyber insurance comes with risk management conditions. Insurers often expect minimum standards, such as multi-factor authentication for key accounts, patching routines, secure backups and access controls.

Relatively straightforward steps

Cyber attacks are a real risk for charities, but a number of relatively straightforward steps go a long way to reduce it: securing email, removing unnecessary access, keeping systems updated, making and testing backups, and having a practical response plan. Use insurance as a safety net that supports recovery when prevention has not been enough. Build in those steps and you make your charity a harder target, while keeping funding focused on the people you exist to support.
