A guide to cyber security for charities


Charities play a significant role in communities, and as a result, often handle sensitive personal and financial information about beneficiaries, donors, and volunteers.

An increased reliance on digital devices has exposed charities to a range of cyber security risks: the Cyber Security Breaches Survey 2025 revealed that three in ten charities experienced a cyber security breach or attack in the last 12 months. A cyber-attack can lead to financial loss, reputational damage, and disruption to delivering services that vulnerable people depend on, so it is essential that charities are equipped with sound cyber security guidance.

Continue reading our cyber security guide to help charity professionals and trustees protect their organisation from cybercrime.

What is cyber security?

Cyber security refers to the measures and practices designed to protect computer systems, networks, and the data they hold from unauthorised access, attacks, or damage. It covers a range of activities, including securing devices, managing passwords, and controlling access to sensitive information. For charities, implementing cyber security measures is crucial for protecting beneficiary, donor, and volunteer details, complying with data protection laws, and preventing any disruptions to service delivery.

What is cybercrime?

Cybercrime is any criminal activity carried out using computers or the internet, targeting individuals, organisations, or systems for financial gain, disruption, or information theft. Cybercriminals may exploit vulnerabilities in software, trick volunteers or staff into revealing passwords, or intercept sensitive data. Understanding the nature of cybercrime helps organisations to recognise risks and implement appropriate safeguards, ensuring they can continue to deliver essential services without interruption.

Types of cybercrime

According to the largest and fastest growing UK charity community, Charity Excellence Framework, cyber security risks facing charities include:

  • Phishing attacks: Criminals impersonate real people or organisations to trick charity staff into revealing sensitive information or transferring funds – often in the form of an email.
  • Ransomware: Malicious software encrypts charity data, followed by criminals demanding payment for the release of the charity's database or website.
  • Data breaches: Unauthorised access to confidential information, such as donor details, which can lead to reputational damage and legal repercussions.
  • Website attacks: Hackers exploit vulnerabilities in charity websites to inject malware or deface pages.
  • Social engineering: Manipulating individuals to disclose confidential information or perform actions detrimental to the charity’s interests.

Why your charity needs cyber security

Effective cyber security helps to reduce the risk of your charity falling victim to cybercrimes that can compromise sensitive data, halt operations, and damage the trust of donors, beneficiaries, or partners. Overlooking cyber security can lead to harmful consequences for a charity, ranging from financial losses to damage to the charity’s reputation and its ability to fulfil its purpose.

There are laws and regulations in the UK which organisations must adhere to, such as the Data Protection Act 2018 and UK GDPR. Cyber security protects personal data and makes it easier for charities to comply with these laws and regulations. By prioritising cyber security, charities can assure stakeholders of their dedication to safeguarding information and maintaining uninterrupted support for those in need.

How charities can prevent cybercrime

Charities can significantly reduce cyber risks by implementing practical cyber security strategies.

Back up your data

Charities should regularly back up important data to secure, off-site locations or reputable cloud services to ensure that critical information can be restored quickly and operations can continue with minimal disruption. Test backups and recovery procedures often to maintain data security and minimise the impact of an attack.

Protect against malware

Install cyber security software, such as Avast Business Cybersecurity Solutions or Bitdefender GravityZone Business Security, on all devices used by the charity, and make sure to keep these tools updated. Educate staff about the dangers of downloading files or clicking on suspicious links as malware can easily compromise sensitive information.

Secure any devices

Ensure all laptops, tablets, and smartphones used within the charity are password-protected and encrypted where possible. Limit device access to authorised personnel and enable features to wipe any devices remotely in case of loss or theft. Keep a list of all devices and make sure to review and update security settings regularly.

Use strong passwords

Instruct staff and volunteers to create complex, unique passwords for all accounts. Microsoft recommends using passwords which are at least 12 characters long, with combinations of upper- and lower-case letters, numbers, and symbols. Avoid using easily guessed or repeated passwords across multiple platforms and consider using a password manager for added security.

Defend from phishing

Raise awareness about phishing emails and messages among all staff and volunteers and train them to recognise suspicious requests for sensitive data or urgent payment instructions. Always verify the authenticity of unexpected communications before responding or clicking on any included links.

Train to stay alert

Provide regular cyber security training to staff and volunteers, helping them to spot threats and understand the best cyber security practices. It is important to encourage a culture of vigilance and reporting, so that potential incidents are identified and addressed quickly. Ongoing training is key to building strong cyber defences and to ensuring your organisation operates safely online.

Implement multi-factor authentication

Enable multi-factor authentication (MFA) on all accounts and systems where possible. MFA requires users to provide a second form of identification, such as a code sent to a mobile device, making it much harder for unauthorised users to gain access, even if passwords are compromised.

Keep software and systems updated

Regularly update all software, operating systems, and apps to the latest versions, as these updates often include security fixes and patches that close security vulnerabilities. Where possible, enable automatic updates to ensure critical fixes are installed consistently and risks are minimised.

Set up firewalls

Install and turn on firewalls to protect your charity’s network from unauthorised access: they act as a barrier and monitor incoming and outgoing traffic for suspicious activity. Fortinet, a global leader in cyber security solutions and services, describes how firewalls help by stopping virus attacks, preventing hacking, and blocking spyware. Make sure to regularly review and update your firewalls to maintain cyber security.

Create a cyber incident response plan

If feasible, develop a clear, written plan outlining the steps to take during a cyber incident. Assign roles and responsibilities, establish communication processes, and rehearse the plan with staff. A well-prepared response can substantially reduce the impact of an attack and help your charity recover promptly.

Consider cyber insurance

Cyber insurance can help protect your business in the event of a malicious attack on your computer systems and data. This can help to minimise any disruption to your business, covering the financial costs involved in handling and recovering from a cyber-attack or hacking threat.

Discover more information about how to protect your organisation from cyber-attacks, or access the National Cyber Security Centre’s free Cyber Action Toolkit.

Cyber security services and tools

GOV.UK recommend a range of cyber security tools and services for different types of charities:

For all charities: Charities can use a range of NCSC Active Cyber Defence tools, most of which are free, to help you protect your charity.

For small charities: Check your cyber security with the NCSC’s free online service to look for common weaknesses in, for example, your emails, your website, or web browser you use.

For medium and large charities: The Cyber Governance Code of Practice sets out actions you can take to protect your charity, and you can join the NCSC Cyber Essentials Scheme to certify if your charity is cyber secure.

How to respond to cybercrime

If your charity is targeted with a cybercrime, you can respond by following the below steps:

  • Contact your insurer: If you have cyber insurance, contact your provider first.
  • Confirm the attack: To verify if an attack has occurred, look at your security software or contact your IT security provider.
  • Determine the type of attack: Enlist an IT technician to help you identify what type of attack took place.
  • Contain and assess the damage: Suspend all devices/platforms which have been affected, then consider what information was taken and the impacts of the cybercrime.
  • Report to the authorities: The Data Protection Act 2018 requires data breaches to be reported to the Information Commissioner's Office (ICO) within 72 hours if they pose a risk to individuals' rights and freedoms.
  • Inform any donors, volunteers, or beneficiaries: Outline the plan you are going to take to address the event. It is essential that you notify your customers before any media or social sources potentially share it.
  • Secure your database: Protect your business against cybercrime, and keep your staff and volunteers trained on how to identify and respond to an attack in the future.

For an in-depth explanation of what to do in the event of a cyber-attack, read our dedicated article.

How to report a cybercrime in the UK

If your charity experiences a cybercrime, you can report it to the police, or, if the incident affects any of the following, you can submit a form to the National Cyber Security Centre:

  • Data on employees, customers, or clients of the organisation – in a charity, this would include beneficiaries, volunteers, or donors
  • The organisation’s computer firmware, software, or hardware
  • Personal data of the UK, Channel Islands, and Isle of Man


Discover help and guidance for charities, or learn more about our charity insurance and cyber insurance.

Please note: This article provides guidance for information purposes only. It should not be relied upon wholly when making or taking important business decisions – always seek the services of an appropriately qualified professional. The views expressed by websites referenced to are limited to those of the websites, and do not necessarily reflect the views of Markel Direct.
