‘Cyber security’ sounds like an IT issue, doesn’t it? And whilst for many years it was, the simple reality is that the threat landscape has changed significantly. For charities, there was a time when cyber security would have been viewed as a misplaced headline in the industry media; today it has an all-too-frequent presence.
Cyber risk has become a governance issue that affects every aspect of their operations, reputation, finances and ability to deliver everyday services. Indeed, a recent report by the NCVO and Zurich Insurance cited, “…activities once considered routine, such as fundraising, events and campaigning, now require ‘significantly greater oversight, planning and risk assessment’…” with online hostility being one of several interconnected factors leading to this situation.
Simply, for unscrupulous cyber criminals, charities are an attractive target. They not only hold significant amounts of sensitive personal information relating to donors, beneficiaries, volunteers and employees, but they’re often perceived as particularly vulnerable given that constrained resources may mean ageing technology, limited internal IT expertise, and digital security measures that are less robust than their corporate counterparts.
The 2025 Cyber Security Breaches Survey suggested that 30 per cent of all UK charities had reported a cyber-attack or breach, 86% of which involved phishing, making it by far the dominant threat type. These figures reflect reported incidents, meaning the true scale of activity may be higher.
However, advances in artificial intelligence are enabling cyber criminals to create increasingly convincing scams, making attacks both harder to detect and easier to execute. The risk landscape is therefore becoming more complex, and charity boards can no longer assume that cyber security is simply an IT responsibility or something that can be addressed only after an incident occurs.
Additionally, trustees themselves can be a further point of vulnerability. They’re frequently targeted through phishing and their access to board papers, financial information and governance documents, often through multiple devices, from differing locations and with the absence of multi-factor authentication, all increase the potential weak points for attackers to exploit.
The simple reality is that, until now at least, cyber security is unlikely to have received the strategic attention or corresponding investment that it deserves.
The good news, however, is that none of this needs to be terminal, and there are several simple steps that charity boards can take to reduce cyber risks:
- Keep all malware protection and security software up to date
- Employ strong password hygiene that demands unique passwords for each account, regular updates and non-identifiable passwords
- Enable multi-factor authentication wherever possible
- Limit administrator access to only those for who it is necessary
- Embed regular cyber awareness training throughout the organisation so that phishing attempts and emerging threats are better recognised
- Prepare for the possibility of an incident through scenario planning, tested response arrangements, business continuity planning and appropriate cyber insurance cover
Charity boards must lead by example and ensure that each of these steps is viewed as non-negotiable at every level of the organisation. That means placing appropriate emphasis on people controls, such as training and simulations, alongside IT controls, while also seeking assurance that these are at least replicated in their suppliers’ security practices too.
Importantly, cyber security should not be treated as a one-off exercise or annual compliance task. Like financial management, safeguarding or health and safety, it requires ongoing oversight. Boards should receive regular reporting on cyber risks, incidents and mitigation activities, and ensure cyber risk is included within the organisation’s wider risk management framework.
Ultimately, trustees have a duty to protect the charity’s assets, reputation and beneficiaries. In today’s digital environment, that responsibility extends to cyber security. By treating cyber risk as a governance priority rather than simply an IT issue, boards can help build resilience, strengthen stakeholder confidence and ensure their organisations are better prepared for an increasingly complex threat landscape.