The importance of cyber security for the not-for-profit sector

In today’s digital world, cyber security is no longer a luxury for organisations—it's a necessity. For not-for-profit organisations and charities, the stakes are even higher. Trusted with sensitive data, these organisations are prime targets for cyber attacks. In fact, research shows that the sector is disproportionately affected by cybercrime, with consequences that can be financially crippling and damaging to an organisation’s reputation.

The Charity Commission revealed it opened almost 100 cases relating to cyber crime in the last year and a further 600 relating to fraud, with phishing attempts identified as the most common type of cyber enabled fraud experienced by charities. The regulator recently published updated guidance to help charities reduce the risk of cyber crime and fraud taking place. It says fraud in the sector is often underreported and is also encouraging trustees to report any incidents they experience, even those that failed.

Why cyber security matters for not-for-profits and charities

Not-for-profits and charities often handle large volumes of personal information, from donor details to sensitive client data, making them prime targets for cybercriminals. Moreover, their generally lower levels of funding and resources can mean they are more vulnerable to attacks. Yet, the potential damage from a cyber attack for these organisations is significant, not only in terms of financial loss but also in undermining trust from donors, clients and the public.

With limited IT budgets, not-for-profits and charities often face challenges in implementing comprehensive cyber security measures, leaving them open to risk.

Cyber security statistics highlight growing threat

Recent statistics from the UK Government’s Cyber Security Breaches Survey (2024) highlight the growing cyber risks faced by the sector:

• 32% of charities reported experiencing a cyber attack or security breach in the last 12 months, with many noting the attacks were successful and caused disruption to operations.
• 94% of charities targeted experienced a phishing attack.
• The average cost of a cyber attack for a charity is estimated at between £460 to £9470, depending on the source—a significant amount for organisations with limited budgets.

These statistics illustrate the pressing need for cyber security measures in charitable organisations, not just to protect their own assets, but to safeguard the trust and support of their donors and stakeholders.

Cybersecurity risks facing charities

Donor and client data protection: Charities store vast amounts of personal data about their donors, clients and beneficiaries. A data breach could lead to sensitive personal details being exposed, leading to significant reputational damage and regulatory penalties under the GDPR.

Ransomware attacks: The sector is often seen as a "soft target" by cybercriminals. A ransomware attack can freeze access to vital data, including financial records and donor information, disrupting operations and potentially halting charitable activities.

Phishing and fraud: Phishing attacks trick staff into clicking malicious links or sharing login credentials, giving cybercriminals access to the charity’s internal systems. Fraudulent schemes, such as impersonating senior staff or donors, are also on the rise, often resulting in financial loss.

Lack of resources and awareness: Many charities lack the resources or in-house expertise to implement effective cybersecurity practices, leaving them vulnerable. Additionally, staff may not be adequately trained on the risks of cyber threats like phishing or how to respond to a potential data breach.

Regulatory compliance and cyber security

In addition to safeguarding against cyber threats, charities must also comply with various cyber security regulations:

• General Data Protection Regulation (GDPR): Charities are required to protect personal data and report data breaches within 72 hours. Failure to comply can result in significant fines and reputational damage.
• Charity Commission guidance: The Charity Commission has published cyber security guidelines for charities, which outline basic steps to mitigate cyber security risks.

Cyber security solutions for charities

For charities and not-for-profits, the consequences of a cyberattack are far-reaching, impacting not only operations but also trust, funding and public perception. With the right cyber security measures in place, charities can continue their valuable work without the constant worry of cyber threats.

To protect themselves and maintain the trust of their supporters, not-for-profit organisations need to adopt robust cyber security practices.

We offer a wide range of cyber security services from employee training, phishing simulation, dark web monitoring, to Cyber Essentials certification support. If you’re a charity or not-for-profit organisation looking to secure your systems, data, and reputation, don’t wait until it’s too late.