
By DI Dan Giannasi, head of cyber and innovation at the North West Cyber Resilience Centre

published on 2025-01-28 09:49:38 UTC by Carolyn Hughes


Charities and not-for-profit organisations are very vulnerable to cyber attacks for multiple reasons. The Government's Cyber Security Breaches Survey 2024 found that a third of all charities had experienced a cyber security breach or attack in the previous 12 months. 


By far the most common attack is phishing, with 83% of charities stating that they had experienced a phishing attack. This is followed by others impersonating organisations (37% of charities), and 14% of charities have experienced malware or other viruses.


Charities are often specifically targeted by cyber criminals, attempting to take advantage of their large amounts of data, which includes financial information, as well as the knowledge that charities don’t always have the budgets to keep their tech up to date, making them much more vulnerable to attack. 


On top of this, charities often have part-time employees and also work with a lot of volunteers, who may be using their own devices for charity work, which may not be kept up to date, or some of whom don’t understand the severe threats around phishing and other fraud. 


The result of any cyber attack can also have a huge long-lasting effect on a charity or not-for-profit organisation, which could result in loss of trust from donors and supporters. 


Our cyber experts tell us that cyber breach and cyber attack statistics are likely to increase over the next few years. One reason for this is the very swift advancements made in generative AI over the past few years. Sadly, this has helped cyber attackers to create much more convincing phishing emails and communications, as well as helping them to launch much larger scale attacks against multiple charities and individuals.


Government research also shows that only half of charities had implemented basic levels of cyber hygiene, only 26% of charities have undertaken cyber security risk assessments over the past year, and only 9% of charities have reviewed the risks taken by their suppliers. On top of that, only 34% of charities have taken out cyber security insurance.


So how can charities stay safe against this growing threat of cyber attacks? It’s really important that managers and the board take these threats very seriously and put into place policies that apply to all employees and volunteers. 


Below, we have collated our advice to ensure these basic levels of cyber hygiene are adhered to: 


Our top advice for charities to stay protected against cyber attackers is: 


1. Have robust password policies

It’s really important to ensure that all employees and volunteers understand how to create a safe and secure password. They also need to understand that passwords should not be shared or written down anywhere to ensure they are kept safe. 


The NCSC recommends using ‘three random words’ which will create a unique and safe password. 


2. Restricted admin rights

This is really important within charities, working with extended teams of volunteers. Ensure that you are always up to date with who has access to which accounts, and restrict access strictly based on needs. On top of this, remove access immediately whenever a volunteer or employee no longer works for the charity. 


3. Cloud back up

Ensure you always have a cloud back up for all of your data, which is updated regularly. Any charity or organisation would be unable to function or run day to day operations if they lost their data, which includes donors and donations; marketing data; financial data or any other operational data. 


4. Agreed processes for phishing emails 

Phishing emails (and other messages) are so common, and although they are usually caught by your email provider’s spam filter, some of the more convincing emails do get through. When someone you know has been attacked, the email may even come from their real email address, but contain a dodgy link.


It’s essential to make sure that all employees and volunteers have training around how to spot phishing and what to do if they have accidentally clicked on a malware link in a phishing email, social media post or other type of message.


5. Supply chain 

Charities need to ensure that their supply chain is also taking precautions around cyber security. Many cyber attacks can begin at a smaller organisation or supplier, in order to target a larger organisation in the long term.

 

6. Keep all software up to date

It’s also essential to keep all software up to date, as otherwise this can create vulnerabilities for cyber hackers to gain entry into your networks. This includes all computers and laptops, tablets and mobile phones. It’s useful to send regular reminders to employees, and volunteers where necessary, to make sure they keep their devices' software completely up to date. 


7. Bring your own device policy

If your charity does work with a lot of volunteers, it’s really important to have a ‘bring your own device’ policy, which covers cyber security, and ensure that the policy is updated every year.



Remember that all cyber breaches or cyber attacks should be reported to Action Fraud.


The NWCRC is a police-backed organisation which offers free guidance and advice to charities. Contact us for affordable and low cost training specifically for employees or volunteers in charities.





https://www.nwcrc.co.uk/post/by-di-dan-giannasi-head-of-cyber-and-innovation-at-the-north-west-cyber-resilience-centre   
Published: 2025 01 28 09:49:38
Received: 2025 01 28 10:02:00
Feed: North West Cyber Resilience Centre
Source: National Cyber Resilience Centre Group
Category: News
Topic: Cyber Security