This blog was written by Intergence Systems who are a valued Cyber Essentials Partner of the ECRC.

The charity sector, driven by compassion and a mission to serve, faces an increasingly hostile cyber landscape.

While charities collect and manage sensitive data – from donor details and financial records to beneficiary information – their often-limited resources and technical expertise make them attractive targets for cybercriminals. The statistics are stark: UK charities have already experienced an estimated 924,000 cybercrimes in the past year, encompassing a wide range of attacks. And the situation is set to deteriorate further in 2025.

A Sector Under Siege

Currently, 32% of UK charities have reported a cyber security breach or attack in the last 12 months. These attacks aren't just a minor inconvenience; 38% of them directly impacted service delivery, with 19% leading to negative outcomes for those the charity serves. Alarmingly, despite these threats, only 26% of charities have conducted cyber security risk assessments in 2023, highlighting a significant gap in preparedness. This lack of proactive assessment, combined with the increasing sophistication of cyber attacks, paints a worrying picture for the future.

Why 2025 Will Be Worse?

Several converging factors point to an escalation of the cyber threat to charities in 2025:

• AI-Powered Attacks: The rise of readily available AI tools will dramatically lower the barrier to entry for cybercriminals. Sophisticated phishing campaigns, malware, and even ransomware attacks will become easier to generate and deploy, making it harder for charities to defend themselves. AI can personalise attacks at scale, making them more convincing and increasing the likelihood of success.

• Geopolitical Instability: Global tensions and conflicts often spill over into the cyber realm. Charities, particularly those working in sensitive areas or with international partners, may become collateral targets in state-sponsored or hacktivist attacks. Disinformation campaigns targeting a charity's reputation could also become more prevalent.

• Increased Regulatory Scrutiny: As data protection regulations tighten, the financial and reputational penalties for data breaches will increase. Charities that fail to invest in robust cybersecurity will face not only the direct costs of an attack but also potentially crippling fines and legal action. The pressure to comply, especially with limited resources, will be immense.

• The Evolving Threat Landscape: Cybercriminals constantly adapt their tactics. New attack vectors emerge, and existing ones are refined. Charities must not only defend against known threats like phishing and ransomware but also anticipate and prepare for emerging threats. This requires continuous learning and investment in cybersecurity infrastructure, which many charities struggle to afford.

• Economic Pressures: The ongoing economic downturn will likely exacerbate the problem. Charities are already facing funding cuts and increased demand for their services. This financial strain may force them to further reduce spending on non-essentials, including cybersecurity, making them even more vulnerable.

The Familiar Foes - Phishing, Data Breaches, and More

While new threats emerge, the familiar ones persist and evolve:

• Phishing: Still the most prevalent threat, phishing attacks will become even more sophisticated with the use of AI, making them harder to detect.

• Data Breaches: The sensitive data held by charities makes them prime targets. Breaches can lead to financial losses, reputational damage, and regulatory fines.

• Ransomware: Ransomware attacks continue to cripple organisations, and charities are no exception. The increasing use of double extortion (stealing data before encrypting it) puts even more pressure on victims to pay the ransom.

• Supply Chain Attacks: As charities rely more on third-party vendors, their supply chains become a potential weak link. Attackers can target smaller vendors to gain access to the charity's systems.

• Insider Threats: Whether malicious or accidental, insider threats remain a concern. Proper training and access controls are essential to mitigate this risk.

The Path Forward - Fortifying the Sector

Charities must take proactive steps to bolster their cybersecurity posture:

• Prioritise Cybersecurity: Cybersecurity should be a strategic priority, not an afterthought. Boards and leadership teams must understand the risks and allocate adequate resources to protect their organisations.

• Invest in Training: Regular cybersecurity training for all staff and volunteers is crucial. People are often the weakest link, and training can help them recognise and avoid common threats like phishing.

• Implement Strong Security Measures: Multi-factor authentication, strong passwords, regular software updates, and robust backup systems are essential.

• Conduct Regular Risk Assessments: Regularly assess vulnerabilities and identify areas for improvement.

• Develop Incident Response Plans: Have a plan in place to deal with a cyberattack. This will help minimise damage and ensure a swift recovery.

• Collaborate and Share Information: Share information about cyber threats with other charities and collaborate on best practices.

• Seek Expert Help: Don't hesitate to seek help from cybersecurity experts. They can provide guidance and support in navigating the complex cyber landscape.

About Intergence Systems Ltd

Intergence Systems Ltd is a leading technology consultancy and IT managed services provider, who solve complex digital and operational challenges with innovative, outcome-based solutions. We offer advanced cybersecurity solutions, including Managed Detection and Response that comes with £1 million cyber insurance, and they also offer a free security assessment, to help protect and strengthen your IT infrastructure against evolving threats.

Our digital change consulting team offer technical and business advisory services to support organisations at each stage of their digital journey, from formulating digital strategy, through to benefits realisation.Our managed services are powered by our data operations service, Stratiam. Headquartered in Cambridge, UK, we serve a global client base across various industries, delivering measurable results and building upon valued, long-term partnerships.

For more information, visit www.intergence.com or book some time with them here.

How the ECRC can help?

Joining the ECRC as a free member ensures that your organisation is supported in making the small changes that make the biggest difference. Becoming a free member means you will receive regular communications via email, which will drip feed you ways in which you can improve your cyber resilience without costing any money.

The ECRC website also contains several links to helpful National Cyber Security Centre (NCSC) resources, which are all free, up-to-date, and easy to use. Tools such as Exercise in a Box and the NCSC Cyber Action Plan are particularly useful in terms of identifying areas where you could improve your cybersecurity. They also have many informative guides that are sector specific, which will give you useful and detailed information.

If you would like more information about how the ECRC can help your organisation specifically, please book a chat with us today.

Reporting a live cyber-attack 24/7:

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.

Reporting a cyber-attack which is not ongoing:

Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)