top of page

How charities can keep themselves safe online

Disappointingly, and perhaps only somewhat surprisingly, charities are the victims of cyber-attacks almost as frequently as commercial businesses. In fact, according to the Cyber Security Breaches Survey 2021, 26% of charities reported they had a cyber breach in the last six months. As there are currently 169,000 registered charities in the UK, there is the potential for cyber-attacks to happen to a large number of charities (and their Trustees).

Why are charities at risk?

There are a few reasons charities are at risk, and are often targeted, by cyber-criminals.

Used to access ‘bigger fish’ such as a local authority or corporation

  • Many charities are now fulfilling roles which were previously done by the government, local authorities or larger companies. It’s likely that the charity will need to share systems with the ‘bigger fish’ to carry out these roles and a cyber attacker could use the charity as a route in; causing significant damage.

Charities hold funds, personal, financial and commercial data

  • Funds and data have a financial value to a cyber-criminal, whether used to attack another person or sell on to other criminal entities.

  • While most small charities won’t hold a lot of funds, cyber attackers approach most things with a cost vs benefit analysis. If they can get a quick win and get £1,000 from a poorly protected organisation, it’s probably still worth their while. If you put in place some secure protection, it’ll add a layer of protection that could be the difference between being an easy target or one that is too time/cost-consuming to be worthwhile to criminals.

  • Charities become an easy target for cyber criminals and attackers as the levels of security protecting the funds and data are typically low or flawed.

Low levels of awareness, particularly amongst smaller charities

  • The NCSC’s assessment conducted in 2018 found that there were low levels of awareness, particularly amongst smaller charities that do not perceive themselves as a target; or even holding anything of value to an attacker. While the NCSC has not yet repeated their assessment, they have recently reviewed and updated their Small Charity Guide. Within this, they highlight the same concerns regarding low levels of awareness along with some important, yet simple, steps you can take to tackle it.

Culture of trust

  • To achieve their goals, charities must be open, transparent and trusting of beneficiaries and the public. How often have you had someone call or email a charity and offer to give them money, no strings attached? Plenty of times, I’m sure! This would never happen in a business, because everything is a commodity, which means that charities, by their very nature, are potentially open to having their trust exploited by criminals.

It's not just about the money

As well as the potential financial cost, lost earnings, and data, the reputational impact of a cyber incident can be severe to a charity. As a consequence, they may well need legal support, technical help with managing the internal and external response to the incident, and reputational management.

Consider the people the charity supports and the potential consequences of that data being in the wrong hands. Let’s consider the example of a successful cyber-attack at a domestic abuse charity, in which stolen data may be used to identify a victim. The victim may then have to move for their safety, which could include children having to move schools, causing further distress and disruption to them. The stolen data may also identify volunteers or employees of the charity, which also puts them at risk (if a perpetrator believes that they are responsible for keeping their loved ones from them).

Of course, not all risk to individuals exposed during a data breach is life-threatening but it’s still important. For example, consider donors to your charity: their personal and/or financial information could be stolen, which could cause disruption and harm to them.

What can charities do to protect themselves against cybercrime?

Firstly, educate everyone in your organisation. We can’t emphasise just how important this is given that anywhere from 82% to 95% of all successful cyber-attacks are due to human error. Training against cyber-attacks is the best way to fight against cybercrime after strengthening the general cyber-security of the charity.

Important lessons for keeping cyber-secure:

  • Examine the sender of any email: check that the recipient is real, and that any URL directs you to a safe page. Often URLs prompting for login details are fake.

  • Keep your password to yourself: It is extremely rare that your IT department (or anyone else) will ask for your password via email.

  • Think before you click: Cyber criminals will try and prompt a fast response, so think twice before you click on any link.

  • Report it: If you are uncertain about an email, report it. Your IT department should have protocols in place for detecting and deleting suspicious emails.

Secondly, consider obtaining Cyber Essentials Plus. This is a simple and effective Government-backed scheme, supported by industry experts and the Cyber Resilience Centre Network, that will help you put measures in place to protect your organisation, regardless of size or sector, against a range of the most common cyber-attacks. This includes protecting against threats such as malware, ransomware and phishing.

We can signpost you to one of our trusted partners, who can help you through the process of gaining the Cyber Essentials Plus certification. They are all official providers, registered with the recognised Industry body, IASME, and based locally within the West Midlands. This ensures that you’ll be able to receive high-quality and reliable support in securing the certification. [mi3]

If you’d like to find out more about protecting your charity against the rising threats of cybercrime, or Cyber Essentials, contact us today.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page