Cybersecurity

Most charities rely on digital tools every day – email, databases, online banking, fundraising platforms and cloud storage. Cybersecurity is about protecting these systems, devices and the sensitive information they contain from unauthorised access, fraud or disruption.

Keeping your charity’s online information safe does not have to be complicated. The steps you take should be proportionate to the size of your organisation and the type of data you hold. A small charity with a few staff or volunteers will not need the same systems as a large organisation, but every charity should take some basic precautions.

Cyber attacks are increasingly common and charities can be attractive targets because they hold personal information about beneficiaries, donors and volunteers. Good cybersecurity helps protect your organisation and the people you support.

How Cyber Attacks Happen

Cyber attacks are often simpler than people expect and frequently rely on human error rather than complex hacking.

Common risks for charities include:

Phishing emails
Messages that appear to come from a trusted source (such as a bank, supplier, trustee or colleague) but are designed to trick someone into revealing passwords or clicking harmful links.

Impersonation
Fraudsters sometimes pose as a chair, treasurer or senior staff member asking for an urgent payment or gift card purchase.

Weak or reused passwords
Using the same password across multiple systems means that if one account is compromised, others may also be accessed.

Lost or unsecured devices
Laptops or phones containing sensitive information can expose data if they are not protected.

Even a simple mistake – clicking a link or sharing login details – can give attackers access to systems.

Why Cybersecurity Matters

A cyber attack can have serious consequences for a charity, including:

  • Loss of sensitive data about beneficiaries, donors or staff

  • Financial loss or fraudulent payments

  • Disruption to services and operations

  • Damage to trust and reputation

  • Possible data protection issues

For many charities, trust is one of their most valuable assets. Taking sensible precautions helps protect your organisation and the people who rely on it.

Practical Steps Charities Can Take

Improving cybersecurity does not need to be expensive or technical. A few simple practices can significantly reduce risk.

Use strong, unique passwords
Avoid reusing passwords and consider using a password manager.

Enable two-factor authentication (2FA)
This adds an extra layer of security by requiring a second verification step.

Keep devices and software updated
Regular updates fix known security weaknesses.

Back up important data
Store backups securely and check they work.

Train staff and volunteers
Basic awareness can prevent many attacks.

Limit access to sensitive information
Only give system access to people who need it.

Have a simple response plan
Know what steps to take and who to contact if something goes wrong.

Free Cybersecurity Training

The National Cyber Security Centre offers free online training and a toolkit designed for organisations such as charities and small businesses.

Testing Your Response to an Attack

The National Cyber Security Centre also provides a free tool called Exercise in a Box.

This allows organisations to run simple practice scenarios such as phishing attacks or ransomware incidents. It helps teams think through what they would do in a real situation and improve their response planning.

Cybersecurity Frameworks and Guidance

The IASME Consortium provides practical frameworks to help organisations improve their cybersecurity.

One example is Cyber Essentials, a UK government-backed certification scheme that helps organisations put in place basic protections against common cyber threats. Even if your charity does not pursue certification, the framework provides a useful checklist of good practice.