Charities and non-profit organisations (NPOs) continue to be prime targets for cybercriminals because they handle sensitive personal data, process online donations, and often operate with limited IT resources and a distributed workforce.
In the UK alone, 14% of charities experienced cybercrime within the past year, with phishing accounting for 95% of charity-related cyber incidents. The Home Office estimated over 450,000 cybercrimes against UK charities during the reporting period.
At a broader level, incidents of ransomware and data breaches have increased significantly, transforming cyber risk from an IT issue into a board-level concern across all sectors — including charities.
This article consolidates the latest data, best practices, and practical frameworks to help non-profits strengthen their cybersecurity posture without heavy financial burden.
The Threat Picture
- Phishing Dominates – 95% of charity-related cyber incidents stem from phishing emails or spoofed domains.
- Ransomware on the Rise – Though less frequent in smaller charities, ransomware incidents are growing industry-wide, often arriving through shared cloud or vendor systems.
- High Frequency, Low Preparedness – Victimised charities experienced an average of 16 cyber incidents annually, revealing repeat targeting and insufficient preventive controls.
- Cost of Incidents – The global average recovery cost per cyber incident now exceeds $1.5 million; smaller charities face smaller but still devastating losses.
- Leadership Accountability – Regulators and national cybersecurity centres now classify cybersecurity as a governance and resilience responsibility, not just a technical one.
Regulatory & Reporting Duties (UK Focus)
- Serious Incident Reporting: A cyber attack that leads to major data loss, service disruption, or fraud must be reported to the Charity Commission.
- Data Protection Enforcement: The ICO (Information Commissioner’s Office) continues to fine organisations for inadequate data protection, emphasising accountability and evidence of security measures.
- Payment Security: Charities processing online donations must comply with PCI DSS (Payment Card Industry Data Security Standard) requirements, which cover multi-factor authentication, secure coding, and script integrity for donation forms.
Why Charities Are Targeted
- High Trust, High Value Data: Donor, volunteer, and beneficiary data can be highly sensitive.
- Distributed Workforce: Staff, trustees, and volunteers often use personal devices and networks.
- Legacy IT Systems: Outdated software and unpatched systems increase vulnerability.
- Public Reputation: Attackers exploit the high trust and emotional connection between charities and donors.
Eight Essential Security Measures
1. Enforce Multi-Factor Authentication (MFA)
Over 99% of compromised accounts lack MFA. Use app-based or FIDO key methods, not SMS, for best protection.
2. Secure Email and Domains (SPF, DKIM, DMARC)
Implement DMARC with a “reject” policy to block domain spoofing, which remains one of the most common attack tactics against charities.
3. Keep Systems Updated
Ensure automatic updates for operating systems, browsers, and software to fix vulnerabilities within 14 days of discovery.
4. Backup and Test Regularly
Maintain 3-2-1 backups (three copies, on two different media, one of them offsite) and perform quarterly restore tests.
5. Limit Privileged Access
Restrict administrator privileges and implement role-based access to protect critical systems.
6. Deploy Endpoint Detection & Response (EDR)
Even cost-effective EDR tools can detect suspicious behaviour early and reduce response times.
7. Secure Your Supply Chain
Vet all vendors (fundraising, email, CRM, payments) for compliance with cybersecurity standards such as ISO 27001, SOC 2, or PCI DSS.
8. Train and Test Staff
Provide regular micro-training and simulated phishing exercises for staff and volunteers.
A 90-Day Cyber Readiness Roadmap
Weeks 1–2:
- Enable MFA across all systems.
- Disable legacy authentication.
- Review and clean up old user accounts.
Weeks 3–6:
- Strengthen backups with immutability and test restore procedures.
- Deploy SPF, DKIM, and DMARC at “p=none” to start gathering aggregate report data.
- Install EDR software across endpoints.
Weeks 7–10:
- Move DMARC to “p=reject” once the reports show that all legitimate senders are aligned.
- Implement role-based access controls.
- Compile a vendor security register.
Weeks 11–13:
- Develop a one-page Incident Response Plan.
- Conduct tabletop cyber drills for phishing or ransomware scenarios.
- Establish a quarterly board-level cyber risk review.
One-Page Incident Response Plan
- Detect & Contain: Isolate affected systems, reset credentials, revoke access tokens.
- Assess: Identify what data and systems are impacted.
- Escalate: Activate predefined response roles and responsibilities.
- Report: Notify the Charity Commission, ICO, and law enforcement as required.
- Communicate: Inform staff, donors, and partners promptly and transparently.
- Recover: Restore data from backups and verify integrity.
- Review: Conduct a post-incident audit and update procedures.
Payment and Donation Security
- Use redirected or hosted payment gateways certified under PCI DSS.
- Implement Content Security Policy (CSP) and Subresource Integrity (SRI) for web donation forms.
- Conduct regular vulnerability scans and penetration tests.
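Subresource Integrity is the control behind the “script integrity for donation forms” requirement above. As an added example (not code from the article or from ICCSO), the following computes SRI integrity values, verifies script content against them the way a browser does, and runs a simple monitoring check over a donation page to flag scripts that have changed or carry no integrity attribute. The page markup, script bodies, and URLs are constructed for illustration.

```python
import base64
import hashlib
import re

SRI_ALGOS = ("sha256", "sha384", "sha512")  # algorithms SRI allows, weakest to strongest

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Compute the integrity attribute value for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_sri(content: bytes, integrity: str) -> bool:
    """Verify content against an integrity attribute (space-separated algo-hash tokens).
    As browsers do, only the strongest algorithm present counts; any of its hashes may match."""
    tokens = [t for t in integrity.split() if t.split("-", 1)[0] in SRI_ALGOS and "-" in t]
    if not tokens:
        return False
    strongest = max(tokens, key=lambda t: SRI_ALGOS.index(t.split("-", 1)[0])).split("-", 1)[0]
    return any(t == sri_hash(content, strongest) for t in tokens if t.startswith(strongest + "-"))

SCRIPT_TAG = re.compile(r'<script\b[^>]*\bsrc="([^"]+)"[^>]*>', re.I)
INTEGRITY_ATTR = re.compile(r'\bintegrity="([^"]+)"', re.I)

def check_page_scripts(html: str, served: dict) -> dict:
    """For each external <script> on a page, report 'ok', 'mismatch', 'no-integrity' or
    'unavailable', given a mapping of script URL -> bytes a monitoring job actually fetched."""
    results = {}
    for m in SCRIPT_TAG.finditer(html):
        tag, src = m.group(0), m.group(1)
        attr = INTEGRITY_ATTR.search(tag)
        if attr is None:
            results[src] = "no-integrity"
        elif src not in served:
            results[src] = "unavailable"
        else:
            results[src] = "ok" if verify_sri(served[src], attr.group(1)) else "mismatch"
    return results

# Constructed sample (hypothetical): the approved donation script and a copy changed after deployment.
APPROVED_SCRIPT = b"document.getElementById('donate').addEventListener('submit', validateAmount);"
MODIFIED_SCRIPT = APPROVED_SCRIPT + b"\n/* unauthorised change inserted after deployment */"
DONATION_PAGE = f"""
<script src="/static/donate.js" integrity="{sri_hash(APPROVED_SCRIPT)}" crossorigin="anonymous"></script>
<script src="https://gateway.example/checkout.js"></script>
"""
# What the monitoring job fetched: donate.js was modified; checkout.js carries no integrity attribute.
SERVED = {"/static/donate.js": MODIFIED_SCRIPT, "https://gateway.example/checkout.js": b"/* gateway */"}

def run_check() -> dict:
    return check_page_scripts(DONATION_PAGE, SERVED)
```

A script reported as "mismatch" is exactly what a browser with SRI would refuse to execute; "no-integrity" scripts are the ones a CSP with a restrictive script-src is the remaining protection for.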
Board-Level Oversight Metrics
- % of users with MFA enabled.
- Time to patch critical vulnerabilities.
- Backup restore success rate.
- Phishing simulation click rate.
- % of suppliers with valid cybersecurity certifications.
- Number and type of incidents reported to regulators.
Common Pitfalls in the Charity Sector
- Believing “we’re too small to be attacked.”
- Overreliance on third-party vendors without verification.
- Unclear ownership of cybersecurity governance.
- Poor email domain protection (no DMARC enforcement).
- Outdated backup systems that fail during incidents.
Free Resources
- NCSC Small Charity Guide – Practical step-by-step guidance for charities.
- GOV.UK: Protect Your Charity from Cybercrime – Official UK government resource.
- Verizon Data Breach Investigations Report (DBIR) – Annual global cyber trends.
- PCI Security Standards Council (PCI SSC) – Compliance and payment protection resources.
- Microsoft Security Blog – Identity protection and MFA deployment best practices.
ICCSO’s Top 10 Recommended Controls
- Multi-factor authentication everywhere.
- Block legacy authentication.
- Enable automatic patching.
- Deploy endpoint detection and response.
- Implement DMARC with “reject” policy.
- Maintain tested, immutable backups.
- Limit administrative privileges.
- Require supplier compliance and attestations.
- Establish an incident response plan and testing cycle.
- Track board-level cyber KPIs quarterly.
Conclusion
Cybersecurity in the non-profit sector is no longer optional—it’s essential for trust, continuity, and compliance. The majority of attacks remain preventable with simple, affordable measures.
Charities that implement MFA, proper email authentication, tested backups, and clear governance can dramatically reduce their exposure to financial loss and reputational damage.
Cyber resilience is not about spending more; it’s about focusing on what truly matters most.
Sources
- UK Government – Department for Science, Innovation and Technology: Cyber Security Breaches Survey (Charities)
- National Cyber Security Centre (NCSC): Small Charity Guide
- Information Commissioner’s Office (ICO): Enforcement Actions and Guidance
- Charity Commission for England and Wales: Serious Incident Reporting Guidance
- Sophos: State of Ransomware Report
- Verizon: Data Breach Investigations Report (DBIR)
- PCI Security Standards Council: PCI DSS v4.0 Summary of Changes
- Microsoft Security Blog: Impact of MFA on Account Security
Note:
This article is published by the International Consortium for Cyber Security Operations (ICCSO) to provide educational and informative insights for the non-profit sector. It aims to raise awareness and encourage better cybersecurity governance across charitable and voluntary organisations worldwide.