Cyberattacks on charities are rising – seven steps brokers should share with their clients

Cyber risks to charities are growing, and simple steps can greatly reduce vulnerabilities.


A staff member at a small West Midlands hospice receives what looks like a routine email from Microsoft, asking them to reset their password. They follow the link and oblige. An hour later, another message lands, this time asking for the original password to confirm the change. Again, they comply.

The next day, donors begin reporting suspicious emails from the hospice. The Microsoft email was a phishing scam, and the staff member’s inbox has been compromised. Thousands of sensitive records and payment details are put at risk.

The cost of managing the breach in this real-world case, shared in a National Cyber Security Centre (NCSC) report, was put at an estimated £17,000, on top of the reputational damage that came with it.

And it highlights a harsh reality: the critical and compassionate work of charities offers no protection from cybercrime. In fact, the Government’s latest Cyber Security Breaches Survey shows around a third (32%) of UK charities suffered a breach or attack in the past year. For those with income over £500,000, that figure jumps to 66%. The NCSC describes charities as “attractive targets” for cyber criminals.

So, how can the third sector stay protected, even with limited tech budgets and busy teams? Here are seven tips brokers can share with charity clients.


1. Back up what matters most

Identify critical data, such as donor records, beneficiary information and finance files, and back it up regularly. Keep at least one copy separate (for example in the cloud or on an external drive). Test your ability to restore it. The NCSC says reliable backups are the best defence against ransomware.


2. Turn on multi-factor authentication (MFA)

Government data found phishing is still the top attack method affecting charities (83% of incidents), as in the case of the West Midlands hospice. MFA stops most account takeovers in their tracks, even if a password is stolen. Charities can enable it on email, cloud storage and fundraising platforms.


3. Train staff and volunteers

People remain both the weakest and strongest link. Short, scenario-based training on spotting phishing emails, verifying payment requests, and reporting suspicious activity makes a huge difference. Make reporting easy and judgement-free – mistakes caught early are easiest to fix.


4. Protect devices and systems

Keep software updated, use antivirus protection and apply patches promptly. The NCSC’s Small Charity Guide also advises turning on automatic updates and limiting admin privileges to reduce exposure.


5. Check the charity’s online footprint

Suggest free tools such as the NCSC’s Mail Check and Web Check to scan email domains and websites for vulnerabilities or spoofing risks. These quick audits help prevent attackers impersonating charities to target donors.


6. Plan for the worst-case scenario

Have a simple incident response plan: who to call, how to isolate systems, and how to contact trustees, regulators, and affected individuals. Run a short “tabletop” rehearsal annually.


7. Review your insurance cover

Only a third of UK charities currently have cyber insurance, according to the Government’s latest data. The right policy can give immediate access to forensic experts, PR support, and legal advice if a breach occurs, as well as financial protection.


Defending against an attack is critical, but so is having the means to minimise loss and damage should an attack succeed. Specialist cyber insurance policies offer policyholders a combination of incident management and access to legal and PR experts, as well as cover for costs such as those caused by business interruption or data issues.

An effective insurance policy will help charities, not-for-profits and care organisations to respond to cyber incidents and boost the confidence of the other parties they provide services for.


A flexible solution for the risks faced by not-for-profits

Charities Combined is a specialist insurance solution built to serve the needs of smaller charities and community groups with up to £2m turnover. Coverage options include cyber and data risks, liabilities, and protection of assets, and it’s available to eTrade on Acturis today.

