There is a version of this conversation that comes up a lot with charity leaders. It tends to go something like: “We are a small housing charity. We do not have anything worth stealing.” And they are wrong, in a specific and provable way. Cyber security for charities is more important than ever.
Nearly a third of UK charities reported a cyber attack or breach in the past year, according to the government’s Cyber Security Breaches Survey 2025. For charities with an income over half a million pounds, the figure is considerably higher. Charities are not being targeted despite what they do. In many cases, they are being targeted partly because of it.
Attackers look for two things: valuable data and limited defences. Charities reliably offer both.
The data charities hold is worth real money to criminals. Donor records include personal details, email addresses, and payment information. Beneficiary files contain sensitive personal and health data. Grant management systems hold banking details. All of it trades in identity fraud and financial crime markets. The belief that only corporate targets are worth pursuing is outdated thinking that costs charities every year.
The capacity problem compounds it. A stretched team focused on delivering services rather than managing technology is less likely to have the monitoring, update processes, and access controls in place that a commercial business prioritises. Attackers know this. Phishing emails targeting charity staff have become more specific and sector-aware because the sector has proven worth targeting.
Phishing and impersonation. The most common attack by some distance. Effective in charities because staff receive legitimate contact from a wide range of external sources. A convincing impersonation of a known grant body, partner organisation, or regular supplier is often enough to trigger a fraudulent payment or expose login credentials.
Ransomware. Encrypts your data and holds it until payment is made. For a charity that cannot access its records, systems, or communications, the pressure to pay is significant and the disruption is immediate. Some charities have been unable to operate for weeks. Where backups were inadequate, data loss was permanent.
Business email compromise. An attacker gains access to a legitimate email account and uses it to redirect payments, intercept communications, or build intelligence for further attacks. Finance and leadership are the primary targets. It often goes undetected longer than phishing because the messages arrive from a trusted, real address.
Not as a legal requirement, but the practical case is strong. A growing number of government grant programmes and public sector contracts require Cyber Essentials certification as a condition of award. Not holding it may already be excluding your charity from funding it is entitled to. Beyond that, the five technical controls the certification covers protect against the vast majority of common attacks. It also signals to donors, beneficiaries, and partners that your organisation takes data responsibilities seriously. That matters more than it used to. Our IT services for charities go beyond day-to-day support. We work with charities through the Cyber Essentials process and handle the gap remediation so certification lands first time rather than being delayed by issues that could have been caught earlier.
You do not need a large budget to meaningfully improve your position. The most effective actions tend to be the most basic:
If you are not sure where the gaps are, a cybersecurity review is the right starting point. Lift Off IT offers a free IT review for charities that gives you an honest assessment of your current position without any obligation attached. We will identify your risks and tell you exactly what we would recommend. Contact us to get started.