Hackers love charities: How to avoid being an easy target
Charities work tirelessly to support those in need by delivering emergency aid, offering information, and raising awareness. Behind the scenes, communication is crucial to ensure that help reaches those who rely on it.
Now, imagine your charity’s communication systems suddenly failing. At first, it may seem like a glitch, but when quick fixes fail, you slowly realise what's happened. You’ve been targeted by hackers. Before you know it, hackers have gained access to your sensitive information.
Understanding why cybercriminals choose charities is the first step to avoiding those situations and proactively protecting what is important to you.
Table of contents
- Why cybercriminals target charities
- Why IT support for charities is vital to resilient services
- The ripple effect of a cyber attack
- Charities’ first line of defence: the UK NCSC’s Cyber Essentials
- How does Cyber Essentials benefit charities?
- How to get started and protect your charity today
Why cybercriminals target charities
Charities help some of the most vulnerable people in our communities, but cybercriminals view charities as easy and lucrative targets.
There are four key reasons:
1. They hold large amounts of highly sensitive data
Personally Identifiable Information (PII), data that can be used to identify specific individuals, is a valuable currency for criminals, who can trade it on the dark web and use it to commit fraud.
In 2022, the International Committee of the Red Cross was targeted for its data, with hackers breaching the records of 515,000 service recipients.
2. Charities are viewed as soft targets
Understandably, charities want to channel funding and donations to beneficiaries rather than buying new devices or hiring in-house IT professionals. However, older systems have vulnerabilities that regular software updates can fix. With little or no in-house IT support, many of these weaknesses go unpatched, leaving charities open to cyber attacks.
3. Cybercriminals see a high payout potential
Cybercriminals know charities collect sensitive data and use this as leverage. In December 2024, Liverpool’s Alder Hey Children’s Hospital and Chest Hospital NHS Foundation Trust were hit by a hacker group threatening to leak sensitive patient data.
Charities may be tempted to pay ransoms to avoid public disclosure of service recipient information.
4. Charities have a fluid workforce
Charities rely on volunteers and on part-time and temporary workers, which makes regular cyber security training difficult. When workers leave, accounts that are left active but dormant become a cyber security weakness.
It’s common for employees to access charity systems using BYOD (Bring Your Own Device), and personal devices are difficult to secure. The National Cyber Security Centre identifies this as a cyber security risk. Its research shows that 64% of charities use BYOD, which is above the 45% average for businesses.
Why IT support for charities is vital to resilient services
The UK has 200,000 registered charities, with a combined income of £100bn, making them an attractive target.
Charities were among the top sectors reporting ransomware activity to the National Cyber Security Centre (NCSC) over the past 12 months, with around a third (32%) experiencing a breach or attack.
Organisations with a dedicated, in-house cyber security team can set up their systems and establish procedures to protect themselves from these threats. With a global shortage of cyber security professionals, demand far outstrips supply, and for charities, hiring an in-house expert is often prohibitively expensive. Charity IT support services can bridge this gap and empower charities to defend their networks and maintain service provision.
The ripple effect of a cyber attack
An attack has an immediate impact on a charity's finances and the services it provides. However, the consequences often persist far longer:
1. Delays in service delivery to beneficiaries
The SAMH ransomware attack impacted people in crisis who needed immediate support, but the expense of a cyber security incident can have a longer-term effect.
The British Library was attacked in 2023 by a hacker group that targeted HR and finance records. It refused to pay the criminals, but the bill for rebuilding its systems was reported to be between £6m and £7m, which is about 40% of its reserves.
2. Loss of donor trust and funding
Donors want to be sure their money is helping charities achieve their mission. Effective cyber security and charity IT support services help maintain this trust.
As Helen Stephenson, Chief Executive of the Charity Commission for England and Wales, commented: “All charities ultimately rely on public trust and continued public generosity. So the impact of any cyber attack on a charity can therefore be devastating, not just for the organisation and those who rely on its services, but also in undermining public confidence and support.”
3. A cyber attack can lead to regulatory fines and penalties
Cyber attacks often lead to data breaches. All organisations have a responsibility to protect PII under the UK GDPR. Unauthorised access to this data, including by cybercriminals, breaches the ‘Integrity and confidentiality’ principle and may lead to a reprimand or fine from the Information Commissioner’s Office (ICO). Charities must also report a serious incident to the Charity Commission.
Charity IT support services may seem like an expense that takes funding away from beneficiaries, but an attack can be even more costly. Effective IT services for charities help to protect the essential support charities provide.
Charities’ first line of defence: the UK NCSC’s Cyber Essentials
Without in-house IT support for charities, cyber security can seem daunting. This is where the government-backed Cyber Essentials (CE) scheme is invaluable. It’s a cost-effective way to begin your cyber security journey and achievable for charities of any size.
CE certification is the baseline security recommended by the NCSC and will help you protect your charity from common cyber attacks. These include phishing, ransomware, unauthorised access and supply chain attacks.
With its controls in place, your donor and beneficiary data is safeguarded, meeting GDPR requirements and enabling your charity to continue its mission with greater peace of mind.
The five technical controls your charity must have in place for CE are:
- Firewalls: These help your charity by safeguarding your donor and beneficiary databases. Firewalls monitor traffic going in and out of your network. Any unauthorised attempts to access your network and databases can be blocked. Cybercriminals scanning your network for vulnerable points will also be blocked.
- Secure configuration: This ensures your charity’s systems are set up securely and sensitive files can only be accessed by authorised staff. The default configurations of systems and devices are often insecure; for example, they often use a pre-set, widely known password, making them vulnerable to cybercriminals.
- User access controls: Charity employees, including temporary staff and volunteers, can only access the files they need to complete their roles. Limiting access reduces the risk of data being stolen or of an accidental data breach.
- Malware protection: Anti-malware software scans data from your charity’s network, preventing its systems from being infected. Malware can corrupt files and lead to the theft of sensitive data and even ransomware.
- Managing security updates: Updates patch known vulnerabilities in software, strengthening your charity’s defences. New vulnerabilities are constantly discovered in even the most universal systems. It’s important to patch these quickly before cybercriminals exploit them. A patch management system ensures that software and systems are kept up to date.
How does Cyber Essentials benefit charities?
Improving your charity's cyber security safeguards its data and protects beneficiaries, donors and employees. Government bodies often require organisations they work with, including charities, to hold a Cyber Essentials certification.
This was the case for the social enterprise business Hey Girls, whose mission is to tackle period poverty. They needed CE accreditation to bid for a government contract and contacted Texaport for help.
Texaport worked closely with Hey Girls, creating a bespoke approach to Cyber Essentials, enabling them to pass the qualification process the first time.
"This partnership allows us to focus on our mission to combat period poverty, confident in our reliable and secure IT infrastructure."
Celia Hodson, CEO, Hey Girls
How to get started and protect your charity today
For most charity leaders, providing essential support to their beneficiaries is the priority. Effective cyber security helps to ensure continuous, uninterrupted services. However, building a cyber-resilient organisation can be challenging without in-house IT services for charities.
At Texaport, we can guide your charity through the Cyber Essentials process and ensure you pass the certification process.
Cyber Essentials is more than a box-ticking exercise. Many organisations we work with value the improved IT processes and the peace of mind that certification brings. Certification lasts 12 months, and we provide ongoing IT support to ensure compliance and security are maintained for the duration of the certification.
Discover how Cyber Essentials can safeguard your data and keep your charity secure. Book a free consultation to learn more.