Safeguarding UK charities: Understanding cyber threats in 2025
Cyber security is becoming an urgent priority for UK charities. New data from the Information Commissioner’s Office (ICO) reveals a 51% increase in data incidents within the charity sector between 2020 and 2024, compared to a 26% increase across all sectors. With rising threats and increasing operational demands, charities must understand the risks they face and how to defend against them.
Chart: changes in the number of incidents compared to 2020, charitable and voluntary sector vs all sectors (2020–2024)
In this article, we explore the key cyber threats affecting UK charities in 2025 and provide practical steps to strengthen digital resilience, so you can keep your data, people, and mission secure.
Table of contents
- Why are UK charities being targeted?
- Key cyber threats facing charities in 2025
- Practical steps to safeguard your charity
- How Texaport helps charities stay secure
- Conclusion
Why are UK charities being targeted?
Charities are attractive targets for cyber criminals for several reasons:
- Sensitive data: Charities often handle personally identifiable information (PII) and special category data, everything from donor records to health and support service information.
- Limited resources: Many charities operate under strict funding, which can lead to delayed technology upgrades or a lack of dedicated cyber security expertise.
- Volunteer-based workforces: High turnover and reliance on part-time staff make consistent training and access control challenging.
- Bring Your Own Device (BYOD) culture: With 64% of charity team members using personal devices for work (compared to 45% of businesses), security vulnerabilities can be harder to manage.
Key cyber threats facing charities in 2025
1. Phishing attacks
Phishing remains the most common cyber threat, and it’s growing fast. Reported phishing incidents in the charity sector rose 83% between 2023 and 2024.
Cyber criminals are becoming more sophisticated, using AI to craft realistic emails or messages that impersonate trusted contacts. Techniques include:
- Spear phishing – targeted emails to specific individuals
- Whaling – attacks aimed at senior leadership or trustees
- Business Email Compromise (BEC) – impersonating suppliers or executives to steal funds
Chart: changes in the number of phishing incidents compared to 2020
2. Misconfigured software and hardware
Poorly configured systems present a serious risk, especially in environments with limited IT oversight. The number of misconfiguration-related incidents in charities rose by 625% since 2020, from just 4 cases to 29.
Chart: increase in misconfiguration incidents in the charitable sector
A high-profile example is the Mermaids data breach, where improperly configured email settings exposed confidential information online, leading to a £25,000 ICO fine.
“Misconfigurations may seem completely avoidable, but to date, we see them as one of the most significant risks.” - Information Commissioner's Office
Common misconfiguration issues include:
- Default passwords left unchanged
- Unencrypted sensitive files
- Unpatched systems with known vulnerabilities
- Overly permissive access settings
3. Ransomware
While the number of reported ransomware incidents declined in 2024 by nearly 38%, the threat remains severe. Ransomware encrypts your systems and data, often stealing it as well, and then demands payment for release.
The British Library attack in late 2023 serves as a stark warning. The attack wiped out major parts of their infrastructure, exposed 600GB of sensitive data, and left services offline for months, with a rebuild cost of up to £7 million.
Even when ransoms are paid, recovery is slow and reputational damage can be lasting.
4. Non-cyber threats: Human error and accidental breaches
Cyber criminals aren’t always the cause: 74% of reported incidents in the charity sector are classed by the ICO as non-cyber, that is, “a type of breach that does not have a clear online or technological element which involves a third party with malicious intent.” These are usually the result of simple human error and can be prevented through effective cyber security training and support from dedicated charity IT support.
The most common? Emails sent to the wrong recipient. In some cases, these involve highly sensitive data, triggering regulatory scrutiny and fines. In 2021, HIV Scotland was fined £10,000 for failing to use BCC in a bulk email, inadvertently exposing recipients’ identities and medical data.
These incidents show how accidental errors can still have serious consequences under UK GDPR.
Chart: emailed to incorrect recipient, non-cyber incidents in charities
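The HIV Scotland case above turns on one detail: every address placed in To or Cc is visible to every recipient, while Bcc is stripped before the message leaves the mail server. The following is an added example, not code from the article or from Texaport, showing a pre-send guard that a charity's mailing script or helpdesk tooling could apply. It uses only the Python standard library, never contacts a mail server, and the sender address, recipient list and threshold are constructed for illustration.

```python
"""Added example: refuse to send bulk mail that exposes recipients in To/Cc.

Standard library only. The addresses below are constructed sample data;
MAX_VISIBLE_RECIPIENTS is an assumed policy value (the charity's own
list address is the only one that should be visible on a bulk message).
"""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 1  # assumption: only the sender/list address may be visible

# Constructed sample data (not real people or organisations).
SENDER = "newsletter@charity.example"
CONSTRUCTED_RECIPIENTS = [
    "alice@example.org",
    "bob@example.org",
    "carol@example.org",
]


def build_bulk_message(sender, subject, body, recipients, use_bcc=True):
    """Build a bulk message either the safe way (Bcc) or the way that caused the fine."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if use_bcc:
        # Recipients go in Bcc; the only visible address is the charity's own mailbox.
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    else:
        # Every recipient sees every other recipient: the failure mode to prevent.
        msg["To"] = ", ".join(recipients)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will be able to read: To and Cc, never Bcc."""
    raw_headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(raw_headers) if addr]


def check_before_send(msg):
    """Return (ok, reason). Blocks the send when too many addresses are exposed."""
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return False, f"{len(visible)} addresses visible in To/Cc; move them to Bcc"
    return True, "ok"


def wire_bytes(msg):
    """What actually leaves the server: smtplib.send_message drops Bcc/Resent-Bcc,
    so a copy with those headers removed is what each recipient would receive."""
    clean = copy.deepcopy(msg)
    del clean["Bcc"]
    del clean["Resent-Bcc"]
    return clean.as_bytes()


if __name__ == "__main__":
    for use_bcc in (False, True):
        msg = build_bulk_message(SENDER, "Monthly update", "Dear supporter, ...",
                                 CONSTRUCTED_RECIPIENTS, use_bcc=use_bcc)
        ok, reason = check_before_send(msg)
        print(f"use_bcc={use_bcc}: {'SEND' if ok else 'BLOCKED'} ({reason})")
```

Run the module and it reports the non-Bcc message as blocked and the Bcc version as sendable; `wire_bytes` lets you confirm that no other supporter's address survives in the copy each recipient would receive. The same `check_before_send` gate can sit in front of any `smtplib` send call used for bulk supporter or service-user mailings.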
Practical steps to safeguard your charity
Securing your charity doesn’t require a huge IT team. The following steps are practical, achievable, and proven to reduce risk:
Obtain Cyber Essentials certification
A government-backed scheme, Cyber Essentials, helps you implement baseline protections such as secure configuration, firewalls, access controls, and malware protection. It’s also a requirement for some public sector contracts.
Implement regular data backups
Use the 3-2-1 rule: keep three copies of your data, stored on two types of media, with one copy kept offsite. Don’t assume Microsoft 365 or your cloud provider backs everything up; this is a very common misconception. Check what your provider actually retains and plan accordingly.
Establish a security-first culture
Embed cyber awareness into your organisation:
- Provide onboarding and refresher training
- Simulate phishing attempts
- Use penetration testing to identify hidden vulnerabilities
Cyber security should be championed from the top, with directors and trustees actively engaged.
Use anti-virus and malware protection
Modern anti-virus tools provide real-time scanning and protection against evolving threats, including ransomware. Choose a solution that covers all endpoints, including BYOD devices.
Prepare an incident response plan
The first 72 hours after a breach are critical. Know your legal obligations in advance, including when a personal data breach must be reported to the ICO within that window, and assign roles before an incident happens. Automated monitoring tools and breach detection software can help you respond quickly.
Leverage free NCSC resources
The National Cyber Security Centre offers free tools specifically for charities:
- Team training modules
- ‘Exercise in a Box’ scenarios
- Mail Check and Protective DNS services
These resources can significantly boost your charity’s defences without extra cost.
How Texaport helps charities stay secure
With extensive hands-on experience in providing IT support for charities, we understand the unique pressures that charities face. We’ve supported organisations across the third sector with:
- Cyber Essentials certification and compliance support
- Managed cyber security services, including backup, monitoring, and endpoint protection
- Incident response planning to ensure rapid, coordinated action when breaches occur
- Tailored cyber security training to reduce human error and raise cyber awareness
We take a proactive, partnership-based approach, working alongside your team to ensure technology never gets in the way of your mission.
Conclusion
Charities are doing vital work under growing pressure. With cyber threats rising rapidly and compliance expectations increasing, it’s more important than ever to build digital resilience.
By taking practical steps today, you can reduce your exposure to risk and protect the people and communities you serve.
Contact us if you wish to explore our cyber security offering.