The cyber security frequently asked questions (FAQs) for charities

Over the last few years, charities have become increasingly reliant on IT and technology, and with this, more charities than ever before are falling victim to the activities of cyber criminals.

Charities by their very nature hold funds and personal, financial and commercial data, all of which is of interest to cyber criminals. Stolen data has a monetary value: criminals can charge you for the return of access to it, or profit by selling it on to other criminals.

In the UK, we know that some charities are aware their data is sensitive, valuable and vulnerable to attack. However, many charities, particularly smaller ones, do not realise this and do not perceive themselves as targets.

Smaller charities may not consider it a priority to commit resources to cyber protection, perhaps in the belief that cyber security will be expensive and divert money away from frontline expenditure, or perhaps because they do not fully understand the threat. We have therefore created this Frequently Asked Questions (FAQ) blog post to answer the most commonly asked questions on why charities should take cyber security seriously.

What is a ‘cyber risk?’ A cyber risk is the potential for loss or harm arising from a failure or compromise of an organisation’s information or communications systems.

What is cyber security? Cyber security refers to the protection of hardware, software and data from attackers. Its primary purpose is to prevent cyber attacks that access, change or destroy sensitive information, or that disrupt the systems a charity depends on.

I'm a smaller charity, do we really have to worry about hackers?

The short answer is yes. Charities are exposed to the same cyber vulnerabilities as any other organisation or business that conducts financial transactions and relies on electronically held data to carry out day-to-day operations.

The outward-facing nature of charities and the culture of trust in the sector make them particularly vulnerable to criminality.

What is ransomware? A type of malicious software designed to block access to a computer system or its data, usually by encrypting files, until a sum of money is paid. Paying does not guarantee the data comes back, which is why tested, offline backups matter.

What is malware? Short for malicious software, malware is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

What types of cyber-attacks do charities face? How can I combat these? Sadly, there are many ways that cyber criminals can choose to attack a charity or business. The NCSC’s Cyber Threat Assessment found the following types of attack were the most prevalent of those reported:

  • Ransomware and extortion: Charities may be targeted directly, be inadvertently affected by malware aimed elsewhere, or by mass indiscriminate campaigns seeking to exploit as many victims as possible. Malicious actors may not only steal or deny access to data; they may delete or change it. Alternatively, attackers may steal and threaten to release data unless a payment is made (or another demand is met).

  • Business email attacks: Criminals first compromise, or convincingly imitate, the email accounts (usually work rather than personal accounts) of an organisation’s senior executives or finance or legal staff. Spoofed emails are then sent in their name instructing unsuspecting employees with financial authority to make payments, which are diverted to the criminals’ accounts. A verbal check with the supposed sender, on a known phone number, defeats most of these attempts.

  • Fake organisation websites: Criminals exploit the credibility and appeal of charities to trick donors into giving money to what appears to be a legitimate charity. This is often done by creating fake organisations with accompanying websites, some of which are well designed, functional and professional-looking. Criminals react quickly to disasters and global events to steal donations intended for genuine appeals.
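The business email attack and look-alike website bullets above both hinge on the same question: is this message really from who it claims to be? The following script is an added example, not code from the original FAQ or from the Cyber Resilience Centre. It triages an incoming message the way a finance inbox filter might: it reads the receiving mail server's Authentication-Results header for the SPF/DKIM/DMARC verdicts, spots sender domains that imitate the charity's own (typosquats and nested copies), flags a known executive's display name on an outside address, flags a Reply-To that steers replies elsewhere, and flags payment-pressure wording. The charity domain, staff names and all three sample messages are constructed assumptions for illustration.

```python
"""Triage of a suspected business email compromise (BEC) message.

Added example for this FAQ, not code from the original page or from the
Cyber Resilience Centre. Everything below is assumed for illustration:
the charity's domain (examplecharity.org.uk), the staff names, and the
constructed sample messages.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

OWN_DOMAIN = "examplecharity.org.uk"        # assumed charity domain
KNOWN_STAFF = {"Jane Doe", "Sam Patel"}     # assumed display names of senior/finance staff
PAYMENT_WORDS = re.compile(r"\b(urgent|wire|transfer|bank details|invoice|gift cards?)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examplecharity-org.uk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that imitates ours (typosquat or nested copy) without being ours."""
    if not domain or domain == OWN_DOMAIN:
        return False
    return OWN_DOMAIN in domain or levenshtein(domain, OWN_DOMAIN) <= 2


def auth_results(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts written by our own receiving server."""
    header = str(msg.get("Authentication-Results", ""))
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % mech, header, re.I)
        verdicts[mech] = m.group(1).lower() if m else "none"
    return verdicts


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> list:
    """Return a list of warning codes; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = sender_domain(addr)
    flags = []
    # 1. Mail claiming to come from our own domain must have passed DMARC at our gateway.
    if domain == OWN_DOMAIN and auth_results(msg)["dmarc"] != "pass":
        flags.append("dmarc-fail")
    # 2. Typosquatted or nested copies of our domain.
    if is_lookalike(domain):
        flags.append("lookalike-domain")
    # 3. A known executive's display name on an external address.
    if name.strip() in KNOWN_STAFF and domain != OWN_DOMAIN:
        flags.append("staff-impersonation")
    # 4. Reply-To steering the conversation to a different mailbox.
    reply_to = sender_domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_to and reply_to != domain:
        flags.append("reply-to-mismatch")
    # 5. Payment-pressure wording in the body text.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and PAYMENT_WORDS.search(body.get_content()):
        flags.append("payment-language")
    return flags


# Constructed sample messages (not real mail).
SPOOF_LOOKALIKE = """\
From: "Jane Doe" <jane.doe@examplecharity-org.uk>
To: finance@examplecharity.org.uk
Reply-To: "Jane Doe" <jane.doe.ceo@freemail.example>
Subject: Urgent payment needed today
Authentication-Results: mx.examplecharity.org.uk; spf=pass smtp.mailfrom=examplecharity-org.uk; dkim=none; dmarc=none
Content-Type: text/plain; charset="utf-8"

I am in a meeting and cannot talk. Please make an urgent transfer of 9,500 GBP to the account below.
"""

SPOOF_OWN_DOMAIN = """\
From: "Jane Doe" <jane.doe@examplecharity.org.uk>
To: finance@examplecharity.org.uk
Subject: Invoice approval
Authentication-Results: mx.examplecharity.org.uk; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=examplecharity.org.uk
Content-Type: text/plain; charset="utf-8"

Please approve the attached invoice and wire the funds this afternoon.
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@examplecharity.org.uk>
To: finance@examplecharity.org.uk
Subject: Trustees meeting
Authentication-Results: mx.examplecharity.org.uk; spf=pass smtp.mailfrom=examplecharity.org.uk; dkim=pass header.d=examplecharity.org.uk; dmarc=pass header.from=examplecharity.org.uk
Content-Type: text/plain; charset="utf-8"

Reminder that the trustees meeting is on Thursday at 10am.
"""

if __name__ == "__main__":
    for label, sample in (("look-alike", SPOOF_LOOKALIKE), ("spoofed own domain", SPOOF_OWN_DOMAIN), ("legitimate", LEGIT)):
        print(label, "->", triage(sample) or "clean")
```

The DMARC check relies on the verdict being stamped by your own mail gateway; an Authentication-Results header arriving from outside can itself be forged, so production filters strip or ignore copies not added by a trusted server. None of these checks replaces the simple control in the bullet above: confirm any change of payment details by phone on a number you already hold.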

What is a VPN? VPN stands for Virtual Private Network. It creates an encrypted connection between your device and the VPN provider’s server, so that anyone on the network in between (for example on public Wi-Fi) cannot read or tamper with your traffic, and it can help get around censorship. A VPN only protects data in transit: it offers no protection against phishing, against malware already on the device, or against a weak or reused password.

What can I do if I think I’m being, or have been, attacked? The Cyber Resilience Centre for the South East is here to provide help and guidance to protect businesses and prevent them from falling victim to cybercrime. If you think you have fallen victim to a cybercrime, you need to know how to report it.

If you are a business, charity or organisation that is currently suffering a live cyber attack, please call Action Fraud’s 24/7 helpline on 0300 123 2040.

You can report cybercrime, fraud and attempted fraud to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. Action Fraud takes crime reports on behalf of the police and can provide you with guidance. It assesses each report and, where possible, passes it to the most relevant law enforcement agency to investigate or to offer bespoke protective advice. Report to Action Fraud online or by calling 0300 123 2040.

How might a breach affect my charity? Charities can face heavy fines if they suffer data breaches that lead to the loss or exposure of confidential information. Beyond the direct cost of dealing with the breach, the negative publicity and a regulatory penalty together can be devastating for a charity. A UK transgender charity was fined £25,000 by the Information Commissioner’s Office (ICO) for failing to keep the personal data of its users secure; the breach left the names and email addresses of 550 people searchable online.