Retail hacks have put cyber crime high on the agenda, adding more to the workload of overstretched not-for-profit tech leaders, but as CIO Kevin Antao points out, it is also an opportunity.
Cybercrime has become mainstream news following the recent BBC Panorama episode: Fighting Cyber Criminals. This documentary underscored the escalating cybercrime crisis in the UK, particularly the surge in ransomware attacks that have severely impacted businesses throughout 2025.
The recent attacks on retailers Marks and Spencer, Harrods, and Co-op have seen multi-million-pound ransoms being demanded by attackers. These high-profile cases have led to the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) calling for immediate national action to strengthen cyber security measures, emphasising improvements in security protocols, authentication, data back-ups, and incident response planning.
For not-for-profit cyber and IT leaders, this additional workload can be overwhelming, given the variety of threats to keep up with. A recent Charity Digital article, What’s on the Horizon for Charities in 2025, highlighted this increase in pressure, citing factors such as limited resources, increasing digital complexity, insufficient capacity, and gaps in governance.
Where to start
Not-for-profit IT leaders should narrow their focus and adopt a risk-based, pragmatic approach to cybersecurity, accepting that immediate resolution of all issues may not be possible. Seven priority areas are listed below for not-for-profit cyber or IT leaders to consider when planning actions and cyber responses.
- Executive engagement
- Basic cyber set up
- Develop the human firewall
- Get free assistance
- Partner with key mission stakeholders
- Practice, practice, practice
- Listen and learn from other charity incidents
Each of these areas is briefly described below, including suggestions and recommendations.
By focusing on these, a charity IT leader can frame their cyber response and meet the urgent call of the UK government to strengthen cyber security measures.
EXECUTIVE ENGAGEMENT
In 2025, it is rare to find an organisation that does not have cyber security listed as a key risk in the organisational register. Modern charity boards and executive teams expect regular updates on progress towards positive cyber health and mitigation of cyber risk. However, board and executive cyber expertise remains stubbornly limited, with senior stakeholders guilty of approaching cyber security with a superficial understanding of the topic or treating it as a tick-box exercise. This indicates a poor culture towards cybersecurity, with two common symptoms:
- Executives fail to view cybersecurity as strategic.
- Senior staff miss the opportunity to recognise that cyber security correlates with the mission that a not-for-profit serves.
This is likely due to the punitive way the topic is presented to executives, with emphasis on the consequences of getting things wrong, such as fines, penalties and operational failures, rather than a more balanced approach that includes the benefits to the mission of good cyber security. These include increased reach, impact, policy, and supporter engagement.
Despite this challenge, there still is a strong desire to improve cyber understanding, with boards and executive teams frequently making space for cyber security discussion at their meetings. These moments are important for the cyber or IT leader, as they present an opportunity to get the right messages across.
Sadly, too often these moments are not capitalised on. Instead, IT leaders will often share misleading metrics, dashboards or tools, diving into technical topics rather than presenting a more balanced view of the overall security posture. With board or executive members lacking effective skills to interrogate the technical data, the effectiveness of the moment is lost.
Cyber and IT leaders should, therefore, think carefully about their executive engagement moment. It may be useful for cyber or IT leaders to reflect upon a few questions before the presentation:
- What was the level of engagement at previous presentations on cybersecurity?
- Could I adjust the narrative to provide a more balanced engagement by connecting cybersecurity to mission goals and/or to the strategy?
- How can I avoid fearmongering or wholly focusing on the negative aspects of cyber security?
- Are the metrics, dashboards and technical data presenting a clear, honest, comprehensible, holistic, comprehensive and independently verified view of the organisation’s current cyber maturity and security posture?
- To what extent can I use any external examples of cyber breaches or failures to help educate the board on the real-world risk?
BASIC CYBER SET-UP
In 2025, a lack of basic cyber hygiene will not be tolerated. As with the notorious retail sector examples, the attacks targeted the most basic organisational weaknesses, arguably meaning that the events were most likely preventable.
IT and cyber leaders have no choice but to obsess about basic cyber hygiene and controls. Several checklists exist to help ensure the basics are in place, such as the insightful guidance in the NCSC Small Charity Guide and guidance from other UK bodies. Adopting the NCSC guidance as a minimum, IT leaders should always check:
- Access Controls
  - Restrict access to sensitive data to only those who need it for their roles.
  - Passwords: use strong, unique passwords for all accounts and enable two-factor authentication where possible.
- Staff Awareness and Training
  - Regular cyber training and simulated phishing tests are the norm.
  - Establishing a culture of reporting suspicious activity is important in terms of behaviour. It is never a bad idea to use the internal communication channels to highlight when a staff member proactively points out a risk; consider creating a digital badge, reward or "digital guardian" recognition for such behaviour.
- Data Protection and Back-ups
  - Back-up: regularly back up important data and store back-ups securely offline or in the cloud.
  - Disaster recovery/business continuity: take exercises that practise the restoration of systems seriously.
- Software and Devices
  - Patching: keep software and devices up to date with the latest security patches.
  - Anti-virus: install and maintain reputable anti-virus and anti-malware protection.
  - Device management: ensure all devices (including mobiles) are protected with PINs or passwords and can be wiped remotely if lost.
- Networks and Infrastructure
  - Understand the network architecture and the segmentation of sensitive workloads, data and systems.
  - Make sure monitoring is robust and trustworthy.
  - Ensure that remote/hybrid working access is well understood.
- Plans, Standards and Governance
  - CSIRP: have a cyber security incident response plan in place for dealing with breaches or cyber-attacks.
  - Insurance: go through the process for cyber insurance and make sure you are clear on your policy.
  - Standards: know what good looks like. Most charities align to Cyber Essentials (CE), Cyber Essentials Plus (CE+) and ISO 27001 as a minimum.
  - Conduct risk assessments and business continuity exercises.
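The back-up and disaster-recovery items above are only worth anything if a restore can be shown to be complete and untampered, which is what a restoration drill should prove. The script below is an added example, not code from this article or from the NCSC guidance it cites: it builds a SHA-256 manifest of a backup set, stores the manifest apart from the backup, and then checks a restored copy against it, reporting files that are missing, altered or unexpected. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Backup restoration drill: hash manifest of a backup set, then verify a restore.
Added example; all paths and file contents below are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash large files in 1 MiB pieces


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so big backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256 and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest.

    Returns lists of missing, modified and unexpected files; all three empty
    means the drill passed. Size is checked first as a cheap pre-filter, then
    the hash catches same-size edits."""
    report = {"missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif p.stat().st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            report["modified"].append(rel)
    for p in sorted(restored_root.rglob("*")):
        if p.is_file() and p.relative_to(restored_root).as_posix() not in manifest:
            report["unexpected"].append(p.relative_to(restored_root).as_posix())
    return report


def restore_passed(report: dict) -> bool:
    return not any(report.values())


def demo() -> tuple:
    """Constructed drill: one clean restore and one that went wrong."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        backup = tmp / "backup"
        (backup / "donors").mkdir(parents=True)
        (backup / "donors" / "list.csv").write_text("id,name\n1,Sample Donor\n")
        (backup / "config.json").write_text('{"mfa": true}\n')

        manifest = build_manifest(backup)
        # Keep the manifest on separate media from the backup itself (constructed path).
        (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))
        stored = json.loads((tmp / "manifest.json").read_text())

        good = tmp / "restore_ok"
        shutil.copytree(backup, good)
        ok_report = verify_restore(good, stored)

        bad = tmp / "restore_bad"
        shutil.copytree(backup, bad)
        (bad / "config.json").write_text('{"mfa": false}\n')  # silently altered setting
        (bad / "donors" / "list.csv").unlink()                # file lost during restore
        (bad / "stray.exe").write_bytes(b"not ours")          # file that was never backed up
        bad_report = verify_restore(bad, stored)
        return ok_report, bad_report


if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore passed:", restore_passed(ok))
    print("tampered restore report:", bad)
```

In a real drill the manifest would be generated when the backup is taken and kept somewhere the backup media cannot overwrite it, so that a restore test also detects a backup that was corrupted or altered before restoration.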
DEVELOP THE HUMAN FIREWALL
In 2025, the theory that organisations consist of people, processes and platforms is widely accepted, as is the prioritisation of people-first over process and technology. This is highly relevant for cybersecurity, as it is essential that cyber and IT leaders prioritise human-centred activities. For mission-based organisations, this is even more crucial, as they are all about the human and societal impact. Points to consider:
- Can a cybersecurity champions network be established? Trusted advocates on the ground in not-for-profits are vital in helping to bring the topic to life, bringing a collective responsibility and guardianship of the organisation. They also help to reduce pressure and cyber defence burden on resource-constrained IT teams, providing a crucial support network of engaged organisational defenders, both interested in the topic and safeguarding the mission.
- Extending the internal defender concept, IT leaders in charities should consider external help, such as engaging ethical hackers and bug bounty hunters. These specialists are good at simulating real-world attacks and provide cost-effective methods to surface weaknesses in the external-facing technology ecosystem. This can help to boost public trust and protect the charity's reputation. Note that the engagement needs to be handled with care, as it can also lead to risks such as unsolicited bounty hunters demanding payment.
- A cyber education programme is essential. Many not-for-profit organisations construct a “tiered” programme for cyber education across three levels of training:
  - Mandatory training (such as password hygiene and device protocols), typically delivered as someone joins the organisation and enforced through a no training, no access (NTNA) policy.
  - Ongoing training, such as data protection and incident reporting, delivered as ongoing courses as part of employees’ licence-to-work. To keep this fresh, consider a dedicated Cyber Security Week with other education offers and re-advertising the various cyber courses and training.
  - Specialist training, subject to role. It is often the case that finance teams dealing with fraud, senior executives in the public eye, researchers or other specialist roles at a non-profit require a more tailored set of education to manage cyber risks. These are opportunities to partner with other areas of the charity to collaborate and generate knowledge and content for wider organisational education.
GET FREE CYBER ASSISTANCE
Cybersecurity experts point out that the industry is well over thirty years old: anti-virus software dates back to the 1980s, firewalls and encryption arrived in the 1990s, and major breaches became more prevalent in the early 2000s. Despite this history, the cybersecurity industry is still perceived as young, but the decades of learning and knowledge should be acknowledged.
What this means is that the resource-constrained cyber or IT leader at a charity can learn from goldmines of information at no expense. Cost should never be a barrier to taking cyber action. Similarly, cyber or IT leaders should not tackle the challenge of cybersecurity alone. A collaborative mindset is crucial, and the following resources provide free help and can bring about team solutions:
- Consider appointing a volunteer Chief Information Security Officer (vCISO). Several recruitment consultancies and agencies have spun up volunteer or pro bono programmes. Charities may be able to access qualified security professionals through these schemes, often on a cost-effective basis. A good example of this has been through the La Fosse Pro Bono
- Most charities rely upon major vendors and their solutions to deliver their mission. In the realm of cyber security, there are several useful partners and programmes that can provide expertise, funding and support to deliver positive cyber outcomes.
  - Microsoft offers substantial help in its Security Program for Nonprofits, including free security assessments, partner introductions for internal capacity building, and additional tools such as AccountGuard to help manage and mitigate nation-state grade threats. Microsoft Learn is another free resource that can help in the construction of your cyber education programme, with the ability to tailor materials for your own organisation.
  - Google offers similar benefits, including access to grants or funding through Google.org and built-in features in Google Workspace for Nonprofits.
  - Salesforce products include sophisticated in-built cyber security features, and support is provided for assessments and health checks. Its Trailhead resource has a wealth of information that is freely available.
- Cyber or charity leaders in the UK can also rely on government agencies for cybersecurity help and support, notably from the excellent NCSC.
  - The UK government has recently published the Cyber Governance Code of Practice, dubbed The Code. It has been created to support boards and directors in governing cybersecurity risks. The Code sets out the most critical governance actions that directors are responsible for. Details on the code are found at Cyber Governance Code of Practice.
  - Free training is offered to board members to understand the purpose of the Cyber Governance Code of Practice, why cyber governance is important for boards, and how it can support them to effectively govern cyber risks within their organisation. It is found at Cyber Governance for Boards Training.
  - The Code is underpinned by the Cyber Security Toolkit for Boards, which explains how boards can implement the principles as outlined in the Code, and can be found at Cyber Governance for Boards Toolkit.
- Third parties offer a wide variety of tools and capabilities for free, which can help an IT leader to benchmark or assess security posture and maturity, or measure a specific area, such as a penetration test. These offers need to be carefully navigated as they typically are put in place to secure the purchase of onward services. But it is often the case that charities can negotiate cost-effective and free services, as third parties value the reputational boost, bolstering their own employee experience over revenue considerations.
- Other networks offer cyber and IT leaders guidance and practical help. Charity IT Leaders runs several special interest groups and networks and offers practical help and guidance for real-world cybersecurity problem solving.
PARTNER WITH KEY MISSION STAKEHOLDERS
Solving cybersecurity threats requires collaborative partnerships across the organisation. This is because cyber security has different meanings to different internal stakeholders, but also because there are not only technical but strategic and cultural problems involved. IT leaders should consider the following partnerships:
- Trustees and senior board members are key in ensuring that cybersecurity is locked into governance, risk management, compliance and policies across the organisation. At charities, IT leaders should recognise that trustees are mostly unpaid individuals with varying knowledge of cyber protocols. IT leaders need to be flexible to foster these partnerships, being patient to understand personal or professional trustee cybersecurity challenges or perspectives so as to build trust and collaboration.
- The CEO relationship is crucial. Threats facing the CEO are numerous, including CEO impersonation risks through spear phishing or whaling, or even deepfakes generated through AI-driven social engineering. IT leaders may even need to consider the boundary between the personal and professional digital footprint of the CEO. This is a delicate topic to be navigated, but a white glove, holistic approach with the CEO is necessary, potentially applying specialist risk assessment activity to understand the CEO’s personal and professional profile and to assess for vulnerabilities. A good way of doing this would be commissioning a specialist threat hunting organisation to conduct a broad Executive Threat Assessment (Control Risks Executive Threat Assessment).
- The CFO relationship is equally crucial, as many cyber-attacks, such as invoice fraud, will target the finance team. IT leaders will speak to CFOs on multiple cyber security related topics, including budgeting and resources, risk management and compliance, fraud prevention and financial controls, cyber education and business continuity. Consider aligning with professional finance groups to influence cybersecurity, such as the Charity Finance Group (CFG) and its specific guidelines for finance professionals and cybersecurity.
- As was the case during the Covid pandemic, the new power couple at the executive level was formed between the IT Director and the Chief Human Resources Officer (CHRO). For cyber security, this is a vital partnership, notably with the people-first quote expressed earlier. The opportunity for closer ties is illustrated with the Chartered Institute for Personnel and Development (CIPD) calling for more focus on cyber security for HR professionals, illustrated by articles such as It’s time for HR to get serious about cyber security. HR professionals see cyber security not just as an IT issue but a strategic HR responsibility, and IT leaders should collaborate closely with HR counterparts to foster a culture of organisational digital vigilance.
- Non-profit organisations often seek to influence policy, raise public awareness of their missions, and provide deep insight and research. Stakeholders affiliated to these departments, such as researchers, advocates, policy influencers and public awareness professionals, are important collaborators for the IT leader. In many cases, the depth of specialist knowledge and understanding of aspects of cybersecurity for these individuals can even exceed that of the IT leader, due to the nature of the role undertaken by these professionals. This is an important collaboration and key in aligning cybersecurity to the mission.
PRACTICE, PRACTICE, PRACTICE
There is significant value in simulating crisis management and cybersecurity failure scenarios. The Co-op formed a deeper strategic partnership with Hacking Games following its cyber-attack.
IT leaders at non-profit organisations will need to be courageous and look for opportunities for:
- Tabletop exercises to simulate a cyber incident.
- Phishing simulations, where mock phishing emails are sent to staff to test awareness and response.
- Cyber response drills to practise back-up, restoration and other recovery procedures.
Common resources that are used for these exercises include the NCSC Exercise in a Box, business continuity planning from the likes of Biscon, or the excellent guide to tabletop exercises provided by Sophos.
LISTEN AND LEARN FROM CHARITY INCIDENTS
It is imperative that charity IT leaders spend time engaging with those managing cybersecurity at other organisations, especially those with firsthand cyber incident experience. There is a need to build a collective resilience against the attackers, and sharing knowledge is the only way for effective defence and proactive measures to counter the threat.
Don’t panic if you find yourself in an incident. Real-world examples are priceless to learn from. I have led the recovery from:
- Mailbox compromise, where an organisation’s entire email infrastructure was infiltrated, with external infrastructures set up to send bogus emails to all audiences of the charity. Several financial threats arose from the situation, requiring careful steps to communicate with the charity’s audiences and supporters to provide assurances around personal data and future interaction.
- Sophisticated cyberattack believed to be carried out by state-sponsored hackers linked to a nation state. Detected by advanced security monitoring tools, the breach involved tactics and infrastructure consistent with known advanced persistent threat (APT) groups. Cyber forensic experts confirmed the links to previous campaigns associated with nation-state actors. Response included swiftly securing systems and offering guidance to protect personal data. State-sponsored hacking continues to be a growing pressure on NGOs and human rights defenders across the globe.
- High-profile targeted attacks on key staff, including personal ransomware targeting, or sophisticated geotagging, vishing or other means to impersonate or threaten executives. This included vicious, personalised cyber bullying and attacks, notably on high-profile senior female staff at a charity involved in preventing online violence against women.
Cyber and IT leaders should seek out and listen to real-world stories to gain an understanding of the threat landscape.
If you are worried about your cybersecurity, Intergence are offering a free cyber security assessment and infrastructure audit, to help you identify any vulnerabilities and offer support on where to improve. You can register here.