Why cybersecurity is the new governance frontier for non-profits

In the wake of recent cyberattacks on high-street names such as M&S and Co-op, it’s increasingly clear that no organisation is safe from cybercrime. But while major retailers often have the resilience, budget and teams to absorb such crises, membership bodies and not-for-profit organisations face a far greater set of vulnerabilities.

These organisations are being targeted not in spite of their charitable status, but because of it.

A sector under siege

According to the UK Government’s Cyber Security Breaches Survey 2024, 30% of UK charities experienced a cyber breach or attack in the past year, equating to around 61,000 organisations. Of those affected, a staggering 95% said they were targeted by phishing—a low-effort but highly disruptive form of attack.

Civil Society News reported in April 2024 that the charity sector remains “exposed” due to limited budgets, outdated systems, and low levels of cyber awareness at board level. These insights were drawn from interviews with sector experts and analysis of recent cyber incidents affecting charities, many of which demonstrate an ongoing lack of preparedness at governance level.

Meanwhile, business advisers Armstrong Watson, who specialise in financial and risk services for charities, note that the average cost of a cyberattack on a charity ranges from £460 to £9,470—a serious financial blow for small and mid-sized organisations.

And while the figures are revealing, the real impact is felt most acutely through individual case studies.

Albyn Housing Society: A cautionary tale

In August 2024, Albyn Housing Society, a major housing charity in Scotland managing around 4,000 homes, was hit by a ransomware attack that led to the leak of highly sensitive staff and tenant data.

The attack was attributed to the Russian-linked cybercriminal group Black Basta. According to The Times (12 May 2024), the hackers posted 10GB of data on the dark web—exposing not just payroll and employment records but also deeply personal information of vulnerable housing tenants.

The entry point? A compromised supplier, highlighting a growing trend of supply chain vulnerability—a critical blind spot in many not-for-profit governance frameworks.

The Albyn case is far from isolated. In 2023, a ransomware attack on Evide—a Northern Ireland-based data storage provider working with more than 140 charities, many supporting survivors of abuse—resulted in the exposure of highly sensitive personal data across multiple organisations. The breach sent shockwaves through the third sector, raising urgent questions about data stewardship and supplier oversight.

More recently, in May 2025, a phishing scam targeting Edinburgh schools disrupted access to online learning platforms for more than 2,500 secondary school pupils during the critical exam revision period. The incident sparked widespread concern across the education and public service sectors, highlighting vulnerabilities in digital infrastructure and the need for stronger cyber preparedness.

These cases illustrate a key truth: cybersecurity is no longer just a tech issue—it’s a governance issue.

Governance must take the lead

Too often, boards see cybersecurity as an operational matter or an IT team’s problem. But when a breach strikes, it is trustees, directors and senior leaders who are held accountable by regulators, donors, and the public.

Good governance means:
- Embedding cyber risk into enterprise-wide risk management frameworks
- Ensuring cybersecurity training is mandatory and up to date for staff and volunteers
- Regularly reviewing policies, including incident response plans and supplier due diligence
- Treating cybersecurity as a standing item on the board agenda

This is not about fear—it’s about preparation, oversight and responsibility.

We’re here to support you

At The Chartered Governance Institute UK & Ireland, we offer bespoke training in strategy, leadership and governance support, designed specifically for boards, executive teams and governance professionals across the not-for-profit and public sectors.

Through our training, you can:
- Build board-level confidence on cyber governance
- Integrate cybersecurity risk into broader strategic thinking
- Understand your organisation’s vulnerabilities—and how to respond

To find out more, or to commission a session tailored to your organisation’s needs, contact:
Tara Wilson, Head of Business Development
E: twilson@cgi.org.uk
D: +44 (0)20 7612 7021

Visit our strategy, leadership and governance support page: https://www.cgi.org.uk/qualifications-training/bespoke-training/strategy-leadership-and-governance-support/