Non-Profits & Charities: Here is your Cybersecurity Strategy for 2025
The charity and non-profit sector did incredible things in 2024. MindOut supported the LGBTQ+ community with mental health support, The Black Environment Network advocated for multicultural environmental access and the Pet Samaritans in Derbyshire protected countless animals.
Such feats were no easy task, particularly with a rising cost of living, cuts in government support and countless other factors working against them.
Beyond these, there are unique cybersecurity challenges to take on as organisations balance limited resources with increasing digital threats.
Understanding these challenges and preparing for future threats is crucial, which is why today I want to have a look at what should be the biggest priorities in 2025, with a glance back to 2024 to see what can be learned.
A look back to Cybersecurity Challenges for Charities in 2024
It’s nasty news, but non-profit organisations became increasingly attractive targets for cybercriminals. The reasons include their valuable donor data, attackers with political or malicious motives, and the perception of being ‘easy targets’ because of often limited security infrastructure.
According to the National Cybersecurity Centre, 32% of charities experienced a breach in 2024, but a worrying 81% were unprepared.
Key Trends in 2024
Ransomware Targeting: Non-profits experienced a significant increase in ransomware attacks compared to 2023, with average ransom demands being well within the thousands (Nonprofit Technology Network, 2024)
Donor Data Breaches: Reported incidents involved unauthorised access to donor databases, affecting both financial and personal information
Phishing Campaigns: Targeted phishing attacks against non-profit employees increased, with sophisticated social engineering tactics specifically designed to exploit charitable missions
Major Challenges
Non-profits face several distinct cybersecurity challenges:
Budget Constraints: On average, non-profits allocate only a tiny fraction of their IT budget to cybersecurity, compared to a much larger percentage in the commercial sector
Resource Limitations: Many non-profits lack dedicated IT security staff
Volunteer Workforce: High turnover and varying technical expertise among volunteers naturally create security vulnerabilities
Impact on the Sector
The financial and operational impacts can be significant. Beyond financial losses, affected organisations also face reputational issues that can majorly affect long-term success. Furthermore, a cyber attack can severely disrupt operations.
2025 Predictions
Based on current trends and expert analysis, here are my key predictions for the non-profit sector in 2025:
AI-Driven Threats: Expect an increase in AI-powered social engineering attacks targeting non-profit staff and volunteers. These attacks will likely use advanced language models to craft highly personalised and convincing phishing emails, fake donation requests, and impersonation attempts.
The AI will analyse public information about the organisation and its staff to create targeted messages that appear legitimate, making them particularly dangerous for volunteers who may not have extensive security training.
Cloud Security Challenges: As more non-profits migrate to cloud services for cost-effectiveness and accessibility, cloud-based security incidents are predicted to rise significantly. This includes unauthorised access to cloud storage, data leakage through misconfigured settings, and attacks targeting cloud-based donation platforms.
Regulatory Compliance: New data protection regulations specifically targeting the non-profit sector are likely to emerge, including stricter requirements for donor data handling, mandatory breach reporting timelines, and specific guidelines for international data transfers.
Collaborative Security: Growth in shared security resources and platforms specifically designed for non-profit organisations
Priority Areas for 2025
Essential Security Measures
Implement multi-factor authentication (MFA) across all systems: This critical security measure requires users to provide two or more verification methods to access accounts.
Develop comprehensive security training programs: Train staff and volunteers to recognise phishing attempts and social engineering, and cover account security and data handling.
Automate backup systems with encryption: a security measure that involves regularly backing up all important data with end-to-end encryption. This is particularly important for non-profits as it helps protect against data loss from ransomware attacks and other security incidents.
Incident response plan development and testing: Create and maintain a comprehensive incident response plan that includes the roles and responsibilities for team members and step-by-step procedures for different incidents
Data Protection
1. Donor data encryption and access controls: This involves protecting sensitive donor information through encryption (making it unreadable without proper authorisation) and implementing strict controls over who can access this data.
2. Regular security audits of third-party service providers: Systematically reviewing and evaluating the security practices of external vendors and services that your organisation works with to ensure they meet security standards and don't pose risks to your data.
3. Data minimisation practices: Collecting and storing only the essential data needed for operations, reducing the potential impact of any data breaches by limiting the amount of sensitive information kept on file.
Resource Optimisation
1. Leveraging non-profit security grants and programs
Take advantage of available funding and programs specifically designed to help non-profits improve their cybersecurity. Many organisations and foundations offer grants or special programs to support non-profit organisations with their security needs. Blog post with my recommendations coming soon!
2. Partnering with pro-bono cybersecurity services
Collaborate with cybersecurity professionals or companies who offer their services free of charge to non-profit organisations. These partnerships can provide access to expertise and resources that might otherwise be unaffordable.
3. Implementing cost-effective security tools designed for non-profits
Use security tools and solutions that are specifically created for non-profit organisations, often available at reduced costs or with special non-profit pricing. These tools are typically designed to meet the unique needs and budget constraints of those in your sector.
This blog has been a biggie but I hope it’s provided a little insight into what to be wary of in 2025 and how to begin building your defences.
While resources may be limited, the cost of inadequate security far outweighs the investment in prevention. Organisations that prioritise cybersecurity will be better positioned to maintain trust from their supporters and ensure uninterrupted service delivery to their communities.
Get Started Today
Start with Mission Secured: a free 5-day program for charities and non-profits to cover the most immediate and essential cybersecurity defences.
Free, simple and easy steps that can be implemented in under 30 minutes.
Click the link below to learn more.