Last month, the Department for Science, Innovation & Technology (DSIT) released its annual Cyber Security Breaches Survey 2025, offering critical insights into the current state of cyber resilience across the UK.

The report feeds directly into the UK’s National Cyber Strategy and highlights key cyber trends, levels of preparedness and the rising costs of cyber incidents across businesses, educational institutions and charities.  

What is evident is that UK charities remain increasingly vulnerable to cyber threats. Nearly one in three charities (30%) reported a cyber breach or attack in the past year – a figure that underscores the sector’s growing exposure to digital risks. It is also likely that this figure under-represents the true scale of the threat, as many more attacks will not have been detected or reported.

The scale of the cyber threat to non-profit organisations underlines how vital it is to take active steps to protect against the risk of data breaches or cyber attacks.

Here are the key takeaways from the survey in relation to charities:

The level of reported cyber breaches remains steady

  • 30% of charities reported a cyber security breach or attack in the last 12 months. This equates to around 61,000 registered charities and while this represents a 2% decrease from last year, the risk remains high.
  • Breach levels in medium and large businesses also remain very high (67% for medium businesses and 74% for large businesses). 

Phishing remains the #1 cyber threat

  • Phishing scams remain the most “prevalent and disruptive” threat for charities, especially because they require significant time to investigate and manage. Phishing is where attackers deceive people into clicking on fake links or revealing sensitive information.
  • 86% of charities experienced at least one phishing attack in the last year – many of which are detected or blocked without resulting in a breach – with many charities reporting weekly or monthly attacks, which is consistent with the 2024 figures.
  • It was also found that increasingly sophisticated methods, such as AI impersonation, were becoming mainstream, making it harder for users to spot threats.  

Increasing operational disruption

  • There was a notable rise in system disruption due to cyber attacks. Incidents where charities lost access to critical systems or third-party services jumped from 1% to 5% since last year. These incidents can bring operations to a standstill, preventing charities from delivering services and carrying out day-to-day activities.
  • Some larger charities also appear to be falling behind in cyber preparedness. Fewer reported having formal cyber security strategies or routinely assessing the security of suppliers – key components of effective cyber risk management.

Cybercrimes

  • Around 14% of charities – equating to around 29,000 organisations – experienced at least one cybercrime in the past year, with phishing responsible for 95% of these crimes.
  • Among those affected, charities experienced 16 cybercrimes each over the 12-month period, adding up to an estimated 435,000 cybercrimes across the sector. These figures highlight the targeted nature of cyber threats facing the charity sector. 

Leadership: a high priority with a knowledge gap

  • The survey found 68% of senior charity managers view cyber security as a high priority. However, of concern, board level responsibility for cyber security has steadily declined among businesses since 2021 (dropping from 38% in 2021 to just 27% in 2025).
  • However, having responsibility does not always equate to having expertise. Many leaders lack the technical understanding of cyber security needed to make informed decisions on cyber-related risks. This knowledge gap is compounded by limited staff training: only 21% of all charities and 47% of high-income charities provided staff cyber training last year.  
  • As the survey notes, “This is an important knowledge gap because board members may be making decisions, such as on budgets, without realising the full extent of their impacts”.
  • In the recent M&S cyber attack, hackers employed social engineering tactics to deceive IT staff into resetting passwords in order to gain access to systems. A critical layer of defence is adopting regular cyber security training for employees and managers to help recognise and respond appropriately to suspicious activities.

Cyber hygiene still falling short

  • While most charities had basic technical controls such as malware protection and password policies, only 35% had multi-factor authentication in place – a key safeguard against account breaches.
  • Notably, the NHS data breach in 2022 was attributed to the lack of multi-factor authentication, illustrating how basic gaps in cyber hygiene can lead to major incidents. You can read more about this data breach in our recently published blog here.
  • High income charities showed a decline in their implementation of fundamental cyber hygiene practices. This includes a decrease in taking action to identify cyber security risks, reviewing immediate supplier risks, and having a formal cyber security strategy in place. Insight from qualitative interviews suggests this could be linked to budget constraints.

You can read the Cyber Security Breaches Survey 2025 here.

While the statistics on breaches and cyber attacks in the report, cited above, are concerning, it is worth remembering that they don’t encompass undetected or unreported incidents. The true figures will therefore be even higher, potentially significantly so.

The survey paints a clear picture: cyber threats are becoming more targeted, more sophisticated, and more disruptive towards UK charities and it is crucial that safeguarding measures are adopted to better protect against threats.

As we have seen in recent high-profile incidents such as the cyber attacks against M&S, Co-op and Harrods, the consequences of a breach can be particularly damaging reputationally, operationally and financially. These consequences ring true in a charity context, where the stakes are high given the role that many charities play in delivering frontline services. These incidents serve as a critical reminder for all organisations of the importance of cyber security readiness.

Burness Paull’s leading cyber security, data protection and group litigation experts have significant experience in managing cyber security risks, including ransomware attacks, and best practices. Our team are on hand to support you on your cyber resilience journey, from implementing protective measures to handling a full-scale incident. Please get in touch with any of our team to discuss how we can help.

The team are also running their annual spring webinar series over the coming weeks, looking at current data governance issues. With a session on priorities of the ICO and navigating regulatory risk, it is a must attend for all organisations and charities handling sensitive and personal data. Find out more about the series and register your place here. 

Written by

Nick Warrillow

Partner

Dispute Resolution

nick.warrillow@burnesspaull.com +44 (0)131 473 6115

Emma Maxwell

Director

Third Sector & Charity

emma.maxwell@burnesspaull.com +44 (0)141 273 6797
