Cyber Security for Charities: 3 Risks Trustees Should Not Ignore in 2026

Feb 4, 2026
Author: Matt Bruce

Matt Bruce

Managing Director of Bruce & Butler

matt@bruceandbutler.com

Simon Bladen

Partner

slb@hawsons.co.uk

As a trustee, you're used to keeping a close eye on governance, finance, and compliance. But how often does cyber security come up in board discussions?

Charities are becoming increasingly vulnerable to cyber-attacks. Not because they are high-value targets, but because many rely on under-protected systems, hold sensitive data and depend on external providers. If something goes wrong, the consequences can be serious, both financially and reputationally.

Here are three cyber risks worth raising at your next board meeting.

 

1. Supply Chain Risks: Your Partners Could Be the Weak Point

Many charities use third-party platforms or outsourced IT services to manage fundraising, communications, or even day-to-day operations. If one of those suppliers is compromised, your charity could be exposed and, in some cases, held responsible.

What should trustees do?

  • Perform risk-based cyber security due diligence on suppliers
  • Review contracts and data-sharing agreements regularly
  • Make sure supplier risk is included in the board’s risk register

 

2. Email Phishing is Becoming More Sophisticated and Harder to Spot

Attackers are now using artificial intelligence to create highly convincing emails that imitate the tone, style, and even language of real individuals. These emails often appear to come from senior leadership teams or a fellow trustee. A single message could lead to a payment being made or personal data being leaked.

We’ve seen examples where charities have lost thousands after responding to what seemed like a genuine request.

What should trustees do?

  • Ensure Multi-Factor Authentication (MFA) is enabled, where available
  • Encourage staff and volunteers to question anything unusual and make direct contact for confirmation
  • Offer short, practical cyber awareness training internally across the organisation

 

3. Cyber Essentials for Charities: A Simple but Effective Step

Cyber Essentials is a government-backed scheme that protects against the most common cyber threats. It also includes cyber insurance and helps demonstrate good governance to regulators and supporters.

It is not expensive or overly technical, and it is one of the most practical steps your board can take to improve security and resilience.

What should trustees do?

  • Ask your IT provider or CEO about Cyber Essentials certification
  • Add cyber security to your next board agenda if it is not already in place
  • Treat it as part of your wider risk and compliance framework

Find out more about Cyber Essentials on Bruce & Butler's website.

 

Need a Second Opinion or Some Straightforward Advice?

Cyber security is no longer just an IT issue. It is a governance issue, a risk issue, and for many charities, a reputational issue too. As a trustee, you are not expected to be an expert, but you do need to make sure the right questions are being asked.

At Bruce & Butler, we support charities across the UK with clear, practical cyber advice. No jargon. No scare tactics. Just what you need to protect your organisation and focus on your mission.

If you would like to get in touch, call Bruce and Butler on 0800 999 5550 or visit: https://www.bruceandbutler.com/
