Concern has been expressed over new government figures showing a reduction in the proportion of charities deeming cybersecurity a high priority.
The Department for Science, Innovation & Technology’s cybersecurity breaches survey for 2025-26 shows that cybersecurity was considered a high priority for senior management in six in 10 charities (60%).
This is a “significant decline” from the 68% recorded in 2024-25, and was driven by smaller charities (income of less than £100,000), whose prioritisation fell from 64% to 53%.
The survey says the decrease is concerning because “less frequent board engagement limits the ability of security experts to influence strategy, secure investment, and drive the adoption of National Cyber Security Centre guidance”.
“It suggests that despite cybersecurity being a stated priority, the sustained, high-level focus required to build true organisational resilience is waning,” it says.
Phishing attacks most prevalent
The latest research – based on a survey and interviews with 1,085 charities between August and December 2025 – finds that 28% of respondents experienced a cybersecurity breach or attack in the last 12 months.
This is a decrease from last year’s 30% and equates to around 57,000 charities across the UK.
Phishing attacks remained the most prevalent type of breach or attack, experienced by 25% of charities and described as the most disruptive type of breach or attack (69% of charities that experienced a breach or attack).
Among those that experienced a breach or attack, the proportion experiencing only phishing attacks rose from 46% last year to 57% this year.
The report says there was a “significant increase” in the proportion of charities experiencing cyberbreaches or attacks weekly or more, from 18% in 2024-25 to 26% in 2025-26.
Increase in cybercrimes
Some 14% of respondents said they had been victims of at least one cybercrime (a subset of cyber breaches and attacks) in the past year, equating to around 28,000 charities nationally.
Phishing cybercrime remained the most prevalent type of cybercrime, accounting for 95% of charities that experienced a cybercrime.
The report estimates that UK charities experienced around 525,000 cybercrimes of all types in the last 12 months, compared to 453,000 the year before, with the vast majority of these related to phishing.
It warns of “a high level of repeat victimisation amongst some organisations experiencing cybercrime”.
Hacking cybercrime among charities experiencing cybercrime fell from 17% in 2024-25 to 4%, while ransomware cybercrimes increased from less than 0.5% to 1%.
Fewer impersonation breaches or attacks
The proportion of respondents experiencing impersonation breaches or attacks fell (7%, down from 11% in 2024-25 and 12% in 2023-24), as did takeovers (1%, down from 3% in 2024-25).
Meanwhile, 22% of charities held personal data unprotected by techniques such as anonymisation or encryption.
The report says recent high-profile cyberattacks in the media have moved the perception of risk up the agenda within respondents’ organisations.
However, it finds that the proportion of charities running staff training and awareness-raising activities fell year on year from 21% to 17%, driven by a decline among smaller charities from 18% to 13%.
There was a “significant decline” for smaller charities seeking external guidance, from 32% to 21%.
Around a third of charities reported being insured against cybersecurity risks in some way.
Respondents’ cybersecurity insurance tended to be part of a wider insurance policy, with only 5% having a specific cybersecurity insurance policy.
Over a third (34%) of those without cyberinsurance cited it not being a budgetary priority, while 24% reported a lack of awareness and interest in it.
