Fewer UK charities are treating cybersecurity as a priority, even as attacks grow more frequent. New government figures published on 29 May show cyber is now a high priority for senior managers at 60% of charities, down from 68% a year earlier. The Department for Science, Innovation and Technology (DSIT) calls the drop a significant decline.
The fall is sharpest among the smallest charities. For those with income under £100,000, board-level prioritisation dropped from 64% to 53%. That matters, because these are the organisations with the least slack to absorb a serious incident.
The survey is blunt about why this is a problem. It warns that less frequent board engagement limits the ability of security experts to influence strategy and secure investment. In plain terms: when cyber slips off the board agenda, the people who understand the risk lose the standing to do anything about it.
Charity board cyber risk – the threat hasn’t eased
The retreat in attention is not matched by a retreat in risk. Around 28% of charities reported a breach or attack in the past year — roughly 57,000 organisations. Phishing remains the dominant method, accounting for the vast majority of incidents. Some charities reported losing tens of thousands of pounds in a single attack.
The good news, such as it is: the percentage of charities experiencing a breach did fall slightly compared to the prior year. But the DSIT survey cautions against reading too much into that. Awareness of incidents may have decreased alongside prioritisation, meaning some breaches are going undetected or unreported rather than not happening at all.
Why smaller charities are most exposed
The pattern the survey describes is familiar to anyone who works with smaller charities. Cyber gets attention after a high-profile incident — a sector peer gets hit, a trustee reads something alarming — and then, as other pressures mount, it drifts back down the agenda.
Smaller charities are particularly vulnerable to this cycle. They typically lack a dedicated IT function, rely heavily on volunteers, and operate on tight budgets that make it hard to invest in controls or external advice. When cyber is nobody’s specific job, it’s easy for it to become nobody’s priority.
The survey notes that charities are less likely than businesses of similar size to have implemented basic hygiene measures — things like password policies, multi-factor authentication, and staff training. Not because trustees don’t care, but because nobody has the time or confidence to push it through.
A governance problem, not just a technology one
What makes the DSIT findings particularly interesting is how clearly they frame cybersecurity as a governance failure, not just a technical one.
The report specifically identifies reduced board engagement as the core problem. When trustees aren’t asking questions about cyber risk, the people who could act on it lose both the mandate and the budget to do so. It’s a structural issue: without sustained board-level focus, resilience is built on good intentions rather than good practice.
This is where a structured approach helps. A shared risk register keeps cyber threats in front of the whole board rather than buried in one person’s inbox, with owners and mitigations recorded in one place. Platforms built for smaller charities — Governance360 among them — bring the risk register, board papers and trustee training into a single system, so cyber stays on the agenda between meetings rather than resurfacing only after something goes wrong. Accredited director training also helps trustees who feel out of their depth on digital risk build enough confidence to ask the right questions.
None of that replaces good technical controls or expert advice. But it does address the specific weakness the survey identifies: the loss of sustained, high-level focus. Tools that make oversight routine are how charities stop attention from drifting.
The takeaway for trustees
The slightly encouraging news is that breach numbers dipped a little and high-profile attacks have pushed cyber up the agenda for some boards. The worrying news is that, for many smaller charities, attention and investment are heading the wrong way while attacks become more frequent.
Cyber resilience is built in the quiet periods, through habits and oversight, not in the scramble after an incident. For trustees, the question is simple: when did your board last review cyber risk, and who owns it now?
Sources
- Léa Legraien, “Concern as figures show fewer charities prioritise cybersecurity”, Civil Society, 29 May 2026: https://www.civilsociety.co.uk/news/concern-as-figures-show-fewer-charities-prioritise-cybersecurity.html
- Department for Science, Innovation & Technology, Cyber Security Breaches Survey 2025-26: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-20252026/cyber-security-breaches-survey-20252026
- Governance360 platform overview (board portal, digital risk register, director training): https://governance360.com/platform

