Cybersecurity for charities in 2026: What your organisation should be thinking about

By Darren Slade
January 7, 2026

Charities are embracing digital tools faster than ever, from cloud accounting to donor management platforms. But as your tech stack grows, so does your cyber risk. Here's what mid-market nonprofits need to know to protect their data, their donors and their hard-won reputations in 2026 and beyond.

We know you're already stretched. Budgets are tight, teams are small and you're juggling compliance, fundraising and delivery. The last thing you need is another thing to worry about.

But cybersecurity isn't optional anymore. Recent headlines tell the story: ransomware attacks have affected big-name organisations like M&S and Jaguar Land Rover as well as countless smaller organisations. Such attacks can lock organisations out of their own systems, expose sensitive information and take months and a lot of money to put right.

 

For charities, the stakes are even higher. A cyber incident can shatter the trust that donors, beneficiaries and funders place in you. And once that trust is lost, it's incredibly hard to rebuild.

Your people are your first line of defence

Cyber criminals rely on human weakness as much as technical vulnerability for their attacks to work. Someone has usually clicked a dodgy link, reused a password or ignored an update notification.

 

Here are the most common ways cybercriminals get in through your team:

  1. Phishing attacks. Someone receives an email that looks legitimate, clicks a link, and suddenly a hacker has access. This is by far the most common attack method facing charities.
  2. Skipping two-factor authentication (2FA). We'll explain this properly below, but in short: if you're not using it, you're leaving the door wide open.
  3. Delaying software updates. Restarting your laptop when you're mid-task is annoying but those updates patch vital security holes.
  4. Clicking unknown links or attachments. Sometimes out of genuine ignorance, sometimes because people assume their antivirus will catch everything. (It won't.)
  5. Reusing passwords everywhere. If one account gets hacked, suddenly all your accounts are compromised too.
  6. Sharing passwords across the team. This happens more than you'd think, especially with shared inboxes or donor databases. It's a security nightmare and makes it nearly impossible to track who did what.
  7. Leaving screens unlocked in public places. Whether that's a cafe, a train, or even your own office when volunteers are in.
  8. Not reporting incidents quickly. If someone suspects something's wrong, they need to flag it immediately. Under UK GDPR, delays can increase penalties significantly.

The best way for an organisation to arm itself against cyberattacks is to train its teams, build a culture of awareness and respond quickly when things go wrong.

AI tools: helpful, but handle with care

Many charities are exploring AI – whether that's using ChatGPT to draft a funding bid or tapping into AI features built into your CRM or finance system. These tools can be transformative, but they also introduce new risks.

 

Most AI platforms live in the cloud, which means the same security basics apply: use strong passwords, enable two-factor authentication, and limit who has access.

 

One of the biggest risks with AI is accidentally uploading sensitive information. Staff might paste donor details, beneficiary case notes, or financial data into an AI tool without realising that information could be used to train future AI models. If that data isn't properly anonymised, it could potentially be exposed to others. And if the data relates to identifiable individuals, you could be in breach of UK GDPR.

 

With tools like ChatGPT and Claude AI, the default setting is that whatever you type can be used for training (though you can turn this off manually).

 

What to do:

  • Check the privacy settings on any AI tool your team uses.
  • Look for transparency about how your data is used.
  • Only work with providers who have a clear, ethical AI policy.
  • Train your team not to upload confidential donor, beneficiary, or financial information without checking first.

At iplicit, we take data ethics seriously. We recommend nonprofits ask tough questions about how any technology partner handles AI, especially when trust and donor confidence are on the line.

Two-factor authentication explained (it's simpler than it sounds)

If there's one thing you do after reading this article, make it this: turn on two-factor authentication (2FA) everywhere. It sounds technical, but it's genuinely straightforward – and it's one of the highest-impact protections you can deploy.

 

Here's how it works: when you log in to an app or service, you enter your username and password as usual. Then you're asked for a second code, usually six digits. This code is either texted to you, emailed to you or generated by an app on your phone. Even if a hacker somehow steals your password, they still can't get in without that second code – which only you have.

 

You'll find 2FA protecting everything from Gmail to cloud accounting platforms (including iplicit). If a service stores your data and doesn't offer 2FA, that should raise a red flag.

 

The gold standard is to use an authenticator app on your phone. Google and Microsoft both offer free ones, and they work across all your apps and services. Set it up once, and you've made your charity significantly harder to hack.

A practical cybersecurity checklist for your charity

We know you don't have unlimited time or budget. So here's where to start, focusing on practical, achievable steps.

 

1. Train your team (it doesn't have to be expensive)

Simple, regular training can make a huge difference. For charities, this might look like:

  • Watching a relevant YouTube video together in a team meeting, then discussing it.
  • Running a free online course (many are available from the National Cyber Security Centre).
  • Adding basic cybersecurity awareness to your onboarding checklist for new staff and volunteers.

 

2. Run a simple cyber risk check

You don't need a full audit. Just ask yourself these questions:

  • Who has access to which systems? Does everyone actually need the level of access they have?
  • Is 2FA turned on for every user and every account? And are you using authenticator apps?
  • How are passwords managed? When did your team last change critical passwords?
  • Does your team know what to do if something goes wrong? This should be written down, especially given the risk of GDPR fines. Your insurance provider may require it too.
  • Is anyone using outdated devices? For example, Windows 10 stopped receiving security updates in October 2025.
  • Are people using personal devices for work? This can create security gaps.
  • Are you using VPNs or personal hotspots when working remotely? Public Wi-Fi is convenient but risky.

Final thoughts

Cyber criminals often target smaller organisations precisely because they have fewer resources to defend themselves. Charities are no exception. Educate your team, build awareness, and create a culture where reporting a suspected issue is encouraged, not feared.

 

You don't need to become a cybersecurity expert overnight. You just need to start the conversation, take a few practical steps, and keep security on your radar as your organisation grows.

 

And if you're looking for a finance platform that takes security as seriously as you do, we'd be happy to talk.
