Date updated: Wednesday 11th June 2025

Recent cyberattacks on major organisations such as M&S, Co-op, and the British Library serve as a stark reminder that no sector is immune from digital threats – including charities.

These incidents have led to significant data breaches, service disruptions, and reputational harm. In the case of the British Library, a ransomware attack caused a shutdown of digital services lasting several weeks and highlighted the operational impact that such breaches can have. The Information Commissioner’s Office (ICO) has since shared a lessons-learnt statement, published by the British Library, underlining the importance of maintaining robust backups and secure remote access protocols.

Charities often hold sensitive personal data and can be perceived as soft targets by cybercriminals. It’s essential that your systems are up to date, that staff are trained regularly to spot phishing attempts (new threats are emerging all the time), and that contingency plans, such as tested back-up systems, are put in place.

The ICO has practical guidance specifically aimed at protecting against ransomware attacks, as well as ‘Learning from the mistakes of others – a retrospective review’; both are useful for charities to read when considering how the lessons can be applied in their situation.

Charities should review cybersecurity as part of regular risk management processes. If your charity is affected by a cyber incident which results in significant loss of data, funds or service capability, this may constitute a serious incident under the Charity Commission’s guidance and must be reported promptly. Timely reporting and transparency are not only regulatory requirements but key to protecting trust and minimising harm.

Charities should carry out regular cyber risk assessments, review data protection policies, and ensure proper governance frameworks are in place. These types of risks should form part of the charity’s approach to risk management and should feature on your charity’s risk register as an active risk to be managed and minimised as far as possible.

At Stone King, we can assist with reviewing policies, incident response planning and compliance checks, which will help safeguard your charity’s mission and reputation. Take a look at ‘Information Law for Charities’.