Fewer large charities taking action to prevent cyber-attacks, government warns

Fewer high-income charities are carrying out “cyber hygiene” to identify risks and prevent attacks, according to the government’s latest Cyber Security Breaches survey.

Interviews with charity representatives carried out for this annual survey “suggest this could be linked to budget constraints”.

The survey found that only three in four large charities are carrying out activities to identify cyber security risks, down from almost nine in ten last year.

Just over a fifth are reviewing immediate supplier risks, compared to more than a third last year.

Two in five have a formal cyber security strategy in place, down from almost a half in 2024.

Across the charity sector, just a third of organisations are insured against cyber security risks in some way, compared to almost half of businesses, who were also surveyed.

Despite the fall in preventative action, the proportion of charities impacted by cyber breaches and attacks has dipped slightly over the last year.

The survey found that 30% of charities are impacted by attacks and breaches. This is the equivalent of 61,000 charities and down on the 32% reporting breaches or attacks last year.

The findings for the 2025 survey are based on interviews carried out between August and December 2024.

Phishing remains most common risk

Attacks include phishing, where criminals attempt to steal money by sending fraudulent requests for financial and personal information. This year’s figures show that this continues to be “the most prevalent and disruptive type of breach or attack”, affecting 86% of charities that have experienced a cyber security incident.

Among businesses and charities that took part in the survey “interviews highlighted that phishing attacks were often cited as time-consuming to address due to their volume and the need for investigation and staff training”, according to the Department for Science, Innovation & Technology and the Home Office, which have published the survey.

Both charities and businesses are also reporting that criminals are using “increasingly sophisticated methods, such as AI impersonation”, which are “becoming mainstream”.

While the proportion of charities impacted has dipped, more are reporting negative outcomes, such as loss of money. This has increased from one in eight in 2024 to one in six in this year’s report.

Charities lost on average between £3,240 and £8,690 through the most disruptive breach they faced. But as the costs involved are self-reported estimates from charities, they “may represent an underestimation of full financial impact”, says the survey.


