Membership Bodies and Cyber Risk: Why You are a Target

by Viki Asimov / Tuesday, 23 June 2026 / Published in Cyber Security

Most membership body leaders assume cybercriminals are interested only in banks, retailers, or large corporations. That assumption – understandable and logical but almost universally wrong – is why charities and membership organisations make such attractive targets.

They are targeted by cybercriminals because they hold large volumes of sensitive personal data, operate with lean (often inadequate) IT resources and volunteer access, and rarely have formal cybersecurity defences in place. The combination of valuable data and limited protection is not a gap that sophisticated attackers miss, and the organisations most at risk are rarely the ones that know it.

Only when you understand the logic of the threat can you create a response that is proportionate, practical, and grounded in what your organisation can actually do. Let’s start with what you’re holding.

You Hold More Than You Think

Leaders underestimate the value of the data they manage every day.

Consider what a typical membership organisation actually holds:

  • Full names and contact details
  • Professional qualifications and employment history
  • Payment card information or direct debit mandates for membership fees
  • Dates of birth, equality monitoring data, and health information collected for events or access requirements

For professional bodies and trade associations, there may also be disciplinary records, correspondence relating to complaints, and documentation of individual members’ legal or regulatory standing.

To a cybercriminal, this is not mundane administrative data. It’s a structured database of professionally verified identities, the kind of information that enables identity fraud, targeted phishing, and extortion. The NCSC’s Cyber Threat Report for the UK Charity Sector notes that charities are particularly attractive to attackers seeking financial gain because they hold valuable data while often operating without the cyber defences that commercial organisations of comparable size would have in place.

What makes this harder to grasp is that membership bodies don’t feel like data businesses. But from a data protection and cybersecurity perspective, they are running operations that would attract regulatory scrutiny if they were in a commercial context. The same obligations, and the same risks, apply.

Why Attackers Choose Easy Over Lucrative

One of the questions we hear most often is a version of: “Why would anyone bother with us?”

Cybercriminals, particularly those deploying ransomware or phishing campaigns at scale, are not worried about prestige. They’re optimising for effort versus return. A large bank is protected by multiple security teams, sophisticated monitoring tools, and massive investment in cyber resilience. A membership body with 3,000 members, two part-time staff, and a handful of volunteers running operations from personal laptops is a fundamentally different proposition.

According to the UK Government’s Cyber Security Breaches Survey 2025, 30% of UK charities reported experiencing a cyber breach or attack in the past year. This is about 61,000 organisations. The average cost of the most disruptive breach for a charity reached £8,690, though some organisations faced losses as high as £350,000. The Association of British Insurers reported that UK cyber insurance payouts jumped from £59 million in 2023 to £197 million in 2024, with ransomware and malware accounting for over half of all claims.

The logic of opportunistic cybercrime is straightforward: low resistance for real reward. A membership body that has never run a penetration test, has no incident response plan, and relies on volunteers to handle sensitive data access is a path of least resistance. Although the data has value, the defences are often minimal. That is what drives targeting decisions, not the headline name on the door.

The Three Threat Types That Matter Most

Not every cyber threat is equally relevant to membership bodies. What follows is a plain-English briefing on the three attack types that show up most consistently in the sector.

  • Phishing and business email compromise.
    This is by far the most common threat. Phishing attacks (emails designed to trick recipients into clicking malicious links, revealing passwords, or transferring money) accounted for 86% of the breaches reported by charities in the DSIT Cyber Security Breaches Survey 2025. Business email compromise, where an attacker impersonates a senior figure or trusted supplier to authorise a fraudulent payment, accounted for 35% of reported incidents. The NCSC documented a case in which a hospice in the West Midlands lost £17,000 to a single business email compromise incident. For a membership body operating on tight margins, that kind of loss is not a footnote – it’s a crisis.
  • Ransomware.
    Ransomware attacks encrypt an organisation’s files and demand payment for their release. They are less frequent than phishing but significantly more disruptive. The NCSC reported that a ransomware attack on the Edinburgh Festival Fringe Society cost £95,000 to resolve. For a membership body, the consequences extend beyond the financial as years of member records, event history, communications, and governance documentation can be destroyed or made inaccessible overnight. The operational disruption before any ransom is even considered can be enough to threaten an organisation’s continued functioning.
  • Data exfiltration.
    This is less visible than ransomware and involves an attacker quietly extracting information from systems over time without triggering obvious alarms. This is the threat that’s hardest to detect and, in GDPR terms, potentially the most consequential. If member data is accessed and exported without your knowledge, you have a reportable breach under the ICO’s 72-hour notification requirement, even if your systems never went offline.

Where the Gaps Usually Are

Vulnerabilities in membership bodies tend to follow a consistent pattern, regardless of size or sector.

  • Volunteer access on personal devices.
    Many membership organisations rely on volunteers to do the key work. Treasurers, committee members and event coordinators can access sensitive systems from their own laptops, tablets, and mobile phones. Those devices may have outdated software, no endpoint protection, and a history of personal browsing that creates additional risk. Imagine a volunteer treasurer accessing your membership database and finance system from a home laptop that hasn’t had a security update in two years. That’s not hypothetical; it’s a structural feature of how the sector operates.
  • No formal access controls.
    In organisations without dedicated IT support, access permissions often accumulate by default rather than by design. Former volunteers may still have live credentials, staff who’ve changed roles may retain access they no longer need, and systems purchased years ago may have default administrator passwords that were never changed. Each of these represents an open door.
  • Unpatched software and ageing infrastructure.
    Deferred IT investment creates a direct cybersecurity exposure. Software that hasn’t received security updates is software with known vulnerabilities, and attackers actively scan for organisations running unpatched systems; that scanning is one of the primary tools of automated threat campaigns.
  • No incident response plan.
    The DSIT survey found that board-level responsibility for cyber security is actively declining across the sector, and formal incident response plans remain rare in resource-constrained organisations. What this means in practice is that when something goes wrong, and eventually it probably will, the organisation has to make decisions in real time, under pressure and without a rehearsed process. That’s the worst possible moment to work out what to do.

What a Proportionate Response Looks Like

You do not need enterprise-level security to meaningfully reduce your exposure. 

Cyber Essentials certification is the natural starting point for any membership body. Developed by the UK government and certified by the National Cyber Security Centre, it covers the five foundational controls that address the majority of commodity cyber attacks:

  • Firewalls
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

Crucially, it also demonstrates to funders, insurers, and enterprise partners that your organisation has met a recognised standard, something increasingly expected in grant applications and procurement processes.

Staff and volunteer awareness training addresses the human layer, which is where most attacks succeed. Phishing and business email compromise work because people are deceived, not because technical defences fail. A simple, well-run awareness programme doesn’t require specialists to deliver it and reduces susceptibility significantly. The NCSC offers free resources specifically designed for small organisations and charities.

Access control and offboarding discipline. Every person with access to your systems should have the minimum permissions required for their role and nothing more. Every departure, whether staff or volunteer, should trigger an immediate access review. This is just good governance.
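The access review described here, together with the accumulated-permission problem noted above under "No formal access controls" (former volunteers with live credentials, role changes that keep old access, unchanged default administrator accounts), can be made routine with a short reconciliation script. The following is an added example, not Cardonet’s code or any product’s: it compares an export of system accounts against the current roster and a least-privilege role mapping. The roster, the role-to-permission mapping and the account export are constructed sample data, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Reconcile system accounts against the current staff/volunteer roster.

Added example (not Cardonet's code or any product's). The roster, the
role-to-permission mapping and the account export are constructed sample
data; the 90-day dormancy threshold is an assumed policy value.
"""
from datetime import date

# Constructed roster: every person who currently (or formerly) held a role.
# 'left' is the departure date, or None if still active.
ROSTER = {
    "a.treasurer": {"role": "treasurer", "left": None},
    "b.events":    {"role": "events",    "left": None},
    "c.former":    {"role": "treasurer", "left": date(2025, 11, 30)},
    "d.dormant":   {"role": "events",    "left": None},
}

# Assumed least-privilege mapping: the minimum each role needs and nothing more.
ROLE_PERMISSIONS = {
    "treasurer": {"finance:read", "finance:write", "members:read"},
    "events":    {"members:read", "events:write"},
}

# Constructed export of what the membership system actually grants today.
ACCOUNTS = [
    {"user": "a.treasurer", "perms": {"finance:read", "finance:write", "members:read"},
     "last_login": date(2026, 6, 20)},
    {"user": "b.events", "perms": {"members:read", "events:write", "members:export"},
     "last_login": date(2026, 6, 1)},
    {"user": "c.former", "perms": {"finance:read", "finance:write"},
     "last_login": date(2026, 2, 14)},
    {"user": "d.dormant", "perms": {"members:read"},
     "last_login": date(2026, 1, 5)},
    {"user": "admin", "perms": {"*"}, "last_login": date(2024, 1, 3)},
]

# Common vendor/default account names that should never remain enabled as shipped.
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root", "guest"}

AS_OF = date(2026, 6, 23)  # review date for the sample run


def review_access(accounts, roster, role_permissions, today, stale_days=90):
    """Return (user, finding) pairs for every account that needs attention."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user.lower() in DEFAULT_ACCOUNT_NAMES:
            findings.append((user, "default account still enabled; disable it or "
                                   "rename it and set a unique password"))
            continue
        person = roster.get(user)
        if person is None:
            findings.append((user, "no matching person on the roster; confirm owner or disable"))
            continue
        if person["left"] is not None:
            findings.append((user, f"holder left on {person['left'].isoformat()} "
                                   "but the account is still live; disable now"))
            continue
        # Least privilege: anything beyond the role's minimum is a finding.
        excess = acct["perms"] - role_permissions.get(person["role"], set())
        if excess:
            findings.append((user, f"permissions beyond role '{person['role']}': "
                                   f"{sorted(excess)}"))
        # A dormant account is a sign the access is no longer needed.
        if (today - acct["last_login"]).days > stale_days:
            findings.append((user, f"no login for over {stale_days} days; "
                                   "confirm the access is still required"))
    return findings


def run_sample_review():
    """Run the review over the constructed data as of AS_OF."""
    return review_access(ACCOUNTS, ROSTER, ROLE_PERMISSIONS, AS_OF)


if __name__ == "__main__":
    for user, finding in run_sample_review():
        print(f"{user:12} {finding}")
```

On the constructed data the script flags four accounts: the events coordinator holding an export right the role does not need, the departed treasurer whose account is still live, a dormant account, and a default administrator account. Running the same reconciliation after every departure, and on a fixed calendar cadence, is what turns the offboarding rule above into something verifiable rather than assumed.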

Managed IT support with security monitoring. For organisations without in-house IT capability, a managed service provider that includes security monitoring (watching for unusual activity, managing updates, and providing a response capability) fundamentally changes the risk profile. It means that the signals of an attack are less likely to go undetected until the damage is done.

Cybersecurity is a governance issue, not an IT afterthought.

Why This Matters

The consequences of a cyber incident reach well beyond the immediate disruption. For membership bodies, trust is key. Members share personal data, professional credentials, and financial information because they trust the organisation will protect it. A breach, especially a poorly handled one, can break that trust in ways that can take years to repair, if repair is even possible.

The ICO’s enforcement record shows that charities and membership bodies are not exempt from regulatory action. A failure to implement reasonable security measures, followed by a reportable breach, can result in formal reprimand, mandatory remediation, and in some cases financial penalty. The reputational damage of a public enforcement notice can be more damaging than the fine itself.

There is also the practical question of operational continuity. Many membership bodies are running processes, including financial administration, event management, and member communications, that depend entirely on systems that have never been properly assessed for resilience. If a ransomware attack takes those systems offline for a week, this is not a minor inconvenience. It can compromise annual conferences, disrupt renewal cycles, and leave the organisation unable to meet its obligations to members and funders.

The DSIT 2025 survey found that the average most-disruptive breach cost a charity £8,690. But averages obscure the range. Some organisations have absorbed losses in the hundreds of thousands. The asymmetry matters: the cost of basic prevention is modest; the cost of recovering from a significant incident is not.

Protecting Your Membership Body: Next Steps

The starting point is honest assessment. Most membership bodies have never had an independent review of their cyber posture, not because it’s expensive but because no one has pushed for it. That review is worth having before an incident makes it urgent.

Three things worth doing over the next 90 days:

  • Commission a basic security audit. Understand what access exists, where your data lives, what software is unpatched, and what gaps exist in your access control processes. A focused audit from a provider experienced with resource-constrained organisations will surface more than a self-assessment checklist.
  • Start the Cyber Essentials process. It’s the recognised baseline for UK organisations, it’s achievable without specialist staff, and it addresses the majority of commodity threats. Cardonet’s cybersecurity services include Cyber Essentials support designed for organisations at exactly this stage.
  • Put cybersecurity on the board agenda. This is not a technical item but a governance question: what data do we hold, who can access it, what would happen if we lost it, and what reasonable steps are we taking? That conversation, held annually, is one of the most cost-effective risk management decisions a membership body can make.

For a clearer picture of where your organisation stands right now, Cardonet’s cyber security audit provides an independent, plain-language assessment of your risk exposure without requiring technical knowledge to act on the findings. To find out more, contact us at cardonet.co.uk or call +44 203 034 2244.

FAQs: Cybersecurity for Membership Bodies and Charities

1. Are membership bodies and charities legally required to have cybersecurity measures in place?
Yes. Under UK GDPR and the Data Protection Act 2018, any organisation that processes personal data – which includes all membership bodies – is legally required to implement appropriate technical and organisational measures to protect that data. What counts as “appropriate” is assessed in proportion to the sensitivity of the data held and the resources available, but the obligation exists regardless of organisational size. Failure to meet this obligation and then experiencing a breach can trigger ICO enforcement action.

2. What is the most common type of cyber attack against charities and membership bodies?
Phishing is consistently the most prevalent threat. According to the UK Government’s Cyber Security Breaches Survey 2025, 86% of charities that reported a breach identified phishing as the attack vector. Business email compromise – a targeted form of phishing designed to impersonate trusted individuals and authorise fraudulent transactions – accounted for 35% of reported incidents.

3. What is Cyber Essentials, and is it suitable for small membership organisations?
Cyber Essentials is a UK government-backed certification scheme that covers five foundational security controls: boundary firewalls, secure configuration, access controls, malware protection, and patch management. It is specifically designed to be achievable by organisations without dedicated IT teams, and the NCSC offers a funded route for qualifying small charities. It is widely recognised by funders, insurers, and enterprise procurement teams as a baseline standard.

4. We rely on volunteers who use their own devices. How should we manage this risk?
Personal devices represent one of the most significant structural vulnerabilities in the membership body sector. The proportionate response involves a combination of policy and technical controls: a clear acceptable use policy covering what volunteers can and cannot access, multi-factor authentication on all systems they connect to, and, where possible, web-based access rather than direct system connections, which limits what can be exposed if a personal device is compromised. This doesn’t require expensive technology – it requires clear rules that are communicated and enforced during onboarding.

5. If we experience a cyber incident, what are our immediate obligations?
Under UK GDPR, if a personal data breach is likely to result in risk to individuals’ rights and freedoms, you must notify the ICO within 72 hours of becoming aware of it. If the breach is likely to result in high risk to individuals, you must also inform the affected individuals without undue delay. In parallel, you should isolate affected systems, preserve evidence, and engage your IT support provider to contain the incident. Having a simple, rehearsed incident response plan in place before something happens is significantly better than working this out in the moment.
