Cyber Security for UK Charities and Non-Profit Organisations
Why charities are increasingly targeted, what the Charity Commission expects, and how to protect donor data and restricted funds on a limited budget.
Why charities are actively targeted
It might seem counterintuitive, but charities are disproportionately targeted by cybercriminals. The reasons are straightforward: charities often have limited IT budgets and expertise, they handle significant financial flows including donations and grants, they hold sensitive beneficiary data, and they have high staff and volunteer turnover that creates access control challenges.
The NCSC's Cyber Security Breaches Survey consistently shows charities experiencing higher rates of cyber incidents than similarly sized private sector organisations. The reputational and financial consequences of a breach for a charity — loss of donor trust, regulatory scrutiny, diversion of restricted funds — can be existential.
Charity Commission expectations
The Charity Commission requires trustees to protect charity assets — and in the digital age, data and systems are assets. Trustees have a duty to:
- Ensure the charity has appropriate cyber security measures in place
- Report serious cyber incidents to the Charity Commission as a serious incident
- Protect donor and beneficiary data under UK GDPR
- Have controls in place to prevent fraud and financial loss
The Commission has made clear that trustees cannot delegate responsibility for cyber security — even if day-to-day management sits with staff or volunteers, trustees must ensure adequate controls are in place.
The most common threats for charities
CEO fraud targeting finance staff
Attackers impersonate the CEO or a trustee to instruct finance staff to make urgent bank transfers. Charities are particularly vulnerable because of the trust placed in senior figures and the urgency sometimes associated with funding deadlines.
Donation platform fraud
Attackers create fake donation pages impersonating your charity, diverting donations intended for you.
Ransomware
Charities often have poor backup practices and limited IT support, making them vulnerable to ransomware and slow to recover.
Beneficiary data breaches
Many charities hold sensitive data about vulnerable beneficiaries — mental health service users, domestic abuse survivors, people in financial difficulty. A breach of this data can directly harm the people you exist to help.
Volunteer and staff account takeover
High turnover and the use of personal devices and personal email accounts by volunteers create significant access control challenges.
Security on a limited budget
Good news: the most important security controls are free or very low cost. For charities with limited budgets, the priority order is:
MFA on email and cloud services — free
Enable two-step verification on Microsoft 365 or Google Workspace. Both offer free or discounted licences to registered charities. This is your most important control.
Individual accounts, remove access promptly — free
Every staff member and regular volunteer needs their own account. Remove access immediately when someone leaves — this is a significant risk for organisations with high turnover.
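A leaver review is easy to describe and easy to let slip, so a regular reconciliation of the leavers list against the accounts that are still enabled is worth automating. The script below is an added example written for this page, not a tool from the original article; the account and leaver records are constructed sample data standing in for an export from Microsoft 365 or Google Workspace and an HR leavers list. It flags accounts still enabled after someone has left, shared or generic logins that cannot be attributed to one person, and accounts with no recent sign-in that should be reviewed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    """One login from a cloud directory export (constructed shape, not a real export format)."""
    username: str
    enabled: bool
    last_login: Optional[date]  # None means the account has never signed in
    shared: bool                # True for a generic mailbox several people use


@dataclass
class Leaver:
    """One entry from the HR leavers list (assumed input, constructed for this example)."""
    username: str
    left_on: date


def stale_access_report(accounts: List[Account], leavers: List[Leaver], today: date,
                        grace_days: int = 0, inactive_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, reason) findings for accounts that need attention."""
    left_by = {lv.username: lv.left_on for lv in leavers}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already handled
        if acct.username in left_by:
            days = (today - left_by[acct.username]).days
            if days > grace_days:
                findings.append((acct.username, f"still enabled {days} days after leaving"))
            continue
        if acct.shared:
            findings.append((acct.username, "shared/generic account: actions cannot be attributed to one person"))
        if acct.last_login is None or (today - acct.last_login).days > inactive_days:
            findings.append((acct.username, f"no sign-in for over {inactive_days} days: review whether still needed"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Run the report over constructed sample data as of a fixed date."""
    today = date(2024, 6, 1)
    accounts = [
        Account("alice", True, date(2024, 5, 30), False),   # active staff member, fine
        Account("bob", True, date(2024, 3, 1), False),      # left in March, never disabled
        Account("carol", False, date(2024, 2, 10), False),  # leaver, correctly disabled
        Account("finance", True, date(2024, 5, 31), True),  # shared finance mailbox
        Account("dave", True, None, False),                 # volunteer account never used
        Account("erin", True, date(2024, 1, 15), False),    # no sign-in since January
    ]
    leavers = [Leaver("bob", date(2024, 3, 15)), Leaver("carol", date(2024, 2, 12))]
    return stale_access_report(accounts, leavers, today)


if __name__ == "__main__":
    for username, reason in run_sample():
        print(f"{username}: {reason}")
```

Run it monthly against a fresh directory export and hand the output to whoever owns offboarding; the trustees' oversight evidence is the dated report plus a note of what was done about each line.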
Automatic updates — free
Turn on automatic updates on all devices. This closes the majority of vulnerabilities attackers exploit.
Payment verification procedure — free
A written policy requiring phone verification of any payment instruction received by email. Prevents CEO fraud and invoice fraud.
Cloud backups — low cost
Most cloud services offer backup options. Microsoft 365 Backup or Google Workspace backup features are often included or low cost.
Cyber Essentials certification — subsidised for charities
IASME offers subsidised Cyber Essentials certification for small charities. The formal certificate demonstrates to funders and donors that you take security seriously.
Our 10-minute security assessment covers all five Cyber Essentials areas and produces a professional report trustees can use to demonstrate their oversight of cyber security to the Charity Commission and major funders.
Find out where your business stands
Complete our 10-minute plain-English assessment and get a professional security report aligned to Cyber Essentials.
Start Your Free Assessment → £49 for the full report · No account required