Cyber Security Basics Every Charity Should Have in Place
The cyber security basics a charity of any size can put in place this month. No expensive tools, no security team required - the seven controls that block the attacks that actually happen to UK charities.
Cyber security in the charity sector is usually treated as either a wholly unaffordable problem (the language of penetration tests and security operations centres) or no problem at all (the silent assumption that small charities are not targets). Both framings are wrong. The attacks that hit UK charities are mostly opportunistic and mostly preventable with basics. The basics are not glamorous, but they are within reach of any team.
What follows is the seven-control baseline I recommend to every charity I work with. Each control is implementable without a security specialist, costs little or nothing, and blocks a specific attack pattern that the National Cyber Security Centre has seen in the sector.
Why charities are targeted
Three reasons charities are over-represented in the breach statistics relative to their size:
- They hold sensitive personal data (donor details, beneficiary records, sometimes health or safeguarding information).
- They move money in patterns attackers find readable (large donations, regular grant payments).
- They tend to under-invest in IT and over-rely on volunteer or generalist staff to manage it.
None of these are reasons to despair. They are reasons to invest in the basics that disproportionately reduce risk.
The seven controls
1. Multi-factor authentication on every account
If you do one thing this month, do this. Turn on MFA across every email account, your CRM, your finance system, your cloud storage, and your website admin. Authenticator apps are stronger than SMS codes (which can be intercepted by SIM-swap fraud), and both are far stronger than a password alone. Where a platform offers passkeys or a hardware security key, prefer them: a six-digit code can be typed into a fake login page and relayed by the attacker, whereas a passkey is bound to the real site and cannot be phished that way.
MFA defeats the large majority of password-based account takeovers (credential stuffing and password spraying with leaked or guessed passwords), which are among the most common ways into a charity's email. It is free on every mainstream platform. The only barrier is that nobody has scheduled the 90-minute Friday afternoon to turn it on. Once it is on, check the exceptions: shared mailboxes, the emergency admin account, and any old account still set to "MFA optional" are exactly where an attacker goes next.
2. A password manager for the whole team
Bitwarden, 1Password, Dashlane - any reputable option will do. Free or low-cost charity tiers exist for all of them. The benefits are practical: unique passwords per account, secure sharing of shared credentials, and an audit trail, so that when someone leaves you can see exactly which shared logins they held and rotate them. Protect the manager itself with a long passphrase and MFA; it becomes the one account most worth attacking.
Without a password manager, your team is reusing passwords or storing them in browsers, spreadsheets, or Post-it notes. Every one of those storage methods has been the entry point for real charity breaches.
3. Patched and updated devices
Set every laptop, phone and tablet to install operating system updates automatically. Same for browsers. Same for the apps the team relies on. Most breaches that exploit a software vulnerability use one for which a patch has been available for months or years: attackers scan automatically for known, unpatched flaws rather than discovering new ones. Retire devices and operating systems that no longer receive updates at all (Windows 10 stopped receiving them in October 2025); an unsupported machine cannot be patched however diligent the team is.
Make patch compliance part of new starter onboarding and quarterly reviews. "Are your devices up to date?" is a sensible standing question for the operations meeting.
4. Email filtering that actually filters
Microsoft 365 and Google Workspace both include strong anti-phishing filters. Turn them on at the highest reasonable setting, and enable the external-sender banner so staff can see at a glance that a "message from the CEO" came from outside. Then configure your domain's SPF, DKIM and DMARC records so attackers cannot easily spoof your charity's email address to your own staff or supporters: SPF lists the servers allowed to send as your domain, DKIM signs each message so tampering can be detected, and DMARC tells receiving mail servers what to do with messages that fail both checks and where to send reports.
SPF and DMARC are 30 minutes of work for someone with DNS access; DKIM takes a little longer because you switch on signing in your email provider and publish the key it gives you. Two caveats. A DMARC record with p=none only reports, it blocks nothing, so start there, read the aggregate reports for a few weeks to catch a legitimate sender you forgot (the fundraising platform, the newsletter tool), then move to p=quarantine and finally p=reject. And an SPF record that ends in +all authorises everyone, while one with no "all" clause provides no protection. Done properly, these records prevent your charity's domain being used in spoofed emails sent to your own donors - one of the more painful attack patterns when it succeeds. They do not stop lookalike domains (your-charity.co instead of .org.uk), which is why the staff training below still matters.
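As an added example (not code from the original article), the check below reads the SPF and DMARC records a domain has published and reports the weak settings described above: a p=none policy, a softfail or +all SPF terminator, a missing rua= address, and a missing DKIM selector. The three domains and their records are constructed for illustration; in practice you would paste in the output of `dig TXT your-domain` and `dig TXT _dmarc.your-domain`, or look up the records with a DNS library. The DKIM selector name comes from your email provider, so the example only records whether one is present.

```python
"""Evaluate published SPF and DMARC records against the baseline in this article.

Added example, not code from the original article. The records below are
constructed for illustration (the *.example.org.uk domains are placeholders).
"""

import re

# Constructed sample records for three hypothetical domains.
SAMPLE_RECORDS = {
    "good.example.org.uk": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example.org.uk; pct=100",
        "dkim_selector_present": True,
    },
    "weak.example.org.uk": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none",
        "dkim_selector_present": False,
    },
    "broken.example.org.uk": {
        "spf": "v=spf1 +all",
        "dmarc": None,
        "dkim_selector_present": False,
    },
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_terminator(record):
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?', '+' or None if absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return None
    return match.group(1) or "+"  # a bare 'all' means '+all'


def assess_domain(spf, dmarc, dkim_selector_present):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []

    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record - receivers cannot tell who may send as this domain")
    else:
        qualifier = spf_terminator(spf)
        if qualifier == "+":
            findings.append("SPF: ends in +all - record authorises every sender")
        elif qualifier is None:
            findings.append("SPF: no 'all' clause - record provides no protection")
        elif qualifier == "~":
            findings.append("SPF: softfail (~all) - acceptable while testing, move to -all")

    if not dkim_selector_present:
        findings.append("DKIM: no selector record published - enable signing in your email provider")

    if not dmarc:
        findings.append("DMARC: no record - receivers will not act on SPF/DKIM failures")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine - good; move to p=reject once reports are clean")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address - you will not receive aggregate reports")
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC: pct={pct} - policy applied to only part of the mail")

    return findings


def assess_all(records=SAMPLE_RECORDS):
    """Assess every domain in `records`; returns {domain: [findings]}."""
    return {domain: assess_domain(r["spf"], r["dmarc"], r["dkim_selector_present"])
            for domain, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(domain, "- OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Run it as-is to see the three sample verdicts; replace the sample records with your own domain's to check your real configuration. The script deliberately treats p=none as a finding even though it is the correct first step, because the point of the six-month review is to notice when a domain has been left at p=none for a year.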
5. Backups that are tested, not just configured
Microsoft 365 and Google Workspace keep deleted items and old versions for a limited time, but that is retention, not a backup: an attacker with access to the account, or a ransomware infection on a synced laptop, can delete or encrypt the data and the synced copies alike, and once the retention window passes the data is gone. Maintain a separate backup of the data that matters most (CRM, finance, key documents) that cannot be reached with the same login - an export to an encrypted external drive kept off-site, or a backup service with its own credentials and MFA - and test the restore once a quarter.
A backup that has never been restored is a hope, not a backup. The first time you test a restore is the time you discover whether your real recovery time is two hours or two weeks, whether the export actually contains the donor records or only a list of them, and whether anyone still knows the passphrase for the encrypted drive.
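The quarterly restore test can be scripted so it is actually run. As an added example (not code from the original article), the script below backs up a folder, restores the archive into a fresh directory, and compares a SHA-256 hash of every file against what the source held at backup time, so a file the backup job silently skipped or corrupted shows up as a failure rather than a green tick. The sample folder (a two-file CRM export) is constructed in a temporary directory so the drill runs offline; the `misconfigured_exclude` switch simulates a mistaken exclusion rule, one of the common ways a "configured" backup misses data. Point `back_up` and `restore_and_verify` at your real export to run the real drill.

```python
"""Restore drill: back up a folder, restore it somewhere fresh, and prove the
restored files are byte-for-byte identical to what was backed up.

Added example, not code from the original article. The sample data is
constructed inline; replace it with your real export to run a real drill.
"""

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of one file, read in chunks so large exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map each file's path relative to `root` (POSIX form) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def back_up(source_dir, archive_path, exclude=None):
    """Archive source_dir as a .tar.gz and return the manifest of what the source held.

    `exclude` is an optional predicate on the path inside the archive. A mistaken
    exclude rule is exactly the kind of silent failure the restore check must catch.
    """
    def keep(tarinfo):
        return None if (exclude and exclude(tarinfo.name)) else tarinfo

    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".", filter=keep)
    return manifest(source_dir)


def restore_and_verify(archive_path, expected):
    """Restore into a fresh directory and compare against the manifest taken at backup time.

    Returns (ok, problems); problems lists files missing from or altered in the restore.
    """
    # Use the safe extraction filter where this Python version supports it
    # (refuses absolute paths and '..' traversal inside the archive).
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(restore_dir, **extract_kwargs)
        restored = manifest(restore_dir)

    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    return (not problems), problems


def run_drill(misconfigured_exclude=False):
    """Full drill on a constructed sample folder (hypothetical CRM export).

    misconfigured_exclude=True drops the grants CSV from the archive, simulating a
    backup that was 'configured' but never actually captured the finance data.
    """
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "crm-export"
        (source / "grants").mkdir(parents=True)
        (source / "donors.csv").write_text("id,name,email\n1,A Donor,a@example.org\n")
        (source / "grants" / "2026-q1.csv").write_text("grant,amount\nG1,5000\n")
        archive = Path(work) / "crm-export.tar.gz"

        exclude = None
        if misconfigured_exclude:
            exclude = lambda name: "/grants/" in name and name.endswith(".csv")

        expected = back_up(source, archive, exclude)
        return restore_and_verify(archive, expected)


if __name__ == "__main__":
    for simulate_failure in (False, True):
        ok, problems = run_drill(misconfigured_exclude=simulate_failure)
        print("restore OK" if ok else "restore FAILED: " + "; ".join(problems))
```

Record the date and the result of each run in the operations log; that is the evidence the trustees ask for in the six-month review. For a real drill, restore into a machine other than the one the backup was taken from, because the question being answered is whether the data comes back somewhere new, not whether it still exists where it started.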
6. Staff training that is annual and brief
A one-hour training session for the whole team, once a year, covering: how to spot phishing emails, how to handle suspicious payment requests (any change to a supplier's or grantee's bank details is confirmed by phone on a number you already hold, never one given in the email), what to do if a device is lost, and how to report a suspected breach. Add a 15-minute refresher every six months.
The training does not need to be expensive. The NCSC publishes free materials. The discipline is having it scheduled and attended, not the production value.
7. A written incident response plan
Two pages. Who to call, in what order, when something goes wrong. Who has authority to disconnect systems. Who notifies the chair, the ICO, the bank. Where the printed contact list lives (because if you are mid-breach, you may not have email).
Most charities never need to use the plan. The ones who do are profoundly glad it exists. The plan is the cheapest insurance you will ever buy.
What to skip in year one
Three over-bought controls that frequently appear in proposals to charities and rarely justify their cost at the basic stage:
- Endpoint detection and response (EDR) suites at enterprise price points.
- Penetration testing without remediation budget. A test that finds 30 issues you cannot afford to fix is a paper trail of liability.
- Bespoke security awareness platforms. NCSC free materials are perfectly adequate at this baseline.
How to know if you are doing enough
Three questions for the senior team and trustees, every six months:
- Is MFA turned on for every account that handles money or personal data? If no, that is the next action.
- When did we last successfully restore a backup? If "never" or more than three months ago (the quarterly test has been missed), schedule a test now.
- Could the team name the steps to report a suspected breach without reading the document? If no, run a short tabletop exercise.
If the answers to all three are yes, you are ahead of most of the sector. If any are no, you have a clear next action.
Cyber security is the rare governance topic where the basics genuinely deliver most of the protection. Charities that have the basics in place sleep better and recover faster than the ones still planning their first big investment.
The 30-day baseline implementation
- Week 1: Enable MFA across every account. Roll out a password manager. Audit email security settings.
- Week 2: Confirm device patching for the whole team. Set SPF, DKIM, DMARC. Schedule first backup restore test.
- Week 3: Deliver the one-hour staff training. Distribute the incident response plan as a printed document.
- Week 4: Brief the senior team and chair on the new baseline. Diary the six-month review.
Thirty days. Negligible spend. The charity's exposure to the opportunistic attacks that actually happen in the sector substantially reduced. The trustees will appreciate the discipline as much as the IT supplier will.
Further reading
- The State of Charity Tech, 2026
- Setting Strategy With a Small Team
- The Trustee Onboarding Pack New Trustees Actually Read
Frequently asked questions
Do we need a dedicated cyber security tool to be safe?
No. Almost every successful charity-sector attack relies on missing basics (weak passwords, unpatched software, untrained staff) rather than gaps a paid tool would have caught. Spend on basics first, tools second.
Should we get Cyber Essentials certification?
Not a legal requirement for most charities, but increasingly expected: some government contracts that involve personal or sensitive data, NHS work and grant programmes ask for it. Even if you never need the badge, Cyber Essentials is a useful forcing function, because its five technical controls (firewalls, secure configuration, access control including MFA, malware protection, and keeping software updated) codify the same basics as this article.
What do we do if we are attacked?
Disconnect the affected machine from the network (unplug the cable, turn off Wi-Fi) but do not wipe or reinstall it yet, so that evidence survives; change the passwords and sign out the sessions of every account that machine was logged into; and do not pay any ransom. Then report it: in the UK that means Action Fraud (Police Scotland if you are in Scotland) and the National Cyber Security Centre's incident reporting service, and the ICO within 72 hours of becoming aware if personal data is involved and the breach is likely to put people at risk. Have the incident response template printed and findable before you need it.
Sources
External references used in this article. Links open on the original publisher’s site.
- NCSC: Small Charity Guide - National Cyber Security Centre · Accessed 21 May 2026
- Cyber Essentials - National Cyber Security Centre · Accessed 21 May 2026
- ICO: Personal Data Breaches - Information Commissioner's Office · Accessed 21 May 2026