6 April 2026 · 8 min read · Arviteni
Charities handle sensitive data on a tight budget, making them prime cyber targets. Here's what Cyber Essentials certification involves, what the Charity Commission expects, and how to get there without breaking the bank.
In 2024, the NCSC's annual Cyber Breaches Survey found that 32% of charities had identified a cyber security breach or attack in the previous 12 months. For larger charities with annual income above £500,000, that figure rose to 66%. The most common attack vector was phishing — fraudulent emails designed to trick staff into revealing credentials or transferring funds.
Charities are attractive targets. They hold donor financial data, beneficiary personal information, safeguarding records, and volunteer details. They often operate with small IT teams (or none at all), limited budgets, and a culture that prioritises mission delivery over infrastructure. Cyber criminals know this.
Cyber Essentials is the UK government's baseline cybersecurity certification. It is achievable for organisations of any size, costs from £300 for the basic certification, and is increasingly expected by funders, partners, and the Charity Commission itself.
The Charity Commission's guidance CC8 ("Internal Financial Controls for Charities") explicitly addresses cybersecurity as part of trustees' duty to safeguard charity assets. Trustees have a legal duty to protect the charity's data and systems. A serious data breach that results from negligence — no MFA, unpatched systems, shared passwords — is a governance failure that the Commission can investigate.
In its 2024 annual report, the Charity Commission noted a rise in cyber-related serious incident reports. The Commission expects charities to take "proportionate steps" to protect against cyber threats. Cyber Essentials certification is the clearest way to demonstrate that you have done so.
Government grants and contracts increasingly require or prefer Cyber Essentials certification. The DCMS (now DSIT) requires Cyber Essentials for any organisation bidding for government contracts that involve handling sensitive or personal data. This extends to charities delivering public services on behalf of local authorities or government departments.
Major grant-making trusts are beginning to ask about cybersecurity in application forms. The National Lottery Community Fund, for example, asks applicants about data protection practices. While they do not yet mandate certification, the direction of travel is clear.
Cyber insurance premiums have risen sharply across all sectors. Insurers now routinely ask about MFA, backup procedures, and patch management as part of the underwriting process. Charities with Cyber Essentials certification typically receive lower premiums and broader coverage. Some insurers now require certification as a condition of cover.
A data breach at a charity is not just a technical incident — it is a trust crisis. Donors trust charities with their financial information. Beneficiaries trust charities with their most sensitive personal data. Volunteers trust charities with their contact details. A breach that exposes this data can cause lasting reputational damage that directly affects fundraising, volunteer recruitment, and beneficiary engagement.
For charities working with vulnerable people — domestic abuse survivors, refugees, people with mental health conditions — a data breach can put lives at risk. The stakes are not theoretical.
Five technical controls. None require specialist equipment or enterprise-grade budgets:
1. Firewalls. Your internet connection must be protected by a properly configured firewall. For most charities, this means your office router is configured correctly and any cloud services have appropriate access controls. If staff work remotely (as most charity workers now do), their home routers or VPN connections need to be covered too.
2. Secure configuration. Devices must be set up securely. Default passwords changed. Unnecessary software removed. Auto-run disabled. This applies to every laptop, desktop, tablet, and phone that accesses charity systems. If volunteers bring their own devices, those devices need baseline security configuration too.
3. User access control. Every person has their own account. No shared logins. Admin accounts used only for administration. Access to sensitive data (beneficiary records, financial systems, donor databases) limited to those who need it. Multi-factor authentication enabled on all accounts.
4. Malware protection. Anti-malware software on every device, kept up to date, configured to scan automatically. For charities using Microsoft 365, Windows Defender is included and sufficient — but it needs to be properly configured and monitored.
5. Security update management. Software patches applied within 14 days of release. Unsupported software (Windows 10 reached end of life in October 2025) removed or replaced. This is the control that catches most charities — legacy systems and old devices that "still work" but no longer receive security updates.
Charities often rely on volunteers who use their own laptops and phones. These devices may be running outdated operating systems, have no anti-malware software, and connect to charity systems through personal email accounts. Cyber Essentials requires that any device accessing organisational data meets the five controls.
The practical solution is either to provide managed devices for volunteers who access sensitive systems, or to use cloud-based systems with strong access controls (MFA, conditional access policies) that do not require data to be stored on personal devices.
Charities frequently receive donated computers and equipment. These may be running older operating systems, have unknown software installed, or retain data from previous users. Every donated device must be wiped, rebuilt with a current operating system, and configured to meet Cyber Essentials standards before being connected to charity systems.
Many charities below £1 million income have no dedicated IT staff. Technology decisions are made by whoever is most comfortable with computers, or by trustees with varying levels of technical knowledge. Cyber Essentials is achievable without in-house IT expertise, but it helps to have a knowledgeable IT partner who can assess your current position, remediate gaps, and guide you through the certification process.
The certification itself is affordable (£300 to £500 for basic, £1,500 to £3,000 for Plus). The remediation work — if significant gaps exist — can cost more. However, many of the required changes are free or low-cost:
The biggest cost is usually replacing devices that are too old to run supported operating systems. Charity-specific hardware programmes (such as those offered by the Digital Poverty Alliance and Loughborough University) can help.
Charities operating across multiple sites — community centres, outreach offices, shared workspaces — have a more complex environment to secure. Each location needs appropriate network security. Remote workers need secure access to central systems. The key is having a consistent approach managed centrally, not ad-hoc arrangements at each site.
Map your technology environment. How many devices access charity systems? What operating systems are they running? Who has access to what? Are there shared accounts? Is MFA enabled? When were security updates last applied?
This can be done with a simple spreadsheet and an afternoon of investigation. If you have an IT partner, ask them to do it for you.
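The spreadsheet the post describes can double as input to a quick gap check against the five controls. The script below is an added example, not part of the original post: it reads a constructed CSV inventory (column names are assumptions), applies the 14-day patch window and Windows 10 end-of-life date from the post, and lists which devices fail which control; the "last patched" date is used as a proxy for whether updates are being applied promptly.

```python
"""Cyber Essentials gap check over a constructed device inventory (added example)."""
import csv
import io
from datetime import date, timedelta

# Constructed inventory, one row per device that accesses charity systems.
# Column names are assumptions; a real export from the spreadsheet may differ.
INVENTORY_CSV = """device,os,os_supported_until,last_patched,mfa_enabled,shared_account,antimalware
Office-PC-1,Windows 11,2030-01-01,2026-03-30,yes,no,yes
Office-PC-2,Windows 10,2025-10-14,2026-03-01,yes,no,yes
Vol-Laptop-A,macOS 14,2027-01-01,2025-12-20,no,yes,yes
Fund-Tablet,iPadOS 17,2027-01-01,2026-04-01,yes,no,no
"""

PATCH_WINDOW_DAYS = 14            # control 5: updates applied within 14 days
REPORT_DATE = date(2026, 4, 6)    # date of the assessment (constructed)


def _yes(value):
    return value.strip().lower() == "yes"


def assess_device(row, today):
    """Return the list of control failures for one inventory row."""
    findings = []
    if date.fromisoformat(row["os_supported_until"]) < today:
        findings.append("unsupported OS (control 5)")
    # Proxy: a device not patched in the last 14 days is outside the window.
    if today - date.fromisoformat(row["last_patched"]) > timedelta(days=PATCH_WINDOW_DAYS):
        findings.append("patches older than 14 days (control 5)")
    if not _yes(row["mfa_enabled"]):
        findings.append("MFA not enabled (control 3)")
    if _yes(row["shared_account"]):
        findings.append("shared login in use (control 3)")
    if not _yes(row["antimalware"]):
        findings.append("no anti-malware (control 4)")
    return findings


def assess_inventory(csv_text, today):
    """Map device name -> findings; compliant devices are omitted."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = assess_device(row, today)
        if findings:
            report[row["device"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in assess_inventory(INVENTORY_CSV, REPORT_DATE).items():
        print(f"{device}: {'; '.join(findings)}")
```

Devices that pass every check drop out of the report, so the output is the remediation list for the "address the gaps" step.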
Address the gaps. The most common remediation tasks for charities:
Complete the Cyber Essentials self-assessment questionnaire through an accredited certification body. Answer based on your actual position after remediation, not your aspirations.
Receive your certificate. Display it on your website, include it in funding applications, and share it with partners and donors. Certification is valid for 12 months.
Once Cyber Essentials is in place, consider:
Cybersecurity can feel overwhelming for charities already stretched thin. The message is simple: Cyber Essentials is achievable, it is affordable, and it protects the people you serve.
If your charity handles sensitive data — and almost all do — the question is not whether you can afford to get certified, but whether you can afford not to.
Get in touch if you want help assessing your charity's cybersecurity position. We work with charities and non-profits on practical, budget-conscious IT security — and we understand that every pound spent on infrastructure is a pound that could have gone to your mission.