Cyber security for charities

Like any other organisation, charities have information assets to protect. Often, they have less money to spend on protection and are staffed largely, if not entirely, by volunteers. 

If you work for a charity, this means you have some additional challenges to overcome too, but improving the cyber security defences protecting a charity, isn’t an impossible task. 

Bring Your Own Device (BYOD) 

Many charities rely on volunteers using their own devices to carry out work on behalf of the charity: 67% of charities, according to the DCMS Cyber Security Breaches Survey 2021 (Cyber Security Breaches Survey 2021 (

If it isn’t possible to supply volunteers with equipment for financial reasons, then the charity should have a strong BYOD policy in place. 

In particular, you should insist that devices are automatically locked if not used for a few minutes, password protected (ideally with multi-factor authentication) and that software is updated to the latest versions and includes security software.  

If finances allow, consider using a mobile device management system to enable remote management of the devices. For example, the ability to wipe data remotely, if the device is lost or stolen.     

Data Protection 

Charities are likely to hold information about supporters, their volunteers (and any staff) and possibly about clients, depending on their mission. Like any other organisation, charities need to abide by the data protection laws to ensure that this information is as secure as possible. 

Attackers don’t ‘go easy’ on charities because of their good work: the ICO received over 530 reports of incidents in the last year. Note that this figure is based on the number of reports made by data controllers, not necessarily the number of incidents (not all incidents must be reported). Data security incident trends | ICO 

Make sure that you understand the data protection requirements and step through the information security checklist, to see where you could make improvements. Information security checklist | ICO 

Staff training 

All staff, voluntary or paid, should receive security awareness training, because attackers don’t care whether their target is being paid or not. And yet only 18% of charities train their staff in cyber security (Cyber Security Breaches Survey 2021 ( 

For example, the most common cyber-attack on charities are phishing email attacks. So, teaching staff how to spot a phishing email, should help reduce the phishing risk. 

But there are other areas of security to train staff in too. Even something as simple as failing to ‘BCC’ correctly in an email, and thereby revealing personal information. This can result in a fine from the ICO, as HIV Scotland discovered late last year (ICO warning after Scottish charity reveals personal data in email error | ICO). 

You could start with this short training session for staff, provided by the National Cyber Security Centre. Top tips for staff – Overview ( 

Supply chain 

Depending on their size, charities may well be using third parties to provide some of the day-to-day operational processes needed to run the charity, such as; HR and IT, accounting, cloud services and data storage.  

Like any other organisation, the risk here is that if one of the third-party providers suffers a cyber-attack, the charity’s data may be at risk. Only 8% of charities have reviewed these third-party risks (Cyber Security Breaches Survey 2021 ( 

This may take some time, but you could begin by reading the NCSC’s supply chain security guidance: Supply chain security guidance – NCSC.GOV.UK. 

Insider threat and Covid-19 

According to the Fraud Advisory Panel, fraud has increased by as much as 40% during the pandemic, and charities are at particular risk. This is typically because of excessive trust: those working in charities are highly committed to that charity’s aims, and find it impossible to consider that colleagues might not be.  

Not only has the amount of cybercrime gone up, but so has the level of insider fraud as staff and volunteers come under increased financial pressure as a result of the pandemic. Often, too, there are insufficient controls in place, especially as people have been working from home. ( 

It is important to have strong controls in place, including pre-screening, staff training and awareness, and to develop strong governance. 

Call Click and Protect on 0113 733 6230 to talk about how we can help your charity to strengthen its cyber security defence.