
The 2024 Cyber Security Breaches Survey (DSIT) reported that 32% of UK charities identified a cyber attack or breach in the previous 12 months, against 50% of businesses. The rate rises sharply with charity income, so larger charities face attack rates comparable to medium and large businesses while having far smaller budgets to defend themselves. Recent UK charity ransomware incidents have stopped service delivery to vulnerable beneficiaries, exposed donor financial data, and forced trustees to make difficult public statements about response failings. The Charity Commission’s 2024 risk register made cyber a tier-1 risk for the first time.
This guide explains how UK charities can build a credible cyber programme on a charity budget: Microsoft’s nonprofit licensing, NCSC’s free Active Cyber Defence services, the cyber insurance bundled with IASME Cyber Essentials certification, and a focused set of paid controls where they matter most. The goal is that trustees can answer the Charity Commission’s cyber-risk questions confidently while spending an order of magnitude less than a commercial equivalent.
What the Charity Commission and NCSC expect in 2026
Charity Commission expectations
Charity Commission guidance under CC3 (The Essential Trustee), CC10 (Hallmarks of an Effective Charity) and the 2024 Risk Register expects trustees to identify, assess and manage cyber risk proportionately to the charity’s size and activities. Specifically: a documented cyber risk register reviewed by trustees at least annually, evidence of basic technical controls (MFA, backups, EDR), a documented incident response plan, awareness training for staff and volunteers, and consideration of cyber insurance.
NCSC sector guidance
NCSC publishes specific guidance for UK charities, including:
- The Small Charity Guide (free).
- Active Cyber Defence services free for eligible charities: Mail Check, Web Check, Protective DNS (PDNS) and the Suspicious Email Reporting Service.
- Sector threat and vulnerability reports, when NCSC publishes them.
UK GDPR and the ICO
Charities are data controllers under UK GDPR. Donor data, beneficiary data and volunteer data all fall in scope. Beneficiary data held by charities supporting vulnerable populations (e.g. domestic violence, mental-health or refugee charities) typically includes special-category data (health, ethnicity, sexual life) and in any case identifies people who are at risk if exposed, so it needs the elevated protection the ICO expects for special-category processing. The ICO has fined UK charities for breaches; recent examples have ranged from £5,000 to £75,000.
Fundraising Regulator and Code of Fundraising Practice
The Code of Fundraising Practice requires charities to handle donor data securely. Direct-debit fraud, donation diversion and donor-list theft are explicit risks the Code addresses.
Sector-specific extras
- Charities supporting vulnerable adults / children: Safeguarding overlay; data breaches expose vulnerable beneficiaries.
- Education-focused charities: KCSiE 2024 expectations cascade if you operate alongside schools.
- Healthcare-adjacent charities: May fall within the scope of the NHS Data Security and Protection Toolkit (DSPT) if accessing NHS patient data.
- International charities: Sanctions compliance (especially around payments and beneficiary identity).
The threats UK charities actually face
1. Donation-page fraud and donation diversion
Attackers compromise charity websites or email accounts to redirect donations to attacker-controlled accounts, especially during high-profile fundraising campaigns or disaster appeals. Fake disaster-appeal pages spike after major international events and particularly hurt UK charities running parallel real campaigns, because donors cannot easily tell the pages apart.
2. CEO / fundraising-manager BEC
An attacker either compromises the CEO’s mailbox or sends from an external address using the CEO’s display name, then emails the finance officer requesting an urgent grant disbursement or supplier payment. Charity finance teams typically have less BEC awareness training than commercial equivalents.
3. Ransomware on case-management or donor systems
Many UK charities use Salesforce NPSP, Donorfy, Beacon, ThankQ or sector-specific case-management tools to track beneficiaries and donors. Ransomware encrypting these systems can stop service delivery to vulnerable people — a substantially worse outcome than a commercial equivalent.
4. Phishing of trustees
Trustees often have email addresses on charity domains but no MFA, no IT support, and no awareness training. They become a backdoor into charity finances and confidential papers.
5. Insider threats from volunteers and short-term staff
Volunteers and short-term staff create access-governance challenges: accounts are created quickly, often without MFA, and many UK charities do not off-board volunteer accounts promptly when volunteers move on. A dormant account that still has a valid password is an easy way in.
How UK charities can build cyber on a charity budget
Three free / heavily discounted programmes every UK charity should know about:
1. Microsoft for Nonprofits (Microsoft Charity pricing)
- Microsoft 365 Business Premium: a grant of free licences for the first 10 users, then heavily discounted (typically around 75% off commercial pricing). Includes Defender for Business, Intune, MFA, Entra ID P1 (formerly Azure AD Premium P1) and Defender for Office 365 P1.
- Office 365 E1: free for up to 300 users for eligible charities.
- Azure: free credits for non-profits.
- Eligibility: registered with the Charity Commission with qualifying charitable status. Apply via Microsoft’s nonprofit portal. Microsoft has changed the grant mix more than once, so confirm the current free and discounted SKUs on the portal before you build a budget around them.
2. NCSC Active Cyber Defence
- Mail Check: free SPF/DKIM/DMARC checking, DMARC aggregate-report processing and guidance on fixing your records (you still make the DNS changes yourself).
- Web Check: free vulnerability scanning of public-facing websites.
- Protective DNS (PDNS): free DNS-level malware blocking for eligible charities.
- Suspicious Email Reporting Service (SERS): free phishing reporting.
- Eligibility: registered UK charity. Apply via NCSC.
3. IASME Cyber Essentials with bundled cyber insurance
- £25,000 of cyber liability insurance included with whole-organisation Cyber Essentials certification for UK-domiciled organisations turning over under £20m (which covers most UK charities).
- Tiered certification fees: from £320 + VAT for micro organisations (fewer than 10 employees), so the certificate itself is affordable even for the smallest charity.
The cyber controls every UK charity should have in 2026
Identity and access
- MFA on every staff, volunteer and trustee account, with no exceptions and no legacy authentication protocols left enabled to bypass it.
- Conditional Access policies blocking sign-ins from countries the charity never operates in, and from unmanaged devices for anyone handling beneficiary data.
- Quarterly access reviews aligned to volunteer and staff turnover: disable dormant accounts, remove accounts whose engagement has ended, and chase anyone who has not registered an MFA method.
- Trustee accounts on the charity domain (not personal email) wherever they handle confidential papers.
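The quarterly access review above, and the volunteer off-boarding gap described under insider threats, are easiest to do from a directory export rather than by eye. The following is an added example (not Microsoft’s code and not a script from the original page) that runs the review over rows shaped like an export from the Microsoft Graph `/users` endpoint with the `signInActivity` property (which needs Entra ID P1, included in Business Premium). The `mfaRegistered`, `accountType` and `engagementEndDate` fields are assumptions: the first would be joined in from the authentication-methods registration report, the other two from hypothetical extension attributes your HR or volunteer system populates. The sample rows are constructed.

```python
"""Quarterly access review over a directory export.

Added example, not Microsoft's code. Row shape assumes a Graph /users export with
signInActivity, joined with a hypothetical mfaRegistered flag and two hypothetical
extension attributes (accountType, engagementEndDate).
"""
from datetime import date, timedelta

STALE_DAYS = 90        # no interactive sign-in for a quarter
NEVER_USED_DAYS = 30   # account created but never signed in
REVIEW_DATE = date(2026, 2, 1)  # fixed so the sample review is reproducible
# Most severe first; an account gets the highest-priority action it qualifies for.
ACTION_PRIORITY = ["investigate", "remove", "disable", "enforce MFA", "none", "already disabled"]

# Constructed sample export (not real accounts).
SAMPLE_USERS = [
    {"userPrincipalName": "jane.smith@example-charity.org.uk", "accountType": "staff",
     "createdDateTime": "2021-03-01", "lastSignInDateTime": "2026-01-14",
     "engagementEndDate": None, "mfaRegistered": True, "accountEnabled": True},
    {"userPrincipalName": "vol.alex@example-charity.org.uk", "accountType": "volunteer",
     "createdDateTime": "2025-02-01", "lastSignInDateTime": "2025-06-10",
     "engagementEndDate": "2025-07-31", "mfaRegistered": False, "accountEnabled": True},
    {"userPrincipalName": "trustee.pat@example-charity.org.uk", "accountType": "trustee",
     "createdDateTime": "2025-11-01", "lastSignInDateTime": None,
     "engagementEndDate": None, "mfaRegistered": False, "accountEnabled": True},
    {"userPrincipalName": "temp.sam@example-charity.org.uk", "accountType": "staff",
     "createdDateTime": "2025-09-01", "lastSignInDateTime": "2026-01-10",
     "engagementEndDate": "2025-12-31", "mfaRegistered": True, "accountEnabled": True},
    {"userPrincipalName": "ravi.patel@example-charity.org.uk", "accountType": "trustee",
     "createdDateTime": "2022-05-01", "lastSignInDateTime": "2025-12-20",
     "engagementEndDate": None, "mfaRegistered": False, "accountEnabled": True},
    {"userPrincipalName": "old.vol@example-charity.org.uk", "accountType": "volunteer",
     "createdDateTime": "2023-01-01", "lastSignInDateTime": "2024-01-05",
     "engagementEndDate": "2024-02-01", "mfaRegistered": False, "accountEnabled": False},
]


def _to_date(value):
    """ISO date string (or None) to a date."""
    return date.fromisoformat(value) if value else None


def review_user(user, today):
    """Return the issues found on one account and the single action to take."""
    upn = user["userPrincipalName"]
    if not user["accountEnabled"]:
        return {"upn": upn, "action": "already disabled", "issues": []}
    issues, actions = [], set()
    created = _to_date(user["createdDateTime"])
    last = _to_date(user.get("lastSignInDateTime"))
    end = _to_date(user.get("engagementEndDate"))

    if end and end < today:
        issues.append(f"{user['accountType']} engagement ended {end}")
        actions.add("remove")
        if last and last > end:
            # Someone used the account after the person should have left: treat as a possible compromise.
            issues.append(f"signed in on {last}, after the engagement ended")
            actions.add("investigate")
    if last is None:
        if today - created > timedelta(days=NEVER_USED_DAYS):
            issues.append(f"never signed in since creation on {created}")
            actions.add("disable")
    elif today - last > timedelta(days=STALE_DAYS):
        issues.append(f"no sign-in for {(today - last).days} days")
        actions.add("disable")
    if not user["mfaRegistered"]:
        issues.append("no MFA method registered")
        actions.add("enforce MFA")

    action = min(actions, key=ACTION_PRIORITY.index) if actions else "none"
    return {"upn": upn, "action": action, "issues": issues}


def run_review(users, today):
    """Review every account and return results with the most urgent actions first."""
    results = [review_user(u, today) for u in users]
    results.sort(key=lambda r: ACTION_PRIORITY.index(r["action"]))
    return results


def review_sample():
    """Run the review over the constructed sample on the fixed review date: {upn: action}."""
    return {r["upn"]: r["action"] for r in run_review(SAMPLE_USERS, REVIEW_DATE)}


if __name__ == "__main__":
    for result in run_review(SAMPLE_USERS, REVIEW_DATE):
        print(f"{result['action']:16} {result['upn']}")
        for issue in result["issues"]:
            print("    -", issue)
```

The review is deliberately opinionated: an ended engagement outranks a stale account, and a sign-in after the engagement end date is escalated to an investigation rather than quietly removed, because that is exactly the pattern a compromised volunteer or leaver account produces. The thresholds are constants so a charity can align them with its own volunteer turnover cycle.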
Endpoint protection
- EDR on every device. Microsoft Defender for Business is sufficient for most charities and is included in M365 Business Premium (free for the first 10 charity users).
- BitLocker / FileVault encryption on every device.
- MDM via Intune for any device storing donor or beneficiary data.
Email security
- Microsoft Defender for Office 365 P1 (included in M365 Business Premium).
- SPF, DKIM and DMARC on every sending domain, ending at DMARC p=reject. Move through p=none, then p=quarantine, then p=reject as the aggregate reports show only legitimate senders; NCSC Mail Check checks the records and processes the reports for free, but the DNS changes are yours to make.
- External-sender warning banners.
- Anti-impersonation rules that detect a protected person’s display name (CEO, chair, finance lead) arriving from an external address, and look-alike sender domains.
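A worked check for the SPF and DMARC records above, also covering what NCSC Mail Check looks for in the Active Cyber Defence section earlier. This is an added example, not NCSC Mail Check code and not a script from the original page. It evaluates record strings you already hold (here constructed samples for hypothetical domains); in practice you would first fetch them with `dig TXT example.org.uk` and `dig TXT _dmarc.example.org.uk`. The lookup count covers only the terms in the record given; nested `include` records add more, which is why a resolver-based tool such as Mail Check is still needed for the full picture.

```python
"""Assess SPF and DMARC TXT records against the p=reject target.

Added example, not NCSC Mail Check code. The sample records below are constructed
for hypothetical domains, not real DNS data.
"""
from dataclasses import dataclass

SAMPLE_RECORDS = {
    "weak.example.org.uk": {
        "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.crm.example.net "
               "include:_spf.newsletter.example.net include:_spf.forms.example.net a mx ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-rua@weak.example.org.uk",
    },
    "good.example.org.uk": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc-rua@good.example.org.uk",
    },
    "open.example.org.uk": {"spf": "v=spf1 +all", "dmarc": None},
}

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup
SPF_LOOKUP_LIMIT = 10                                                          # RFC 7208 section 4.6.4
SEVERITY_RANK = {"ok": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    severity: str   # "low" | "medium" | "high"
    message: str


def spf_terms(record):
    """Split an SPF record into (qualifier, mechanism name) pairs, skipping the v=spf1 tag."""
    terms = []
    for raw in record.split()[1:]:
        qualifier = raw[0] if raw[0] in "+-~?" else "+"
        name = raw.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        terms.append((qualifier, name))
    return terms


def spf_lookup_count(record):
    """Count lookup-causing terms in this record alone (nested includes add more)."""
    return sum(1 for _, name in spf_terms(record) if name in SPF_LOOKUP_MECHANISMS)


def assess_spf(record):
    if not record or not record.lower().startswith("v=spf1"):
        return [Finding("high", "no SPF record: receivers cannot tell who may send as this domain")]
    findings = []
    lookups = spf_lookup_count(record)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(Finding("high", f"{lookups} DNS lookups exceeds the limit of {SPF_LOOKUP_LIMIT}: receivers return permerror"))
    terminal = [(q, n) for q, n in spf_terms(record) if n == "all"]
    if not terminal:
        findings.append(Finding("medium", "no 'all' term: unlisted senders get a neutral result"))
    elif terminal[-1][0] in "+?":
        findings.append(Finding("high", f"'{terminal[-1][0]}all' authorises any sender on the internet"))
    elif terminal[-1][0] == "~":
        findings.append(Finding("low", "'~all' softfail: acceptable once DMARC is at p=reject, tighten to '-all' when reports are clean"))
    return findings


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    if not record:
        return [Finding("high", "no DMARC record: spoofed mail from this domain is delivered and you get no reports")]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "quarantine":
        findings.append(Finding("medium", "p=quarantine: move to p=reject once aggregate reports show only legitimate senders"))
    elif policy != "reject":
        findings.append(Finding("high", f"p={policy or 'missing'}: monitoring only, spoofed mail is still delivered"))
    if tags.get("pct", "100") != "100":
        findings.append(Finding("medium", f"pct={tags['pct']}: the policy applies to only part of the mail stream"))
    if "rua" not in tags:
        findings.append(Finding("medium", "no rua address: no aggregate reports, so you cannot see who is sending as you"))
    return findings


def assess_domain(spf, dmarc):
    """Return (worst severity, findings) for one domain's SPF and DMARC records."""
    findings = assess_spf(spf) + assess_dmarc(dmarc)
    worst = max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="ok")
    return worst, findings


def assess_sample(domain):
    """Assess one of the constructed sample domains: (worst severity, list of messages)."""
    records = SAMPLE_RECORDS[domain]
    worst, findings = assess_domain(records["spf"], records["dmarc"])
    return worst, [f.message for f in findings]


if __name__ == "__main__":
    for sample in SAMPLE_RECORDS:
        worst, messages = assess_sample(sample)
        print(f"{sample}: {worst}")
        for message in messages:
            print("  -", message)
```

Run it against your own records by replacing the sample strings with the output of the two `dig` queries. A charity that has just added a CRM, a newsletter tool and a forms service to SPF, as `weak.example.org.uk` has, is close to the 10-lookup limit before nested includes are counted, which is the usual reason SPF silently stops working.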
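The display-name rule in the last bullet, and the CEO BEC scenario described under threats, can be expressed as a small classifier over the From: header. This is an added example, not a product’s rule syntax and not code from the original page; it assumes a hypothetical charity domain, a hypothetical list of protected people, and a deliberately partial homoglyph map. The sample headers are constructed. Spoofing of the charity’s own domain is DMARC’s job, so the rule only holds internal mail for review when a protected name appears on an unexpected internal mailbox.

```python
"""Display-name impersonation check for inbound mail.

Added example, not code from a mail-security product. CHARITY_DOMAINS, PROTECTED_PEOPLE
and CONFUSABLES are assumptions; a real deployment reads the first two from the tenant.
"""
import email.utils
import re
import unicodedata

CHARITY_DOMAINS = {"example-charity.org.uk"}             # assumption: our own sending domains
PROTECTED_PEOPLE = {                                     # assumption: people worth protecting
    "Jane Smith": "jane.smith@example-charity.org.uk",  # CEO
    "Ravi Patel": "ravi.patel@example-charity.org.uk",  # chair of trustees
}
# Partial map of Cyrillic letters that look like Latin a, e, o, p, c, x, y, i.
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456", "aeopcxyi")
TITLES = re.compile(r"\b(ceo|chair|dr|mr|mrs|ms|rev)\b\.?")
LOOKALIKE_MAX_DISTANCE = 2


def normalise(name):
    """Reduce a display name to a comparable key: strip accents, homoglyphs, titles, punctuation."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    name = name.lower().translate(CONFUSABLES)
    name = TITLES.sub(" ", name)
    name = re.sub(r"[^a-z0-9]+", " ", name)
    return " ".join(name.split())


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_header):
    """Return (verdict, reason) for a From: header value.

    verdict is "allow", "review" (hold for a human) or "quarantine".
    """
    display, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    by_key = {normalise(n): (n, a) for n, a in PROTECTED_PEOPLE.items()}
    key = normalise(display)

    if domain in CHARITY_DOMAINS:
        # Our own domain: DMARC stops outright spoofing, so only flag a protected name on a
        # different internal mailbox (alias abuse or a compromised account).
        if key in by_key and by_key[key][1] != addr:
            return "review", f"{by_key[key][0]} display name on unexpected internal address {addr}"
        return "allow", "internal sender"

    # External sender from here on.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if embedded and embedded.group(1).lower() in CHARITY_DOMAINS:
        return "quarantine", f"our address placed in the display name, real sender is {addr}"
    if key in by_key:
        return "quarantine", f"display name impersonates {by_key[key][0]} from external address {addr}"
    for ours in CHARITY_DOMAINS:
        if 0 < edit_distance(domain, ours) <= LOOKALIKE_MAX_DISTANCE:
            return "quarantine", f"look-alike domain {domain} (resembles {ours})"
    return "allow", "external sender, no impersonation indicators"


# Constructed sample headers (not real messages).
SAMPLE_FROM_HEADERS = [
    "Jane Smith <jane.smith@example-charity.org.uk>",
    '"Jane Smith (CEO)" <jane.smith.ceo@gmail.com>',
    '"jane.smith@example-charity.org.uk" <finance-urgent@outlook.com>',
    "Accounts <accounts@example-charlty.org.uk>",
    "J\u0430ne Smith <j.smith@mail.example>",
    "Newsletter <news@supplier.example.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        verdict, reason = check_from_header(header)
        print(f"{verdict:10} {header!r}: {reason}")
```

Three tricks that defeat a naive "display name equals CEO name" rule are covered: a job title appended to the name, the charity’s real address placed in the display name with a webmail reply-to behind it, and a single swapped character in either the name (Cyrillic а) or the domain. Tune `LOOKALIKE_MAX_DISTANCE` down to 1 if your domain is short, otherwise unrelated domains start to match.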
Backup & recovery
- 3-2-1-1 backup (three copies, on two types of media, one off-site, one immutable or offline) covering donor systems, case-management systems and finance, not just the M365 mailboxes.
- Tested restore quarterly, not annually; a backup that has never been restored is an assumption, not a control.
- Immutable storage (object lock, so ransomware with admin credentials cannot delete or encrypt the copy) is available at charity-friendly prices from providers such as Wasabi and Backblaze B2.
Detection and response
- For most charities, a business-hours managed detection service is sufficient. Larger charities supporting vulnerable beneficiaries should consider 24/7 cover.
- Documented incident response plan covering ICO, Charity Commission, donors and beneficiaries.
- Pre-arranged DFIR firm via the IASME-bundled insurance hotline or a specific retainer.
Compliance and governance
- Cyber Essentials annually (claim the free £25k IASME insurance).
- Cyber Essentials Plus where charity has government contracts or beneficiary data sensitivity.
- Annual cyber awareness training for staff, volunteers and trustees.
- Trustee-level cyber risk register reviewed annually at audit committee.
Realistic cyber budgets for UK charities
Micro charity (5–10 staff + volunteers)
- M365 Business Premium: FREE via Microsoft Charity (up to 10 users)
- NCSC Active Cyber Defence: FREE
- Cyber Essentials managed: £500/year
- Awareness training: £120/year
- Cloud backup beyond M365 retention: £200/year
- Total: ~£820/year (cyber insurance £25k bundled free with CE).
Mid-sized charity (30 staff, 80 volunteers)
- M365 Business Premium charity rate: £1,800/year
- EDR via Defender (included)
- Cyber Essentials Plus: £3,500/year
- Awareness training: £850/year
- Donor system backup add-on: £1,200/year
- Annual external pen test: £3,500
- Cyber insurance top-up beyond £25k IASME: £2,500/year
- Business-hours MDR: £2,500/year (negotiated charity rate)
- Total: ~£15,800/year
Large national charity (200 staff, 1,000+ volunteers)
- M365 charity mix: £25,000/year
- Standard tier MDR (24/7): £30,000/year
- Cyber Essentials Plus + ISO 27001: £15,000/year
- Awareness training + role-specific modules: £4,500/year
- Pen testing programme: £15,000/year
- Cyber insurance: £7,500/year
- IR retainer: £6,000/year
- Total: ~£103,000/year
Frequently Asked Questions
Is Cyber Essentials mandatory for UK charities?
Cyber Essentials is not directly mandated by the Charity Commission, but the 2024 risk register and Charity Commission guidance together expect trustees to demonstrate proportionate cyber controls, and Cyber Essentials is the most credible way to do that. It is also increasingly required by charity grant-makers, public-sector partners and large funders. Practical answer: certify it. The cost is small (£500–£1,500/year for a managed certification), the £25k IASME insurance is bundled free for charities turning over under £20m (most UK charities), and the diagnostic value alone often pays for the certificate.
What free cyber security programmes can UK charities claim?
Three big free programmes: (1) Microsoft 365 Business Premium free for the first 10 users via Microsoft’s nonprofit programme (includes EDR, MFA and email security), (2) NCSC Active Cyber Defence services including Mail Check, Web Check, Protective DNS and the Suspicious Email Reporting Service, (3) the IASME Cyber Essentials £25k cyber insurance bundle for organisations turning over under £20m. Together these cover most of a typical small charity’s cyber stack at zero cost; you just need to claim them.
How should a charity protect donor data?
Five high-impact, low-cost actions: (1) enforce MFA on every account that has any access to donor data, (2) move donor records into a managed CRM (Salesforce NPSP, Donorfy, Beacon, ThankQ) rather than spreadsheets, so access controls and audit logs apply, (3) take immutable backups of the donor system at least daily, (4) train fundraising and finance staff on donation diversion and BEC tactics, (5) certify Cyber Essentials so the £25k IASME insurance backs you up. Most donor breaches happen via mailbox compromise rather than a direct attack on the donor system, so MFA and email security are the highest-leverage controls.
Do trustees need cyber security training?
Yes, and this is increasingly an expectation in Charity Commission guidance. Trustees often have access to confidential papers, board minutes and financial information, and the chair frequently has direct email contact with the CEO, which makes them an obvious BEC target. Trustees should receive at minimum a short induction module on phishing and BEC, awareness of the charity’s data-protection obligations, and an understanding of the cyber risk register and incident response plan. NCSC’s Board Toolkit (free) is a good starting point.
What is the minimum credible cyber budget for a small charity?
For a small UK charity, a credible minimum is achievable for under £1,000/year: Microsoft 365 Business Premium via Microsoft’s nonprofit programme (free for the first 10 users), NCSC Active Cyber Defence services (free), managed Cyber Essentials (£500/year, includes £25k insurance), basic awareness training (£100/year), and a cloud backup beyond M365 retention (£200/year). This is not enterprise-grade, but it is materially better than most UK charity defences and demonstrates that the trustees have addressed the risk. Scale up only when growth justifies it.
Are charities being targeted by ransomware more than before?
Yes. The Cyber Security Breaches Survey shows ransomware remains among the most disruptive incident types reported by charities, and the trend in charity incidents has been upward. The reason is unfortunate but rational: attackers know charity defences are typically thinner than commercial equivalents, while the publicity around an attack on vulnerable beneficiaries creates pressure to pay quickly. The defence is the same as for commercial businesses (immutable backups, MFA, EDR, awareness training), just delivered on a charity budget using the free programmes above.
Need charity-aware cyber security advice? Request a free cyber gap analysis with charity-rate pricing — we’ll cover the controls the Charity Commission and NCSC expect, identify the free programmes you should be claiming (Microsoft Charity, NCSC ACD, IASME bundled insurance), and recommend the smallest paid-for layer that closes the residual risk. See also our best UK cyber security companies guide.
Related Reading
More from the Connection Technologies blog.
