Cyber Essentials for Charities and Non-Profits

32% of charities identified a cyber breach or attack in 2024. That's from the government's own Cyber Security Breaches Survey, not a vendor trying to sell you something. One in three charities, and most of them didn't have dedicated IT staff when it happened.
Charities hold data that attackers want: beneficiary records with home addresses and vulnerability assessments, donor databases with payment details. Safeguarding information on children and adults at risk. Financial records, Gift Aid claims, payroll data for a small team and volunteer contact lists for a much larger one. The data is sensitive by any standard. But the budgets to protect it are some of the smallest in any sector.
Cyber Essentials covers five technical controls that stop the most common attacks. A Lancaster University study tested 200 common vulnerabilities against these controls and found 131 fully mitigated, with another 60 partially mitigated. The certification starts from £320 + VAT and it comes with £25,000 of free cyber insurance. For most charities, this is the most cost-effective security investment available.
Why do attackers target charities?
Charities aren't targeted because they're charities; they're targeted because they're often easier to breach than a business of the same size.
Three things make the charity sector particularly vulnerable to attack. First, the security investment is considerably lower. A small business with 20 employees might have an IT budget. A charity with 20 employees often has a volunteer who's good with computers. That's not a criticism, just the reality of working with restricted funding. But it means the basics don't always get done.
Second, the data charities hold is genuinely valuable. A charity working with refugees holds immigration status, home addresses, legal case details, and family compositions. A mental health charity holds clinical notes and referral information. A children's charity holds safeguarding records that cannot be replaced. This is special category data under GDPR, which means higher regulatory penalties if it's compromised and higher value to criminals who trade it.
Third, charities process more payments than people realise. Donation platforms, direct debits, Gift Aid claims, grant disbursements. Payment processing infrastructure is a primary target for financially motivated attackers. If your charity takes online donations, you're running e-commerce, whether you think of it that way or not.
What does Cyber Essentials actually require?
There are five controls in total, and the same five controls that apply to a FTSE 350 company apply to a community interest company with three staff and a shared laptop.
Firewalls. There's a boundary between your network and the internet, and you control what crosses it. For most charities, this is your internet router. The default admin password needs changing, remote management needs turning off if you don't use it, and the firewall rules need documenting. If your team works from home, software firewalls on their devices handle the same job.
Secure configuration. Remove software you don't use and change default passwords on everything. Turn off features you haven't deliberately enabled. If your charity has a shared computer in a community hall, the guest account should be disabled, auto-run should be off, and someone should know what software is installed on it.
Security update management. Apply updates within 14 days for anything rated high or critical (that's a CVSS score of 7.0 or above). Fourteen calendar days, not working days. Operating systems, web browsers, office software, your CRM, your fundraising platform. If a device can't receive updates because the manufacturer has stopped supporting it, that device shouldn't be connected to the internet.
User access control. Everyone gets their own account with no shared logins. Admin accounts are only used for admin tasks, not for checking emails or writing funding bids. Multi-factor authentication (MFA) is mandatory on all cloud services that support it. That means your email, your donor management system, your cloud storage, and your accounting software all need MFA turned on.
Malware protection. Anti-virus software running and up to date on every device. Windows Defender counts if it's on and current. macOS has built-in protections that satisfy the requirement when properly configured. The point is that something is actively scanning for threats, not that you've bought an expensive product.
What makes charities different?
The controls are the same for everyone. The difficulty is in how you apply them when the budget is tight, the IT is informal, and half the team are volunteers.
Volunteer-managed IT. Many charities rely on a trustee or volunteer who handles "the computer stuff." That person might be perfectly competent. But they're not always around, they don't always document what they've done, and when they move on, the institutional knowledge goes with them. I've assessed charities where nobody knew the admin password to the router because the person who set it up left two years ago. That's a fail before the assessment even starts.
BYOD is everywhere in the charity sector. Volunteers use their own phones. Staff use personal laptops because the charity can't afford to issue them. Trustees read board papers on their iPads at home. Under the Danzell update to Cyber Essentials (effective 27 April 2026), any device that accesses organisational data is in scope. If a volunteer checks their charity email on a personal phone, that phone needs a current operating system, a screen lock, and automatic updates enabled.
This is where charities panic, and it's usually unnecessary. You don't need to buy everyone a work phone. You need to set a policy that says: if you're accessing charity systems on your personal device, these are the minimum requirements. Then check that people are meeting them.
Shared devices in community spaces. A laptop in a drop-in centre. A tablet used by different staff to log beneficiary visits. A computer in a community hall that three different groups use. Shared devices are common in the charity sector and they create specific challenges. Each device needs its own documented configuration. Shared admin accounts fail the assessment. If five people use the same laptop, each person needs their own login.
Multiple locations with different setups. A charity with a head office, two satellite offices, and a team that works from home has at least four different network environments to manage. The firewall at head office might be properly configured. The router at the satellite office might still be on factory defaults. Every location where charity data is accessed needs to meet the standard.
Limited budget. This is the one that comes up first in every conversation, and it's the one I want to address directly. CE Basic costs £320 + VAT. That's the IASME certification fee. You don't need to buy new hardware. You don't need to hire a consultant (though you can if you want to). The five controls are things you should already be doing with the equipment you already have.
How much does it actually cost?
CE Basic starts from £320 + VAT, which is the certification fee. The assessment is a structured self-assessment questionnaire, not a technical exam. You answer questions about how your IT is configured, an assessor verifies your answers, and if everything checks out, you get a certificate valid for 12 months.
CE Plus: £1,200 to £2,100 + VAT. This adds a hands-on technical audit where an assessor (or their tools) actually tests your systems. CE Plus is required for some government contracts and NHS supply chain work.
Both levels come with up to £25,000 of free cyber insurance through the IASME scheme, available to eligible organisations with turnover under £20 million. For a charity spending £320 on certification and getting £25,000 of insurance cover in return, the maths is difficult to argue with.
If your charity has a turnover under £20 million (most do), the insurance alone more than justifies the cost. I've had worried trustees tell me they can't justify the expense to their board. I tell them to frame it as buying £25,000 of insurance for £320. That tends to settle the conversation fairly quickly.
What changes under Danzell?
The Danzell update to Cyber Essentials takes effect on 27 April 2026, and two changes matter most for charities.
Cloud services can't be excluded from scope. Under the previous version, some organisations structured their scope to put cloud services outside the assessment boundary. That's no longer possible. If your charity uses Microsoft 365, Google Workspace, a cloud-based donor management system, or any other service you log into with an account that holds your data, it's in scope. Every one of those services needs MFA enabled.
This catches charities that use free or low-cost cloud tools without thinking of them as "IT systems." A shared Google Drive for the trustee board. A Trello board for project management, or a Mailchimp account for newsletters. If it holds charity data and you log in with an account, it's a cloud service under the Danzell definition, and it needs MFA.
MFA is mandatory on everything that supports it. This was already the direction of travel, but Danzell makes it a hard requirement. If a cloud service offers MFA and you haven't enabled it, you fail. Most MFA apps are free (Microsoft Authenticator, Google Authenticator), so this isn't a cost issue. It's a setup issue. Someone needs to go through every cloud service your charity uses and turn MFA on.
The 14-day patching requirement hasn't changed, but enforcement is expected to be stricter. If your charity relies on volunteers to apply updates and nobody's checked in a month, that's a problem you need to solve before your assessment.
Does Cyber Essentials help with funding?
Yes, and this is where it gets practical for charities that depend on government grants or public sector partnerships.
Under Procurement Policy Note 09/14 (PPN 09/14), government contracts involving personal data or ICT services require Cyber Essentials certification. That applies by contract type, not by value. There's no minimum threshold for contract value. If your charity delivers services under a government contract that involves personal data, you'll need the certificate.
This catches more charities than you'd expect. A homelessness charity delivering services on behalf of a local authority. A training organisation running government-funded programmes, or a mental health charity receiving NHS referrals. Any of these relationships could trigger the CE requirement.
Beyond government work, funders are starting to ask about cybersecurity as part of due diligence. The National Lottery Community Fund, for instance, has been asking more questions about data protection in recent applications. Having a CE certificate doesn't guarantee funding, but it removes a potential obstacle and signals to funders that your charity takes data protection seriously.
Some charitable trusts and foundations are also beginning to include cybersecurity questions in their application forms. It's not universal yet, but the trend is clear, and having the certificate already in place means you don't have to scramble when a funder asks.
What does the assessment look like?
The CE Basic assessment is a self-assessment questionnaire. It's not a technical exam, nobody comes to your office, and nobody plugs anything into your network.
You'll answer questions about your IT setup: what devices you use, how they're configured, who has admin access, whether MFA is enabled, how you handle updates, what your firewall looks like. The questions are specific but they're in plain language. You don't need to be a network engineer to answer them.
An assessor reviews your answers against the requirements. If something doesn't look right, they'll ask follow-up questions. If there's a gap, a good assessor will tell you what needs fixing and give you time to sort it. The process isn't designed to catch you out. It's designed to confirm that the five controls are in place.
I've certified over 800 organisations, and many of them were charities or non-profits. The ones that struggle aren't usually doing anything wrong. They're doing the right things but haven't documented them, or they've missed one requirement like MFA on a cloud service they'd forgotten about.
CE Plus is a different process entirely. It includes a hands-on technical verification where an assessor uses tools to check your systems against the controls. It's more thorough and it costs more. Most charities start with CE Basic and only move up when required. If you need CE Plus for a specific contract or supply chain requirement, you'll know because someone will tell you.
How do you get started?
The process is more straightforward than most people expect.
- List your devices. Every laptop, desktop, tablet, phone, and server that accesses charity data. Include personal devices used by staff and volunteers if they access email, cloud storage, or any charity system. Include your routers and firewalls in this list.
- List your cloud services. Email, file storage, donor management, accounting, project management, communication tools. If you log in with an account and it holds charity data, it's on the list.
- Turn on MFA. Work through your cloud services list and enable MFA on every service that supports it. This single step fixes the most common failure point. Most MFA apps are free to download and use.
- Check your patching. Are your operating systems, web browsers, and office software up to date? If you're running Windows 10 on a laptop that hasn't been updated in three months, that needs sorting. Automatic updates are your best friend with this control.
- Review user accounts. Remove shared logins and give everyone their own account. Make sure admin accounts aren't being used for everyday work. If a volunteer left six months ago and their account is still active, disable it.
- Get assessed. Contact a certification body and start the process. You'll fill in the questionnaire, an assessor will review it, and if everything meets the standard, you'll have your certificate within days.
The five controls aren't complicated to implement. For most charities, the work is tidying up what's already there, not building something from scratch. Your data deserves the same protection as any business. The difference is that CE makes that protection achievable on a charity budget.
Need help with your Cyber Essentials assessment? Get in touch, email [email protected], or call +44 20 3026 2904.