Cyber security for non-profits and charities

Charities hold some of the most sensitive personal data in the UK, often with smaller budgets than the commercial sector. Forensic Control helps non-profits protect donor and beneficiary data with proportionate, affordable cyber security led by former Scotland Yard investigators.

Why charities are a growing cyber target

Charities hold a combination of data that attackers find valuable: donor records (including bank and card details), beneficiary information (sometimes including vulnerable people), and access to legitimate fundraising channels. That makes the sector a deliberate target, not an accidental one.

Three things are driving the change for UK charities:

  • The Charity Commission expects trustees to manage cyber risk as part of their wider duty of care, set out in CC3 and related guidance.
  • Funders, particularly larger grant-making bodies and public-sector commissioners, increasingly ask about cyber security as part of due diligence.
  • The Fundraising Regulator code and UK GDPR set clear expectations around how donor and beneficiary data is handled, particularly where vulnerable people are involved.

Forensic Control works with charities and non-profits to meet these expectations proportionately. We understand the sector's budget constraints and the practical reality of running IT with limited internal capacity. Our approach is to focus on the controls that actually reduce risk, not to impose enterprise security on organisations that cannot sustain it.

Common security challenges for charities

Charities face a distinctive set of cyber risks shaped by limited budgets, mixed staff and volunteer access, and acute sensitivity around the data they hold.

Donor and beneficiary data

Charities hold sensitive personal data, sometimes about vulnerable people. A breach causes real harm and can permanently damage donor trust.

Funder due diligence

Grant-makers and commissioners increasingly ask about cyber security during funding assessments. Strong answers improve funding prospects.

Online donations and payments

Donation pages, recurring giving and event ticketing all involve card and bank data. Each is a potential target if not properly secured.

Volunteer access management

Volunteers often need access to systems but turnover is high. Managing accounts properly is one of the most common gaps we see.

Phishing and impersonation

Charities are routinely impersonated in fundraising scams, and staff are targeted by phishing emails pretending to be from funders or trustees.

Charity Commission expectations

Trustees are expected to manage cyber risk as part of their wider duty of care. The Commission has published guidance on what good looks like.

Cyber Essentials for funder due diligence and trustee duty of care

For most charities, Cyber Essentials does three jobs at once: it satisfies an increasing share of funder due diligence questions, it reassures donors that their data is properly protected, and it gives trustees a clear evidence point for their duty of care under Charity Commission guidance. It is the UK government-backed certification, recognised across the sector.

Forensic Control is an authorised IASME Certification Body, not a reseller. We have been delivering Cyber Essentials since 2017, and we work with charities to make certification proportionate and affordable:

  • Cyber Essentials (Basic). Suitable for most small to medium charities. Self-assessment with expert review.
  • Cyber Essentials Plus. Required by some larger funders and for charities handling particularly sensitive data. Independent technical audit with vulnerability scanning included at no extra cost.
  • Cyber Essentials Duo. Basic and Plus combined at a single price point.

Pricing is fixed regardless of charity size up to the standard scheme thresholds. We support charities of all sizes, from small local organisations to national bodies, with the same level of care.

Wider services for charities

Beyond Cyber Essentials, we support charities across the full security lifecycle.

Penetration testing

Testing of your systems and donation platforms to identify vulnerabilities before attackers do. Scoped proportionately to charity budgets.

Vulnerability scanning

Continuous monitoring for known vulnerabilities, with prioritised remediation guidance. Included with every CE Plus certification.

Incident response

When something goes wrong, we help you contain, investigate and recover, drawing on Metropolitan Police Hi-Tech Crime Unit experience.

Security awareness training

Practical training for charity staff and volunteers on recognising phishing, protecting donor data and reporting suspicious activity.

"He was able to help us get our Cyber Essentials renewal over the line during out of hours just so there is no lapse between our Cyber Essentials. He has been very helpful in answering all my questions as I was leading the Cyber Essentials renewal for my company for the first time and it could not have been any easier."

An Le
IT Security Analyst, Save the Children

Frequently asked questions

Practical answers to the questions charities ask us most often.
Do charities need Cyber Essentials?
Are there cyber security grants or discounts for charities?
We have a lot of volunteers who need access to our systems. How do we manage that securely?
What does the Charity Commission expect us to do about cyber security?
We process online donations. What additional security do we need?
We have been impersonated in a fundraising scam. What should we do?
How do we handle beneficiary data where safeguarding considerations apply?
How does cyber security fit with our Fundraising Regulator obligations?

Speak to a specialist about cyber security for your charity

Whether you are preparing for funder due diligence, responding to a donor concern, or improving your security after an incident, we can help. Contact us or book a short call to talk through where you are and what you need.