How to Keep Your Charity Safe Online Without Worrying About Rules

What if your charity’s email got hacked tomorrow and someone started sending fake donation requests to all your supporters? Or your volunteer database was accessed by strangers? Or your website was taken down just when you’re launching your biggest fundraising campaign of the year?

If these scenarios make your stomach drop, you’re not alone. Every day, small charities and community groups across the UK worry about online security, but many feel completely overwhelmed by where to start. Between GDPR, cybersecurity guidance, and endless advice about passwords and firewalls, it can feel like you need a computer science degree just to send an email safely.

The good news? Keeping your organisation safe online isn’t about following hundreds of complicated rules or buying expensive security software. It’s about building a few simple, good habits that become as automatic as locking your office door when you leave. Most online threats target organisations that haven’t done the basics, so getting those basics right will protect you from the vast majority of problems you might face.

You don’t need to become a tech expert. You just need to know which simple steps make the biggest difference, and how to make them part of your everyday routine without driving yourself mad with worry.

Stay Safe by Creating Strong Passwords That People Will Actually Use

The biggest security risk for most charities isn’t sophisticated hackers; it’s weak passwords. When your entire team uses “password123” or the charity’s name plus the current year, you’re basically leaving your front door wide open.

But here’s the thing: complicated password rules that no one can remember don’t work either. People write them down on sticky notes or use the same “secure” password everywhere, which defeats the point.

Try this instead:

  • Use three random words together: Like “horse-battery-staple” or “coffee-rainbow-bicycle”
  • Make each password unique by adding the service name: So your Facebook password might be “coffee-rainbow-bicycle-facebook”
  • Use a password manager if you can: But if that feels too complicated, the three-word system is much better than weak passwords
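
An added example (not part of the original post) of picking the three words by machine rather than by hand, with an estimate of how much the size of the word list matters. The word list is a constructed sample and the function names are illustrative.

```python
import math
import secrets

# Constructed sample list so the example runs offline. A real list should be
# far larger (the EFF long diceware list, for instance, has 7776 words).
SAMPLE_WORDS = (
    "anchor basket candle dolphin ember forest garden harbour island jacket "
    "kettle lantern meadow needle orchard pebble quilt river saddle thimble "
    "umbrella velvet walnut yellow zipper bramble cobalt dagger falcon ginger "
    "hammock igloo"
).split()


def entropy_bits(wordlist_size, words=3):
    """Bits of entropy when each word is drawn uniformly at random."""
    return words * math.log2(wordlist_size)


def make_passphrase(wordlist, words=3, min_list_size=32):
    """Join randomly chosen words with hyphens, in the style shown above."""
    unique = sorted({w.strip().lower() for w in wordlist if w.strip()})
    if len(unique) < min_list_size:
        raise ValueError(f"word list too small: {len(unique)} unique words")
    # secrets draws from the operating system's secure random source;
    # words a person "thinks up" are far easier to guess.
    return "-".join(secrets.choice(unique) for _ in range(words))


if __name__ == "__main__":
    print(make_passphrase(SAMPLE_WORDS))
    print(f"{len(SAMPLE_WORDS)}-word list: {entropy_bits(len(SAMPLE_WORDS)):.1f} bits")
    print(f"7776-word list: {entropy_bits(7776):.1f} bits")
```
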

For your most important accounts:

  • Your email (if this gets hacked, they can reset everything else)
  • Your banking and PayPal
  • Your website admin area
  • Any systems that hold supporter or client data

Make it a team habit: Instead of emailing passwords, write them down and hand them over in person. When someone leaves, change any passwords they knew. It sounds obvious, but many organisations forget this basic step.

Keep Your Information Safe and Legal

You probably have email addresses, phone numbers, and personal stories from the people you help. This information is valuable—both to your work and to people who might misuse it. Protecting it isn’t just about security; it’s about maintaining the trust people place in you.

Simple steps that make a big difference:

  • Only collect information you actually need: Don’t ask for address details if you only need an email for newsletters
  • Store information in as few places as possible: One spreadsheet is easier to protect than five different lists
  • Delete old information regularly: Do you really need contact details from volunteers from five years ago?
  • Be careful what you put in emails: Personal details, addresses, and sensitive information shouldn’t be floating around in email threads

When sharing stories:

  • Always ask permission before sharing someone’s story, even if you’re not using their name
  • Change identifying details if needed; the impact of your work comes through even if you change names and locations
  • Keep original records separate from the versions you share publicly

For team access:

  • Not everyone needs access to everything; your social media volunteer doesn’t need to see your client database
  • Use shared accounts for things like social media, but individual accounts for email and important systems
  • When people leave, remove their access the same day

Protect Your Online Accounts From Takeovers

Imagine logging into your Facebook page and finding posts you didn’t write, or discovering your website is displaying content that has nothing to do with your charity. Account takeovers happen more often than you might think, usually because someone guessed a password or clicked on a fake email.

Set up two-step verification on important accounts: This sounds complicated, but it just means you get a text message with a code when logging in from a new device. It stops most account takeovers instantly.

Do this for:

  • Email accounts (especially the main charity email)
  • Social media accounts
  • Website administration
  • Banking and payment accounts
  • Any cloud storage you use

Watch out for fake emails:

  • Banks and tech companies don’t usually ask you to click links in emails to verify your account
  • When in doubt, go to the website directly rather than clicking email links
  • If an email feels urgent or threatening, it’s probably fake—legitimate companies don’t work that way

Keep your systems updated:

  • Turn on automatic updates for your computers and phones where possible
  • Don’t ignore those “restart to finish updates” messages—security updates are important
  • If you use WordPress or similar for your website, keep it updated or ask whoever manages it to do this regularly

Back Up Your Important Information

What would happen if your computer died tomorrow, or your office was flooded, or someone accidentally deleted your entire supporter database? If the thought makes you panic, you need better backups.

The simple backup rule: 3-2-1

  • 3 copies of important information (the original plus two backups)
  • 2 different types of storage (like your computer and an external drive)
  • 1 copy stored somewhere else (like cloud storage or a backup kept at someone’s home)

What to back up:

  • Contact lists and databases
  • Financial records
  • Important documents and policies
  • Photos from events
  • Your website content

Easy backup options:

  • Cloud storage: Google Drive, Dropbox, or OneDrive automatically sync files
  • External hard drives: Cheap and simple, but remember to actually use them regularly
  • Email yourself important files: Not ideal as a main backup, but better than nothing

Make it routine: Set a monthly reminder to check your backups. The best backup system in the world is useless if you never use it.
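
One way to run that monthly check, as an added example rather than part of the original post: it compares each backup folder with the original by SHA-256 and reports whether the 3-2-1 rule currently holds. The folder paths and the `path`, `media` and `offsite` keys are assumptions for illustration.

```python
import hashlib
from pathlib import Path


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_hashes(root):
    """Map each file under `root` (relative path) to its SHA-256 digest."""
    root = Path(root)
    if not root.is_dir():
        return {}  # an unplugged drive or missing folder counts as an empty copy
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_backups(original, backups, original_media="computer"):
    """Compare each backup with the original, then test the 3-2-1 rule."""
    # `backups` is a list of dicts with the assumed keys path, media, offsite.
    want = file_hashes(original)
    copies, good = [], []
    for backup in backups:
        have = file_hashes(backup["path"])
        missing = sorted(name for name in want if name not in have)
        changed = sorted(n for n in want if n in have and have[n] != want[n])
        copies.append({"path": str(backup["path"]), "missing": missing, "changed": changed})
        if want and not missing and not changed:
            good.append(backup)  # only complete, matching copies count
    return {
        "copies": copies,
        "three_copies": 1 + len(good) >= 3,
        "two_media": len({original_media} | {b["media"] for b in good}) >= 2,
        "one_offsite": any(b["offsite"] for b in good),
    }
```

A copy that is listed but missing files, or whose files differ from the original, is reported and does not count towards the rule.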

Know Who to Call When Things Go Wrong

Even with the best precautions, things sometimes go wrong online. The key is knowing how to respond quickly to limit any damage.

Create a simple action plan:

  • Who has the passwords to change compromised accounts?
  • Who can contact your supporters if you need to warn them about fake emails?
  • Who manages your website and can fix problems quickly?
  • Which systems are most critical to your work, and who can help restore them?

If you think you’ve been hacked:

  1. Change passwords immediately on any affected accounts
  2. Check what information might have been accessed and who might be affected
  3. Warn your supporters if fake emails might be sent from your account
  4. Contact your bank if financial information might be involved
  5. Report it to Action Fraud if money or sensitive data was involved

Consider cyber insurance: Many charity insurance policies now include basic cyber cover. It’s worth asking your insurer what’s included and whether you need additional protection.

Find local help: Many areas have volunteer IT support groups that help charities and community organisations. Your local Council for Voluntary Service might know who can help.

Small Steps, Big Protection

Online security doesn’t have to be complicated or scary. Like most things in life, it’s about building good habits rather than perfect systems. You don’t need to understand how encryption works or become a cyber security expert—you just need to do the basics consistently.

This week, pick just one thing from this post and make it happen. Maybe it’s changing the password on your main email account, setting up a simple backup, or turning on two-step verification for your Facebook page. One small step that takes five minutes today could save you days of stress and work later.

Your organisation does important work, and that work depends on people trusting you with their information and support. Taking basic steps to protect that trust isn’t just about following rules; it’s about making sure you can keep helping the people who need you most.

The online world can feel overwhelming, but you don’t have to navigate it alone. Take it one step at a time, ask for help when you need it, and remember that doing something imperfectly is always better than doing nothing at all.

Which account would cause you the biggest headache if it was hacked? Start there, and spend ten minutes this week making it more secure.
