Welcome back to the Resilient Charities Series, where we examine practical, governance-led approaches to strengthening organisational resilience in an increasingly digital landscape. In this edition, we focus on cyber resilience, outlining why it has evolved beyond a purely technical consideration into a critical board-level priority for charity leaders across London and the wider UK.
The Shift: Cyber Resilience as a Board-Level Priority for UK Charities
Cyber threats continue to escalate in frequency and sophistication, elevating cyber resilience to a core governance priority for trustees and senior leadership. It is no longer confined to IT functions; decisions around cyber security now directly impact organisational risk management, regulatory compliance, reputation, and service continuity. This is particularly relevant for mid-sized charities, which must balance constrained resources with expanding digital dependencies. According to the UK Government’s Cyber Security Breaches Survey, 32% of UK charities reported experiencing a cyber breach or attack in the past 12 months, reinforcing the need for board-level oversight and accountability.
Beyond Basic MFA: Why SMS Authentication Is Insufficient for UK Charities
Multi-factor authentication (MFA) is widely recognised as a foundational security control, and many UK charities have adopted baseline measures such as SMS-based verification. However, these controls are increasingly inadequate against modern threat vectors. SIM swapping, interception of the mobile network, and real-time phishing proxies that relay a one-time code the moment the user types it all allow attackers to bypass SMS-based MFA, leaving organisations exposed despite apparent safeguards. The last of these works against any one-time code regardless of how it is delivered, so the durable fix is phishing-resistant MFA (FIDO2 security keys or passkeys) rather than simply swapping SMS for an authenticator app. As a result, reliance on basic MFA can introduce a false sense of security rather than delivering meaningful risk reduction. This risk is underscored by guidance from the National Cyber Security Centre, which continues to advise against SMS-based authentication for sensitive systems, while the UK Government's Cyber Security Breaches Survey highlights that phishing and credential compromise remain among the most common attack vectors affecting UK organisations.
Incident Response Planning for UK Charities: Practical, Board-Ready Steps
Effective cyber resilience extends beyond prevention; it requires a well-defined and tested incident response capability. For UK charities, a structured incident response plan is essential to ensure rapid, coordinated action in the event of a breach. This should include clearly defined roles and responsibilities, up-to-date contact lists, and formalised communication protocols for both internal stakeholders and external parties. Plans should be regularly rehearsed through scenario-based exercises to validate readiness and identify gaps. Documentation must remain concise, accessible, and operationally focused to support decision-making under pressure. Crucially, trustee and senior leadership involvement is required to ensure governance alignment, accountability, and timely escalation.
The importance of preparedness is reinforced by the UK Government's Cyber Security Breaches Survey, which found that a significant proportion of UK organisations lack formal incident response plans despite having experienced cyber incidents, highlighting a critical gap in organisational resilience. As the old adage goes, failing to prepare is preparing to fail.
Third-Party and SaaS Risk Management for UK Charities: Strengthening Supplier Assurance
UK charities are increasingly dependent on third-party suppliers and Software-as-a-Service (SaaS) platforms to deliver critical services, but each external relationship introduces additional cyber risk. Effective supplier risk management therefore requires a structured and proportionate approach: conducting due diligence on vendors’ security controls, reviewing contractual data protection and incident notification clauses, and maintaining an up-to-date register of critical third-party services. Prioritisation is essential, with particular focus on suppliers that process sensitive or mission-critical data.
In practice, robust due diligence should go beyond surface-level checks. This includes issuing standardised security questionnaires aligned to recognised frameworks (such as Cyber Essentials or ISO 27001), validating supplier certifications where applicable, and assessing key controls including access management, data encryption, backup practices, and incident response capability. Contracts should clearly define security expectations, breach notification timelines, and accountability. Ongoing assurance is equally important; it can be achieved through periodic reviews, monitoring supplier performance, and reassessing risk when services or the threat landscape change.
This risk landscape is reinforced by the UK Government's Cyber Security Breaches Survey, which consistently identifies third-party access and supply chain vulnerabilities as a contributing factor in UK cyber incidents, and which reports that only 14% of UK charities formally review the risks posed by their immediate suppliers. Both findings underline the need for stronger supplier assurance and governance oversight.
Cyber Insurance Requirements for UK Charities: Aligning Controls with Insurer Expectations
Cyber insurance providers are continuing to tighten underwriting criteria, requiring UK charities to evidence mature and well-governed cyber security practices. Expectations now extend well beyond basic multi-factor authentication (MFA) to include formal risk assessments, documented policies and procedures, tested incident response plans, and demonstrable staff awareness training. For many charities, this reflects a shift from ad-hoc controls toward structured, auditable cyber resilience frameworks aligned with recognised standards.
Our approach supports charities in meeting these evolving insurer requirements through structured due diligence and practical implementation support. This includes cyber maturity gap assessments, services aligned to frameworks such as Cyber Essentials and ISO 27001, validation of technical safeguards (including identity and access management, backup integrity, and endpoint protection), and preparation of insurer-ready evidence packs. We also help charities engage proactively with insurers to interpret requirements early, reduce ambiguity, and embed proportionate controls that satisfy underwriting expectations without unnecessary operational overhead.
Aligning with UK Cyber Security Guidance: Practical, Proportionate Controls
UK national cyber security frameworks provide strong guidance for improving resilience, but for mid-sized charities the priority is translating this into practical, proportionate controls that improve security without adding unnecessary complexity or operational burden.
A focused approach delivers the most meaningful protection: strong authentication (moving beyond SMS-based MFA), regular and tested backups, clear incident response procedures, and consistent staff cyber awareness training. These core controls address the most common attack vectors while remaining achievable within constrained resources. Overly complex toolsets or fragmented processes can reduce visibility and increase operational risk rather than improve resilience.
Our approach is to align security design with real-world threat patterns. For example, since phishing remains the most common type of cyber attack experienced by UK organisations, we implement layered security controls such as CyberSmart to strengthen baseline security posture and enforce Cyber Essentials-aligned protections, alongside Sendmarc to improve email domain protection and reduce impersonation risk through DMARC enforcement. DMARC only delivers that protection once the policy reaches p=reject and every legitimate sending service (mail platform, fundraising tools, newsletter providers) passes SPF or DKIM with aligned domains; a record left at p=none monitors but blocks nothing. These controls are paired with practical user phishing awareness training and reporting mechanisms to ensure staff can identify and respond to suspicious activity effectively.
This emphasis on foundational controls is reinforced by the UK Government's Cyber Security Breaches Survey, which highlights phishing as the most prevalent attack vector affecting UK organisations and underscores the need to prioritise targeted, proportionate defences over unnecessary complexity.
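To make the DMARC point concrete, the following is an added example (not code from the original post, and not Sendmarc's or CyberSmart's tooling) that parses a domain's DMARC TXT record and flags the settings that leave the domain spoofable: p=none, a partial pct, an sp=none subdomain escape hatch, and missing aggregate reporting. The domains and records in SAMPLE_RECORDS are constructed for the demonstration; in use, the record is the TXT value at _dmarc.<domain> (the name dmarc_query_name builds), fetched with your DNS tooling of choice before being passed to assess_dmarc.

```python
"""Assess DMARC records for the weak settings that leave a domain spoofable.

Added example for illustration only; the domains and records below are
constructed, not real. Real records live at the TXT name _dmarc.<domain>.
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}

# Constructed sample records: the stages a domain passes through on the way
# from "no policy" to full DMARC enforcement.
SAMPLE_RECORDS = {
    "charity-missing.example": "",
    "charity-monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@charity-monitor.example",
    "charity-partial.example": ("v=DMARC1; p=quarantine; pct=25; sp=none; "
                                "rua=mailto:dmarc@charity-partial.example"),
    "charity-enforced.example": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                                 "rua=mailto:dmarc@charity-enforced.example"),
}


def dmarc_query_name(domain: str) -> str:
    """DNS name whose TXT record carries the DMARC policy for `domain`."""
    return f"_dmarc.{domain.strip('.').lower()}"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record (RFC 7489 'tag=value; ...' form) into a dict.

    Returns {} when the record is empty or does not carry v=DMARC1, which is
    how receiving mail servers treat it: as no policy at all.
    """
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_dmarc(record: str) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs, most severe first.

    An empty list means the record is at full enforcement: p=reject applied
    to 100% of failing mail, subdomains covered, aggregate reporting on,
    strict alignment.
    """
    tags = parse_dmarc(record)
    if not tags:
        return [("high", "no valid DMARC record: receivers apply no policy, so "
                         "mail spoofing the domain is delivered normally")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(("high", f"p={policy or '(missing)'} is not a valid policy; "
                                 "receivers ignore the whole record"))
    elif policy == "none":
        findings.append(("high", "p=none: monitoring only, spoofed mail is still "
                                 "delivered to recipients"))
    elif policy == "quarantine":
        findings.append(("medium", "p=quarantine: spoofed mail is junked rather than "
                                   "rejected; move to p=reject once reports are clean"))

    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(("medium", f"pct={pct}: the policy is applied to only {pct}% "
                                   "of failing mail; the rest is delivered"))

    # Subdomain policy defaults to p= when sp= is absent; an explicit sp=none
    # reopens the door through names like hr.<domain> or giving.<domain>.
    subdomain_policy = tags.get("sp", policy).lower()
    if policy in ("quarantine", "reject") and subdomain_policy == "none":
        findings.append(("high", "sp=none: subdomains are unprotected, so attackers "
                                 "can spoof any subdomain of the organisation"))

    if not tags.get("rua", "").startswith("mailto:"):
        findings.append(("medium", "no rua= mailto address: no aggregate reports, so "
                                   "legitimate and rogue senders cannot be told apart"))

    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() == "r":
            findings.append(("info", f"{tag}=r (relaxed alignment, the default): any "
                                     "subdomain aligns; consider s once senders are known"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def is_enforced(record: str) -> bool:
    """True when the record carries no high or medium findings."""
    return all(sev == "info" for sev, _ in assess_dmarc(record))


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{dmarc_query_name(domain)}  ->  {record or '(no record)'}")
        for severity, finding in assess_dmarc(record) or [("ok", "at enforcement")]:
            print(f"  [{severity}] {finding}")
```

Running the block prints one line per finding for each constructed domain; only charity-enforced.example comes back clean. The ordering of checks mirrors the rollout order a charity would follow: publish with p=none and rua= to collect reports, inventory every legitimate sender, then raise p= and pct= together and make sure sp= does not silently undo the policy for subdomains.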
Proportionate Protection: Sustainable Strategies for Mid-Sized Charities
Mid-sized charities in London do not need enterprise-level cyber security stacks to achieve meaningful protection. Instead, long-term resilience is built through proportionate, scalable cyber security measures that strengthen core controls while remaining sustainable within limited budgets and operational capacity.
A practical approach focuses on high-impact essentials: regular security control reviews, strong authentication practices, tested backup and recovery processes, clear incident response planning, and ongoing staff cyber awareness. Just as importantly, cyber risk must be understood and reviewed at trustee and senior leadership level to ensure governance aligns with operational reality.
Our approach to cyber security for London charities prioritises measurable risk reduction over complexity. We help organisations embed cyber resilience into day-to-day operations through structured improvements rather than one-off technical deployments, ensuring security becomes sustainable, auditable, and board relevant.
This is critical given guidance from the National Cyber Security Centre, which highlights that UK organisations face continuous and escalating cyber threats, with a high volume of attacks targeting basic security weaknesses such as weak authentication, phishing, and misconfigured systems. This reinforces the importance of focusing on practical, proportionate controls rather than overly complex or fragmented security tooling.
For London charities, the objective is not more technology; it is clearer governance, stronger fundamentals, and resilient systems that support mission delivery, even under threat.
Conclusion: Key Takeaways and Next Steps
Cyber resilience is now a board-level priority, demanding action beyond basic MFA. By embracing structured incident response planning, assessing supplier risks, meeting insurer expectations, and aligning with national guidance, mid-sized charities can build robust yet manageable defences. The journey is ongoing – start with small, achievable steps and foster a culture of continual improvement. Your charity’s future depends on it.