Contact
Charities are under-resourced by definition. IT tends to get funded last, managed informally and held together by a combination of donated equipment, volunteer goodwill and the one trustee who used to work in tech. That's understandable. It's also a genuine problem, because the risks charities face are real and the consequences of getting it wrong fall on the people you exist to serve.
.png)
Charities are under-resourced by definition. IT tends to get funded last, managed informally and held together by a combination of donated equipment, volunteer goodwill and the one trustee who used to work in tech. That's understandable. It's also a genuine problem, because the risks charities face are real and the consequences of getting it wrong fall on the people you exist to serve.
You're handling sensitive data on vulnerable people. Depending on your work, that might include mental health information, safeguarding records, financial hardship details, or data on children. That's special category data under GDPR, and the obligations around it are significant regardless of your organisation's size or budget.
You're also a more attractive target than you might think. Charities process donations, sometimes hold grant funding and have relationships with local authorities, NHS bodies and other organisations that criminals find useful. The assumption that nobody would bother attacking a small charity is unfortunately wrong.
Donated and ageing equipment. Many charities run on second-hand computers donated by businesses or individuals. That equipment often arrives with old software, uncleared data from the previous owner, and no recent security updates. Using it without a proper assessment and rebuild creates risk from day one.
Volunteer access. Volunteers are essential but they're also a security challenge. They come and go, they use personal devices and access controls that work for a stable staff team often don't account for the fluid nature of volunteer involvement. Someone who stopped volunteering eighteen months ago may still have access to your systems if nobody checked.
Fundraising platforms and payment processing. Online donation platforms, fundraising events and direct debit mandates all involve financial data. Most reputable platforms handle their own security well, but the connections between those platforms and your internal systems — who has admin access, where the data goes afterwards — need active management.
Email. Phishing attacks on charities are common. Staff and volunteers are often less security-aware than their counterparts in commercial businesses, and the informal culture of many charities means suspicious emails are more likely to be clicked than questioned. A single compromised email account can expose donor data, grant correspondence and safeguarding records.
Cloud storage. Google Workspace and Microsoft 365 are both available at heavily discounted or free rates for registered charities. Many charities use them, which is sensible. But free access doesn't come with automatic security — access controls, sharing settings and offboarding processes all need to be managed properly or you end up with documents accessible to people who left two years ago.
The Charity Commission expects trustees to take reasonable steps to protect their organisation's data and assets. That includes IT. A trustee board that hasn't discussed cyber security or data protection isn't meeting its governance obligations and if an incident occurs, personal liability for trustees is a real possibility.
GDPR applies in full. The ICO does not give charities a pass on data protection and several charities have received enforcement action in recent years. The fact that you're a small organisation with limited resources is context, not a defence.
If you work with children or vulnerable adults, safeguarding obligations add another layer. Inadequate data security in those contexts isn't just a regulatory issue — it can cause direct harm to the people you're trying to protect.
The most common objection to proper IT support in the charity sector is cost. It's a fair concern and it deserves a straight answer.
Cyber Essentials certification — which provides a meaningful baseline of security — costs a few hundred pounds and is a requirement for some grant funding streams. Microsoft 365 Business Premium, which includes a substantial set of security tools, is available to charities at a fraction of the commercial rate through the Microsoft nonprofit programme. There are options that don't require a large budget.
What's harder to justify is the cost of not doing it. A data breach involving vulnerable beneficiaries, a ransomware attack that takes down your case management system, or a fraud that diverts grant funding — any of those is likely to cost far more than the IT support that would have prevented it, and the reputational damage to a charity can be irreversible.
You don't need enterprise-grade IT to be adequately protected. You need the basics done properly and maintained consistently: up to date software, controlled access, tested backups, staff awareness and someone who's actually watching your systems rather than waiting for you to call when something breaks.
Mercury Maynard works with organisations across Essex. If you're a charity that wants an honest conversation about where your IT stands and what's realistic given your budget, we're happy to have it — no jargon, no overselling.
Revolutionise business communication with unified solutions, connectivity and reliable hardware options.
Get IT problems sorted quickly with a trusted team of experts.
Move your business to new heights with our flexible and secure Cloud Services.
Stay connected and boost your online presence with our reliable Network Solutions.
Protect your business from cyber threats with our cutting-edge Cyber Security services.
Unlock the full potential of your technology with our expert IT Advisory Services.