top of page

Passwords, MFA and online security for charities – does it really matter?

You might well ask this question since charities are not cash rich organizations. But all charitable organizations hold personal records and other sensitive data which if publicised could damage the reputation of the charity, impacting on their ability to raise money for their good causes in the future. Couple this high value data with the fact that almost 50% of charities have very basic or non-existent cyber security protocols and it becomes easier to understand why they are such a high value target. Charities exist because the public trust that most of the money that they give will go to support something that they believe is a worthwhile cause. Loss of this trust could critically impact all affected charities future operations.

The Head of the National Cyber Security Centre, Lindy Cameron, sums up the current cyberthreats to charities in the 2023 NCSC Cyber Threat Report on the charity sector.

More charities are now offering online services and fundraising online, meaning reliable, trusted digital services are more important than ever. During the Ukraine crisis, we saw more criminals taking advantage of the generosity of the public, masquerading as charities for their own financial gain. Cyber-attacks affecting services, funds or compromising sensitive data can be devastating financially and reputationally, potentially putting vulnerable people at risk. The NCSC continues to support this vital sector and encourages all readers of this report to implement the guidance within it.

So where do you start?

Ensuring that your team use strong passwords is as good a place as any. The below graphic represents the time it would take for a cybercriminal to hack (brute force) a password using current technological capabilities.

Passwords should ideally be in the green section of this table, but if one of your current passwords is in another colour - do not worry. We would just advise that change it to something more secure and unique. With the rapid advancements in processing power, areas in the orange section may look secure right now, but it the next couple of years, they may become much weaker.

The NCSC recommend use three random words followed by punctuation to create a secure and unique password. To find out more about passwords guidance, click here.

Multi Factor Authentication

Two Factor Authentication (2FA) and Multi Factor Authentication (MFA) are incredibly useful in protecting your systems, accounts, and devices. They are essentially two or more methods that can verify your identity. A cybercriminal may be able to crack your username or password, but they do not have your fingerprint, Face ID, or your mobile phone to authorise a log in attempt on a mobile authenticator app.

2FA follows the idea of using a combination of two of ‘Something you know’, ‘Something you have’, and ‘Something you are’. So, you might have a password that you have remembered, a physical identification token like a badge, and a fingerprint scanner. Often times the ‘something you have’ will take the form of a different device, like a mobile phone, in order to verify your identity when connecting to services online.

By enabling MFA across your systems, accounts, and devices you are providing an additional layer of defence to protect you from a cyberattack.

What can you do now?

1. See what passwords you and your staff have which have already appeared in data breaches and change them as soon as possible. Why not run a poll to see who has the most/least breaches? is a website used globally by law enforcement to demonstrate whether your personal information has already been captured in a data breach. You can also register your email address or domain and get notified if it appears in another breach.

2. Have a clear password policy for staff and tell them why having strong, unique passwords are essential. If you need some help with this, our affordable student services offer security awareness training. Why not make a booking to discuss further?

3. Enable 2FA and MFA wherever you can, but especially on your emails and social media accounts. Even with the best passwords, once someone knows that password then the system is no longer secure. With 2FA or MFA, even if the password and username are known, the criminal won’t have access to the second verification factor so they shouldn’t be able to just “log in”.

4. If your staff have a lot of passwords to remember, consider getting an enterprise password manager so they only have to remember one and the password manager generates and remembers the rest – saying goodbye to reused passwords.

ECRC logo
Join this police led organisation free of charge today

5. Join the ECRC with free membership. Core members receive regular updates which include the latest guidance, news, and security updates as well as a series of "little steps" emails designed to get your business cyber resilient. Did you know that your local police force has Protect officers who will do free staff awareness training?

Reporting a live cyber-attack 24/7

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which isn't ongoing

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need. Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page