Not-for-Profits and Cyber Essentials Plus: how Business Premium helps

Cyber Essentials Plus is a UK government-backed certification that demonstrates your organisation’s commitment to cyber security. It covers the same five technical controls as the Cyber Essentials self-assessment, but an independent assessor verifies them with a hands-on audit of a sample of your devices and your cloud services. For not-for-profits, achieving this standard is not just about compliance: it is about protecting your mission, your data and the trust of your supporters.

CSG are Microsoft Solutions Partners and have proven our skills as a Modern Work Solutions Partner.

Why Cyber Essentials Plus matters for NFPs

Charities and not-for-profits are increasingly targeted by cyber criminals. The consequences of a breach can be severe: financial loss, data breaches, reputational damage and loss of trust from donors and beneficiaries. Achieving Cyber Essentials Plus helps you guard against these risks and demonstrates to funders and partners that you take security seriously.

How Microsoft 365 Business Premium supports your certification journey

Microsoft 365 Business Premium is designed to bring enterprise-grade security to organisations of all sizes, including not-for-profits. Here’s how it maps to the five technical controls that Cyber Essentials (and therefore Cyber Essentials Plus) assesses:

1. Firewalls and threat protection

  • Microsoft Defender for Business provides next-generation antivirus and endpoint detection and response on every enrolled device.
  • Intune manages the Windows firewall centrally, so you can enforce that it is on for every device and report on devices where it is not. Cyber Essentials expects a firewall at your internet boundary and a software firewall on every device, including laptops used at home.

2. Secure configuration

  • Intune (formerly Microsoft Endpoint Manager) lets you define security baselines and configuration policies for Windows devices and see which devices are out of compliance.
  • Windows Hello for Business replaces the password at sign-in with biometrics or a PIN bound to the device, reducing reliance on passwords that can be phished or reused.

3. User access controls

  • Microsoft Entra ID (formerly Azure AD) provides role-based access control, so day-to-day accounts and administrator accounts can be kept separate, as Cyber Essentials requires.
  • Multi-factor authentication (MFA) is built in, significantly improving identity security.
  • Windows LAPS rotates and stores the local administrator password on each device, so a shared local admin password cannot be reused across your estate.

4. Malware protection

  • Defender for Business and Intune help ensure all devices are protected and monitored for threats.

5. Security update management

  • Automated update policies keep Windows and Microsoft 365 Apps up to date. Cyber Essentials requires updates rated critical or high severity to be applied within 14 days of release and unsupported software to be removed, and Intune reporting lets you evidence this.

Bonus: Microsoft Secure Score provides a central dashboard with actionable insights to improve your security posture. We can provide you with your free IT strategy review to get started today, simply set up a call.

Top 10 tips to make your Not-for-Profit more secure

1. Turn on multi-factor authentication (MFA) everywhere

MFA is one of the simplest and most effective ways to prevent unauthorised access, even if passwords are compromised.

Why it matters: Not-for-Profits often hold sensitive donor and beneficiary data, making them attractive targets for cybercriminals. MFA adds a critical extra layer of protection, and Cyber Essentials requires it for every user of every cloud service, administrators first.

How to set up, in Microsoft 365:

  1. Go to the Microsoft 365 admin center
  2. Select Users
  3. Select Active users
  4. Select Multi-factor authentication
  5. Enable MFA for all users

That page is the legacy per-user MFA setting. Business Premium includes Microsoft Entra ID P1, so the better option is a Conditional Access policy that requires MFA for all users and all cloud apps (security defaults must be switched off to use Conditional Access). Whichever you use, exclude one break-glass account with a long random password kept offline so a mistake cannot lock every administrator out.
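The Conditional Access route, as an added example (this is not CSG’s or Microsoft’s code). It uses the Microsoft Graph PowerShell SDK to create a policy requiring MFA for all users on all cloud apps, starting in report-only mode so the sign-in logs show who would have been affected before anything is enforced. The break-glass account’s UPN is an assumption for the example and must exist before the script runs.

```powershell
# Added example (not CSG's or Microsoft's code): create a Conditional Access policy
# that requires MFA for every user on every cloud app, starting in report-only mode.
# Assumes the Microsoft Graph PowerShell SDK is installed (Install-Module Microsoft.Graph)
# and that a break-glass account with the assumed UPN below already exists.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Exclude one emergency-access account so a misconfigured policy cannot lock
# every administrator out. The UPN is an assumption for this example.
$breakGlassUpn = "breakglass@example-charity.org.uk"
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
if (-not $breakGlass) { throw "Create the break-glass account before creating the policy." }

$policy = @{
    displayName   = "CE: Require MFA for all users on all cloud apps"
    # Report-only first: the sign-in logs record who would have been challenged.
    # Change this to "enabled" once the impact has been reviewed.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Check what is now defined: every Conditional Access policy and its state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

After a week in report-only mode, review the sign-in logs for users who would have been blocked (typically shared mailboxes or service accounts using legacy protocols), fix those, then set the policy state to enabled. Leave the break-glass exclusion in place and monitor that account’s sign-ins.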

2. Keep software and devices updated

Enable automatic updates for all devices and applications, and remove software that no longer receives security updates.

Why it matters: outdated systems are a common entry point for attacks, and NFPs may have limited IT resources to recover from breaches. Cyber Essentials requires critical and high-severity updates to be installed within 14 days of release.

How to set up, on an individual Windows device (Windows updates install automatically by default; these steps make sure that has not been switched off and extend it to Microsoft 365 Apps):

  1. Go to Settings
  2. Select Windows Update (on Windows 10: Update & Security, then Windows Update)
  3. Choose Advanced options
  4. Turn on “Receive updates for other Microsoft products”
  5. Check that updates are not paused and set active hours so restarts happen outside working time

Tip: use Microsoft Intune to manage updates across all devices.
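Managing this through Intune rather than device by device, as an added example (not CSG’s or Microsoft’s code). The script creates a Windows update ring through the Microsoft Graph PowerShell SDK with no deferral for quality updates and a seven-day deadline plus two grace days, so forced installation lands well inside the 14-day window Cyber Essentials requires, then assigns it to all enrolled devices. Property names are those of the Graph windowsUpdateForBusinessConfiguration resource type; the display names and deferral values are choices for this example, and the assignment cmdlet is assumed to be present in the installed Microsoft.Graph.DeviceManagement module.

```powershell
# Added example (not CSG's or Microsoft's code): create an Intune update ring that
# installs Windows quality updates automatically with a deadline short enough to meet
# the Cyber Essentials 14-day patching requirement, then assign it to all devices.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account
# holds the Intune Administrator role.
Import-Module Microsoft.Graph.DeviceManagement

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$ring = @{
    "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
    displayName                        = "CE: Windows update ring (all devices)"
    description                        = "Quality updates forced within 14 days of release"
    # No deferral for quality (security) updates. A short feature-update deferral
    # leaves time to test while keeping devices on a supported build.
    qualityUpdatesDeferralPeriodInDays = 0
    featureUpdatesDeferralPeriodInDays = 14
    # Download, install and restart outside active hours without asking the user.
    automaticUpdateMode                = "autoInstallAndRebootAtMaintenanceTime"
    # Also pull Microsoft 365 Apps and other Microsoft product updates.
    microsoftUpdateServiceAllowed      = $true
    driversExcluded                    = $false
    # Deadline 7 days after release plus 2 grace days: a device that has not
    # installed the update by day 9 restarts automatically, inside the 14-day window.
    deadlineForQualityUpdatesInDays    = 7
    deadlineForFeatureUpdatesInDays    = 7
    deadlineGracePeriodInDays          = 2
}

$created = New-MgDeviceManagementDeviceConfiguration -BodyParameter $ring
"Created update ring $($created.Id)"

# Assign the ring to every enrolled device. If your module version lacks this
# cmdlet, assign the ring to "All devices" in the Intune admin centre instead.
$assignment = @{
    target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" }
}
New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $created.Id -BodyParameter $assignment
```

The Intune update-ring compliance report then shows which devices are behind, which is the evidence a Cyber Essentials Plus assessor will look for on the sampled machines.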

3. Back up data regularly

Use secure, off-site backups and test them regularly. This protects you from ransomware and accidental data loss.

Why it matters: your Not-for-Profit can’t afford to lose critical data to ransomware or accidental deletion, as it can disrupt services and erode trust.

  • Store working files in OneDrive or SharePoint so they are held in the cloud, and turn on the Known Folder Move so Desktop and Documents are included
  • Remember that a synced copy is not a backup on its own: ransomware on a laptop syncs encrypted files up too, so rely on version history, the recycle bin and retention policies, and consider a separate backup copy of your tenant
  • Schedule regular backups and test restoring files, not just that the backup job ran

4. Train your team

Provide regular cyber security training with CSG’s cyber awareness training plans on recognising phishing and scam emails. Human error is a leading cause of breaches.

Why it matters: staff and volunteers within your Not-for-Profit may not have formal IT training, making them more vulnerable to phishing and social engineering. You can improve your staff’s knowledge by:

  • Running regular security awareness sessions
  • Using Microsoft’s free security training resources for staff
  • Attending CSG’s regular webinars on how to strengthen cyber resilience within your industry

5. Use long, complex passwords

Longer passwords are much harder to crack, which is essential for protecting sensitive donor and beneficiary data. Cyber Essentials expects passwords of at least 12 characters (or at least 8 where MFA or a deny-list of common passwords is enforced). When creating a new password in Microsoft Password Manager, use the built-in password generator to create passwords that are at least 12 characters long and include uppercase, lowercase, numbers and special characters.

Why it matters: never reuse passwords across multiple accounts, because if one account is compromised then all your accounts are at risk. This is a common issue within NFPs, so make sure that your NFP is ahead of the game by:

  • Letting Microsoft Password Manager generate and store a unique password for every account
  • Using the “Password Health” feature to identify and update reused passwords

CSG further suggest making sure that you are receiving the automated alerts from Microsoft Password Manager that let you know if any of your saved passwords are found in known data breaches, and changing those passwords immediately. Change passwords when there is reason to think they are compromised rather than on a fixed schedule: NCSC guidance no longer recommends routine password expiry, and Cyber Essentials does not require it.

6. Restrict access

Only give staff access to the data and systems they need for their role. Review permissions regularly.

Why it matters: with staff turnover and volunteers, it’s easy for leavers to retain access to sensitive data. Cyber Essentials requires accounts to be removed or disabled when they are no longer needed, and administrator accounts to be separate from the accounts used for email and browsing. You can keep on top of this by:

  • Having a joiner, mover and leaver process so accounts are disabled the day someone leaves
  • Regularly reviewing user permissions and admin role membership in the Microsoft 365 admin center
  • Using role-based access control (RBAC) to limit data exposure
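A script for the periodic review, as an added example (not CSG’s or Microsoft’s code). It lists enabled accounts with no sign-in for 90 days and every member of the privileged directory roles, so both lists can be checked against the current staff and volunteer roster. The 90-day threshold, the list of roles and the leaver’s UPN are assumptions for the example; the signInActivity property needs an Entra ID P1 licence, which Business Premium includes.

```powershell
# Added example (not CSG's or Microsoft's code): a leaver / stale-account review for
# Microsoft 365. Lists enabled accounts that have not signed in for 90 days and every
# member of a privileged directory role. Assumes the Microsoft Graph PowerShell SDK
# is installed; signInActivity needs Entra ID P1, which Business Premium includes.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$staleAfter = (Get-Date).AddDays(-90)   # review threshold; an assumption, adjust to your policy

# 1. Enabled accounts with no sign-in in the last 90 days (or no sign-in at all).
$users = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, AccountEnabled, SignInActivity
$stale = $users | Where-Object {
    $_.AccountEnabled -and (
        -not $_.SignInActivity.LastSignInDateTime -or
        $_.SignInActivity.LastSignInDateTime -lt $staleAfter
    )
}
"--- Enabled accounts with no sign-in since $($staleAfter.ToString('yyyy-MM-dd')) ---"
$stale | Select-Object DisplayName, UserPrincipalName,
    @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } | Format-Table -AutoSize

# 2. Who holds privileged roles. Only roles that have been activated in the tenant
#    appear in Get-MgDirectoryRole; members come back as generic directory objects,
#    so the UPN and object type are read from AdditionalProperties.
$privilegedRoles = "Global Administrator", "Exchange Administrator", "SharePoint Administrator",
                   "User Administrator", "Security Administrator"
"--- Privileged role members ---"
foreach ($role in Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -in $privilegedRoles }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = $member.AdditionalProperties['userPrincipalName']
            Type   = $member.AdditionalProperties['@odata.type']
        }
    }
}

# 3. Disable (rather than delete) a leaver found in the review, which keeps the
#    mailbox and OneDrive for retention. The UPN is an assumption for this example.
# Update-MgUser -UserId "leaver@example-charity.org.uk" -AccountEnabled:$false
```

Run it monthly and keep the output with the date and who reviewed it: that record is what an assessor will ask for when checking that leavers’ accounts are disabled and that administrator roles are held only by the people who need them.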

7. Document your processes

Keep clear records of your security policies and procedures, and an accurate inventory of the devices, software and cloud services in scope. You need that inventory to complete the Cyber Essentials self-assessment, which Cyber Essentials Plus builds on, and the assessor will sample from it.

Why it matters: your not-for-profit may rely heavily on part-time staff or volunteers, so clear documentation ensures continuity and compliance. We suggest:

  • Storing policies and procedures in a shared SharePoint folder
  • Using Microsoft Teams or OneNote for easy access and updates

8. Test your response plans

Regularly test your incident response, business continuity and disaster recovery plans.

Why it matters: NFPs may not have dedicated IT teams, so practising responses to incidents helps everyone know what to do in a crisis. CSG support a range of NFPs with their disaster recovery plans and can help your organisation with:

  • Scheduling regular tabletop exercises for incident response
  • Creating an incident response plan that suits your organisation

9. Review remote work security

Ensure staff working remotely follow secure practices, such as using a VPN on untrusted Wi-Fi and not accessing sensitive data in public places.

Why it matters: many NFPs operate remotely or in the field, increasing the risk of data exposure on unsecured networks. Home routers are outside the scope of Cyber Essentials, so the protection has to be on the device itself: the Windows firewall on, the disk encrypted with BitLocker, and the device enrolled in Intune so it receives the same policies as office machines.
CSG can help you set up:

  • A VPN for remote access, configured on each Windows device
  • BitLocker disk encryption enforced through Intune, so a lost laptop does not become a data breach
  • Regular training for staff on safe Wi-Fi practices and device encryption

10. Seek expert help

Microsoft recommends that smaller organisations without in-house IT work with a managed service provider, and that is especially useful when preparing for Cyber Essentials Plus.

Why it matters: NFPs may lack in-house expertise, but outside support can help you meet standards like Cyber Essentials Plus. Partner with a trusted IT provider.

Explore our resources to see how we’ve supported businesses across the UK with disaster recovery.

Speak to an IT Specialist

To find out more or to talk to one of our experts, contact us today.