Mark One Consultants Blog - IT news & technology tips


Disaster Recovery Planning for UK NGOs...

by Jon Budzynski - Thu 30 Apr 2026

How to Protect Services, Data and Trust

For UK NGOs, disaster recovery planning is not just an IT exercise. It is a safeguard for beneficiaries, donors, staff, volunteers and the wider mission of the organisation.

Whether your charity supports vulnerable people, delivers community services, manages grant-funded projects or operates internationally, technology is now central to day-to-day impact. A serious IT outage, cyber attack, data loss or cloud service failure can quickly affect service delivery, safeguarding, reporting obligations and public trust.

The risk is real. The UK Government’s Cyber Security Breaches Survey 2025 found that charities continue to experience cyber breaches and attacks, with phishing remaining a common threat. The Charity Commission also advises charities to protect themselves from cyber crime and understand how to respond if an incident occurs.

 

What is disaster recovery planning?

Disaster recovery planning is the process of preparing your organisation to restore critical IT systems, data and services after a disruptive incident.

For NGOs, this may include recovering:

  • Donor and fundraising databases
  • Case management systems
  • Email and Microsoft 365 accounts
  • Financial records
  • Safeguarding and beneficiary data
  • Volunteer management platforms
  • Cloud files and shared drives
  • Websites and online donation systems
  • Devices used by remote staff and field workers

A good disaster recovery plan answers a simple question: if our systems stopped working tomorrow, how would we continue operating and how quickly could we recover?

 

Why disaster recovery matters for UK charities and NGOs

Many NGOs operate with limited budgets, lean internal teams and a high level of dependency on digital systems. This makes resilience especially important.

A major incident could prevent staff from accessing case notes, delay payroll, interrupt fundraising campaigns, expose personal data, or stop frontline teams from communicating. For charities handling sensitive information, the consequences can also include regulatory reporting, reputational damage and loss of donor confidence.

The National Cyber Security Centre advises organisations to plan response and recovery around their essential functions, the assets that support them and the data required to keep operating.

 

Common disaster scenarios for NGOs

Disaster recovery planning should cover more than dramatic events such as fires or floods. In practice, many incidents are digital, operational or supplier-related.

Common scenarios include:

  • A ransomware attack encrypting shared files
  • Accidental deletion of important data
  • A compromised Microsoft 365 account
  • Loss or theft of a staff laptop
  • Failure of a server, firewall or internet connection
  • Cloud platform misconfiguration
  • Website compromise
  • Power outage at an office or hub
  • A key software supplier becoming unavailable
  • Human error during system updates or data migration

For NGOs with remote teams and volunteers, the risk is often spread across multiple locations, devices and user accounts. This makes clear controls and tested recovery procedures essential.

 

The key elements of a strong disaster recovery plan

1. Identify your critical services

Start by listing the systems your organisation depends on most. For each one, ask:

  • Who uses it?
  • What data does it hold?
  • What happens if it is unavailable?
  • How long could the organisation operate without it?
  • Is there a manual workaround?

This helps separate genuinely critical services from systems that are useful but not urgent.

 

2. Set recovery objectives

Two important measures should guide your planning:

Recovery Time Objective, or RTO: how quickly a system must be restored.

Recovery Point Objective, or RPO: how much data your organisation can afford to lose.

For example, your finance system may need to be restored within 24 hours, while your beneficiary case management system may need a much shorter recovery window. A shared marketing folder may tolerate a longer delay.

 

3. Back up data properly

Backups are the foundation of disaster recovery, but they need to be designed carefully.

The NCSC’s small charity guidance recommends identifying what needs to be backed up, keeping backups separate from the main network, making sure backups remain immutable, considering cloud backup, and making backups part of everyday routines.

For NGOs, this should include Microsoft 365 data, cloud files, databases, finance records, website content and any data stored on local devices. It is also important to remember that cloud platforms do not automatically replace a dedicated backup strategy.

 

4. Protect Microsoft 365 and cloud services

Many UK charities rely heavily on Microsoft 365 for email, Teams, SharePoint and OneDrive. These platforms are powerful, but they still need proper configuration.

Disaster recovery planning should include:

  • Multi-factor authentication
  • Conditional access policies where appropriate
  • Separate admin accounts
  • Regular permission reviews
  • Backup for Microsoft 365 data
  • Clear leaver processes
  • Monitoring for suspicious sign-ins
  • Secure sharing policies for sensitive files

A compromised mailbox can quickly become a wider organisational incident, especially where donor, finance or safeguarding information is involved.

 

5. Create an incident response process

Disaster recovery and incident response should work together.

Your plan should explain who makes decisions, who contacts suppliers, who communicates with staff, and who handles external reporting. This is particularly important for charities, where trustees may need to be informed and serious incidents may need to be reported to the Charity Commission.

Your response plan should include contact details for:

  • Senior leadership
  • Trustees or board members
  • IT support provider
  • Cyber insurance provider, if applicable
  • Key software suppliers
  • Legal or data protection advisers
  • Communications lead
  • Finance lead

Store this information somewhere accessible even if email is unavailable.

 

6. Test the plan

A disaster recovery plan that has never been tested is only a theory.

Testing does not always need to be complex. A charity might start with a tabletop exercise, where key people walk through a realistic incident scenario. More mature organisations may test restoring files, rebuilding devices, recovering from backup or simulating a Microsoft 365 account compromise.

The goal is to find gaps before a real incident does.
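
One way to turn steps 1, 2, 3 and 6 into a repeatable check is sketched below. It is an added example, not code from Mark One Consultants or the NCSC: it compares each inventoried service's newest backup against its RPO and its last test restore against its RTO, and flags services with no backup or no restore test. The `Service` record, the `review` function and every sample value are assumptions made for illustration, apart from the 24-hour finance RTO mentioned above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Service:                      # hypothetical record for one inventoried system
    name: str
    rto: timedelta                  # how quickly it must be restored
    rpo: timedelta                  # how much data loss is tolerable
    last_backup: Optional[datetime]     # newest good backup, None if none exists
    restore_test: Optional[timedelta]   # measured duration of the last test restore

def hours(td):
    return f"{td.total_seconds() / 3600:.0f}h"

def review(services, now):
    """Return (service name, finding) pairs, most severe first."""
    found = []
    for s in services:
        if s.last_backup is None:
            found.append((0, s.name, "no backup exists"))
        elif now - s.last_backup > s.rpo:
            found.append((1, s.name, f"RPO breached: newest backup "
                          f"{hours(now - s.last_backup)} old, limit {hours(s.rpo)}"))
        if s.restore_test is None:
            found.append((2, s.name, "restore never tested, RTO unproven"))
        elif s.restore_test > s.rto:
            found.append((1, s.name, f"RTO breached: test restore took "
                          f"{hours(s.restore_test)}, limit {hours(s.rto)}"))
    return [(name, msg) for _, name, msg in sorted(found)]

# Constructed sample inventory; only the 24-hour finance RTO comes from the article.
NOW = datetime(2026, 4, 30, 9, 0)
H = lambda n: timedelta(hours=n)
SAMPLE = [
    Service("Finance system", H(24), H(24), NOW - H(20), H(6)),
    Service("Case management", H(4), H(1), NOW - H(3), H(5)),
    Service("Marketing folder", H(168), H(168), NOW - H(48), None),
    Service("Volunteer platform", H(24), H(24), None, None),
]

if __name__ == "__main__":
    for name, msg in review(SAMPLE, NOW):
        print(f"{name}: {msg}")
```

Feeding it real timestamps from backup job reports and the durations recorded during test restores gives trustees a short, evidence-based list of gaps rather than an assumption that backups work.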

 

Disaster recovery for NGOs with limited budgets

Many charities worry that resilience requires expensive enterprise technology. In reality, some of the most valuable improvements are practical and affordable.

Good starting points include:

  • Enabling multi-factor authentication
  • Documenting critical systems
  • Reviewing backup coverage
  • Removing old user accounts
  • Training staff to recognise phishing
  • Keeping devices updated
  • Using password managers
  • Restricting admin privileges
  • Testing file restoration
  • Agreeing an incident contact tree

The NCVO also highlights cyber security and data protection basics for charities, including backing up data, protecting against malware, securing mobile devices and improving password practices.

 

Governance: why trustees should be involved

Disaster recovery should not sit only with the IT team or an external provider. It is a governance issue.

Trustees and senior leaders should understand the organisation’s most important digital risks, approve sensible recovery priorities and ensure there is appropriate budget for resilience. This does not mean trustees need deep technical knowledge. It means they should be asking informed questions.

Useful trustee-level questions include:

  • Do we know which systems are mission-critical?
  • Are our backups tested?
  • Could we operate if email was unavailable?
  • Who would lead the response to a cyber incident?
  • Do we know when to report an incident?
  • Are staff and volunteers trained?
  • Are our suppliers part of our recovery planning?

 

A practical disaster recovery checklist for UK NGOs

A strong plan should include:

  • An inventory of critical systems and data
  • Recovery priorities for each service
  • Backup schedules and retention periods
  • Named incident response roles
  • Supplier and emergency contact details
  • Communication templates for staff, trustees and stakeholders
  • Data protection and reporting procedures
  • Manual workarounds for essential services
  • A test schedule
  • A review process after changes or incidents

The plan should be clear, concise and usable under pressure. A 10-page document that people understand is often more valuable than a lengthy policy that nobody reads.

How Mark One Consultants can help

For UK NGOs, disaster recovery planning is about protecting continuity, accountability and trust. It helps ensure that a technical incident does not become a service crisis.

Mark One Consultants works with charities, SMEs and mission-led organisations across Somerset, the South West and the wider UK to strengthen IT resilience. Our team can help review existing backup arrangements, secure Microsoft 365, improve cyber security, document recovery procedures and provide responsive IT support when it matters most.

If your organisation has not reviewed its disaster recovery plan recently, now is the right time to do it. A short conversation today could prevent a much larger disruption tomorrow.

