When Security Policies Accidentally Exclude: A Lesson for Charities Pursuing Cyber Essentials
I sat in a board meeting several years ago, at a cryptocurrency company navigating intense regulatory scrutiny, when the compliance officer leaned over with a concerned look.
"You'll need to turn off your hearing aid for this section. We're discussing security protocols and can't have Bluetooth devices active."
I blinked. "My hearing aid?"
"It's Bluetooth. We need to minimize wireless attack surfaces during sensitive discussions."
They meant well. The company was genuinely trying to build robust security in a high-threat environment. But in their focus on technical controls, they'd created a policy that would exclude anyone who relied on assistive technology.
I've watched this same pattern emerge in charity governance—organisations pursuing Cyber Essentials certification, implementing security measures that accidentally create barriers for disabled trustees, staff, and volunteers.
The Gap in Security Frameworks
Here's the challenge. Cyber Essentials provides excellent guidance on technical controls. It helps organisations secure their networks, manage access, and protect against common threats.
What it doesn't address is how those technical controls intersect with accessibility requirements. So organisations fill that gap themselves—often with blanket policies that seem logical from a pure security perspective but create unintended consequences.
"No Bluetooth devices during board meetings" sounds reasonable until you realize that includes hearing aids, glucose monitors, and other medical devices that people depend on to participate fully.
This isn't about Cyber Essentials being flawed. It's about implementation requiring thought beyond checklists.
What the Equality Act Requires
Under the Equality Act 2010, employers and service providers have a legal duty to make reasonable adjustments for disabled people. That includes adjusting security policies that would otherwise create barriers.
Failing to make a reasonable adjustment can constitute discrimination—with potential tribunal claims, reputational damage, and the loss of talented people who decide to work elsewhere.
What's "reasonable"? The Ministry of Justice, handling classified information, explicitly permits Bluetooth hearing aids in secure facilities. They recognize that "where there is a good reason, such as for Accessibility, an exception will be treated sympathetically and permitted wherever possible."
If government departments can accommodate medical devices while protecting state secrets, most organisations can find ways to do the same.
The Hidden Cost
When security policies exclude disabled people, organisations lose more than they realize.
You lose institutional knowledge when long-serving trustees resign rather than repeatedly explain why they need their assistive technology. You lose diverse perspectives that challenge groupthink. You create workarounds—the volunteer who can't manage complex passwords writes them on sticky notes, the staff member with arthritis reuses simple passwords everywhere.
Security that isn't accessible often isn't secure. People find ways around policies that make their work impossible.
The Bigger Picture
There are 5.6 million disabled people in employment in the UK—around 22% of working-age adults. In the charity sector specifically, we should lead on inclusion, not trail behind other sectors in accommodating disabled colleagues.
Yet only 31% of charities have trustees with cyber or digital risk knowledge. That gap shows. Charities sometimes implement security measures without fully considering how they'll affect the people who actually need to use them.
When security certification processes create barriers for disabled people, organisations don't become more secure. They become less capable, less diverse, and more vulnerable to the blind spots that diverse teams help prevent.
What Good Practice Looks Like
The solution isn't abandoning security standards. It's implementing them thoughtfully.
Before rolling out any security policy, ask: "Could this create barriers for someone with a disability?" If yes, work through the risk assessment properly.
For Bluetooth hearing aids, that assessment might conclude:

- The device pairs securely using PIN authentication
- It's not discoverable to other devices
- It's no more risky than the smartphones board members keep on the table
- The value of the trustee's participation outweighs the minimal additional risk
- Policy proceeds with a documented exception
That takes 15 minutes to think through properly. It demonstrates you've considered accessibility and security together, rather than treating them as competing priorities.
The Path Forward
If you're a charity pursuing Cyber Essentials—excellent. Taking cybersecurity seriously matters enormously given the sensitive data charities handle.
As you implement security controls, build in accessibility considerations from the start:

Before any policy goes live:

- Review it through an accessibility lens
- Consult with disabled staff, volunteers, or trustees
- Document your reasonable adjustment process clearly
- Make sure people don't have to beg for exceptions to do their jobs

When conflicts arise:

- Risk-assess the specific situation rather than applying blanket rules
- Document your reasoning (both for governance and potential tribunal defence)
- Remember that "security" includes retaining the skilled people who make your charity work
The crypto company I mentioned eventually revised their policy after several board members pointed out the accessibility implications. It took longer than it should have, but they got there.
Charities can do better. We can build security and inclusion together, not force people to choose between them.
Cyber Essentials certification should make charities more secure AND more capable of fulfilling their missions. When those goals seem to conflict, we haven't understood either one properly.
| Source | Article |
|---|---|
| UK Government | Equality Act 2010 |
| Ministry of Justice | Bluetooth and Mobile Device Policy - Security Guidance |
| Office for National Statistics | Disability and Employment UK: 2023 |
| Charity Commission | Cyber Security: Small Charity Guide |
| NCSC | Cyber Essentials Scheme Overview |
| Equality and Human Rights Commission | What is a Reasonable Adjustment? |
| Charity Governance Code | Charity Governance Code for Larger Charities |
| Scope (Disability Charity) | UK Disability Facts and Figures |
| ACAS | Reasonable Adjustments in the Workplace |
| Charity Digital Skills Report | Charity Digital Skills Report 2024 |