A charity guide to maintaining Cyber Essentials all year round

We share advice on how to maintain Cyber Essentials requirements, making it easier to protect your charity and its stakeholders all year round


Robert Connor is a Cyber Essentials Assessor and Cyber Advisor at Cyber Sense. He offers some valuable advice about how to maintain good cyber hygiene all year round, making recertifying to Cyber Essentials as painless as possible.

 

Cyber Essentials is an effective, government-backed cyber security scheme, centred on five core controls that, if implemented correctly, will help you to protect your charity against the most common cyber attacks.

 

Cyber Essentials certifies that charities have put the necessary measures in place to be cyber secure. Having met the five criteria, charities certified by Cyber Essentials are showing their donors, beneficiaries, trustees, and funders that they are taking cyber security seriously and protecting their data and funds.

 

For many small charities with stretched resources, staying secure online can feel overwhelming. But by putting simple processes in place, you can keep your organisation safe and ensure compliance with Cyber Essentials all year round. 

 

Just like dental health, good hygiene isn’t just about the check-up but about good habits and regular care all year round. In a similar way, cyber security requires consistent attention to prevent bigger problems down the line. 

 

In this guidance, we’ll suggest some easy-to-implement ideas to help you maintain security without needing technical expertise.

 

Find out more about Cyber Essentials

 

 

Nominate a responsible trustee or senior personnel 

 

The first step in ensuring your charity stays on top of cyber security is to nominate a trustee or senior member of staff to take responsibility for information security. This doesn’t mean they need to be a technical expert. Instead, they’ll be the key person who ensures security tasks are completed, policies are reviewed, and the charity stays compliant with the requirements for Cyber Essentials. 

 

 

Create checklists for onboarding and offboarding 

 

One of the simplest ways to maintain security is to introduce clear processes for onboarding new employees and offboarding those who leave. Onboarding and offboarding are critical points where security issues can easily arise, so having a well-documented process for account creation and deactivation is vital. This minimises the risk of unauthorised access and ensures your charity’s data remains secure. 

 

When onboarding new staff, create a checklist to ensure they: 

  • Are trained on your charity’s password policy
  • Have multi-factor authentication set up on all their cloud services
  • Have secure access to only the systems they need and no more than that
  • Are introduced to key policies, such as your data protection policy, and are reminded of best practices
  • Know how to handle suspicious requests or phishing attempts: if they receive an unexpected email or message asking for sensitive information, they should avoid responding, report it immediately, and verify it through trusted contact methods

When employees leave, it’s equally important to have a checklist to promptly remove their access to systems and accounts. This ensures that no one can access sensitive data once they are no longer part of the charity, safeguarding your organisation from potential data breaches. 

 

 

Set up a New Device Configuration Checklist 

 

When acquiring new devices, it’s important to ensure that you don’t fall out of compliance with Cyber Essentials. It’s far easier to configure devices correctly from the start, giving you peace of mind that the device is secure and ready for use. Having a checklist in place is essential to ensure you meet the basics of Cyber Essentials and maintain security from day one. 

 

If staff use their own devices, include this in the onboarding process or make sure they are aware they must notify the responsible person when switching devices. 

 

When setting up new computers or devices, follow a checklist to ensure the following: 

  • Employees are using standard user accounts, not admin accounts, to reduce the risk of unauthorised changes
  • Firewalls are enabled on all devices
  • Up-to-date anti-malware software is installed
  • Only applications for business purposes are installed
  • The latest software updates and patches are applied

This simple step can prevent potential security threats before they arise, helping to keep your charity’s systems secure and compliant with Cyber Essentials. 

 

 

Schedule a six-month Cyber Review

 

It’s a good idea to schedule a formal review of your charity’s cyber security every six months to ensure everything is running smoothly and nothing has slipped through the cracks. If your charity has completed Cyber Essentials certification, you should already have an asset register in place. Use this as a reference during your review to track all devices and systems in use. 

 

A quick and practical way to do this is by setting aside 10 minutes of a regular team meeting to conduct a simple audit of employees’ devices. During this meeting, you can: 

  • Check which devices staff are using for work
  • Confirm their systems are up to date
  • Address any security concerns or issues

You can also share your screen to demonstrate how staff can check their computer and mobile device versions, as well as how to run updates. After gathering this information, update the asset register and ensure everything remains in compliance. 

 

Use the Operating System Support pages on the Cyber Essentials Knowledge Hub to help you identify if any systems or software are no longer supported, ensuring your charity’s technology remains secure and up to date. 

 

If you find anything that is unsupported, make plans to update or upgrade the device promptly to avoid security vulnerabilities and maintain compliance. 

 

 

Review and update your cyber security policies annually 

 

For small charities, reviewing cyber security policies on an annual basis is sufficient to keep up with changes in technology and security threats. Cyber Essentials requires certain key policies, such as a Password Policy and an Administrator Account Tracker, but having a broader Information Security Policy can be highly beneficial.

 

Spend some time each year reviewing your policies to ensure they remain relevant to your charity’s operations. After updating them, or at least once a year, reshare the policies with your staff and volunteers, encouraging them to review the content and raise any concerns or questions. 

 

Keeping policies fresh and visible helps maintain compliance and ensures everyone remains engaged in protecting your charity’s security.

 

 

Putting it all together 

 

About a month before your Cyber Essentials certification is due for renewal, it’s important to start preparing. By taking consistent steps throughout the year, this final review will be much easier. Here’s what to do:

  • Revisit the Cyber Essentials requirements document: Review the latest requirements to ensure your charity is still compliant and that no new guidelines have been introduced
  • Audit the devices used by staff: Take some time to check in with your team and ensure all work devices are secure and compliant. You can do this by gathering basic information during a quick team meeting - confirm that everyone’s systems are up to date and address any recent security concerns. After the audit, ensure your asset register is current and that all devices meet Cyber Essentials standards
  • Start uploading answers to the certification portal: Begin completing the Cyber Essentials questionnaire early to avoid last-minute rushing. This gives you plenty of time to resolve any issues that may arise and ensures you’re ready to re-certify for another year

Maintaining Cyber Essentials doesn’t have to be overwhelming for small charities. By nominating a responsible person, creating checklists for onboarding and offboarding, configuring new devices securely, conducting regular cyber security reviews, and updating policies, your charity can stay secure all year round. With these consistent practices, you can identify potential risks before they become major issues.

 

Charities can find free cyber security guidance and information about Cyber Essentials in the Cyber Essentials Knowledge Hub.

