In this article, we guide you through how to protect a remote charity with Cyber Essentials and maintain good cyber security and compliance.
With charities increasingly embracing remote and hybrid working, protecting your charity’s digital environment has never been more important or more challenging. Fortunately, the Cyber Essentials certification provides a framework to ensure your charity remains protected from the most common cyber threats, even with a fully remote workforce.
Below, Robert Connor, Cyber Essentials Assessor and Cyber Advisor at Cyber Sense, guides you through the steps to scope a remote charity for Cyber Essentials and maintain compliance.
To keep cyber security on track, designate a trustee or senior staff member as your cyber security lead. This person doesn’t need to be a technical expert—they will simply ensure essential tasks are completed, policies are up to date, and Cyber Essentials requirements are met.
If additional support is needed, consider working with a Cyber Advisor. You can find trusted providers through the National Cyber Security Centre (NCSC).
Any asset that regularly accesses charity data falls within the scope of this assessment, making it crucial to maintain a comprehensive and up-to-date list. For remote charities, this is especially important. After all, you can only protect what you know exists. Use a straightforward spreadsheet to track all devices and cloud services, ensuring that no asset is overlooked.
To stay organised, create three separate worksheets for:
Workstations: Laptops and desktop computers, including their operating system versions
Mobile Devices: Phones or tablets used for work purposes, including operating system details
Cloud Services: Platforms like email providers, file-sharing tools, and CRM systems
For example: Your spreadsheet might include five key columns: the device name (e.g., "Laptop-123"), the operating system and version (e.g., "Windows 11 Pro v23H2"), the assigned user, confirmation that all security updates are applied, and whether unnecessary software has been removed.
A great time to update your asset list is during team meetings, at least quarterly. Use these opportunities to confirm device details and ensure everyone’s tools are accounted for. The IASME Cyber Essentials Knowledge Hub can guide you in determining whether devices are compliant.
Fully remote charities must pay special attention to the configuration of employees’ devices. Start your Cyber Essentials journey with a full audit, ensuring all devices meet baseline security standards. This can even be conducted remotely by observing the employee’s device setup during a Teams call.
For Computers:
Verify that devices use standard user accounts, not admin accounts, to reduce risks
Confirm firewalls are enabled – this is important as employees’ home routers are outside the scope of Cyber Essentials
Ensure anti-malware software is installed and up to date
Check that all software is updated and running the latest versions
Ensure unnecessary software is removed from the computer
For Mobile Devices:
Verify that lock screens and passwords are enabled
Check that only secure apps are installed for work purposes
Ensure updates are applied promptly
If you’re uncertain about the technical aspects of these checks, consider working with a Cyber Advisor to ensure everything is correctly configured. The IASME Knowledge Hub can also help you review current requirements and align your devices with best practices.
Cloud services are a lifeline for remote charities, but they can also be points of vulnerability. Cyber Essentials requires that multi-factor authentication (MFA) is enabled for all cloud accounts.
This simple step significantly enhances security by requiring an additional verification step, even if a password is compromised. Most cloud platforms, like Microsoft 365, Google Workspace, and Dropbox, provide step-by-step guides in their knowledge bases to help you configure MFA.
Include a column in your asset list to track whether MFA is available and configured for each service.
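As an added illustration (not part of the original article), the asset list described above can be checked automatically once the worksheets are exported to CSV. The column names and sample rows below are constructed assumptions based on the five device columns and the MFA column the article suggests; a blank cell is treated as "not confirmed".

```python
import csv
import io

# Constructed sample exports of two worksheets (hypothetical data and column names).
DEVICES_CSV = """device_name,os_version,assigned_user,updates_applied,unnecessary_software_removed
Laptop-123,Windows 11 Pro v23H2,A. Example,yes,yes
Laptop-124,Windows 11 Pro v23H2,B. Example,no,yes
Laptop-125,Windows 11 Pro v23H2,,yes,
"""
CLOUD_CSV = """service,mfa_available,mfa_configured
Email,yes,yes
File sharing,yes,no
CRM,no,no
"""

YES = {"yes", "y", "true"}


def _is_yes(value):
    # Anything other than an explicit "yes" (including a blank cell) counts as unconfirmed.
    return (value or "").strip().lower() in YES


def audit_devices(csv_text):
    """Return (device, issue) pairs for rows that fail the article's device checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["device_name"]
        if not (row["assigned_user"] or "").strip():
            findings.append((name, "no assigned user"))
        if not _is_yes(row["updates_applied"]):
            findings.append((name, "security updates not confirmed"))
        if not _is_yes(row["unnecessary_software_removed"]):
            findings.append((name, "unnecessary software removal not confirmed"))
    return findings


def audit_cloud(csv_text):
    """Return (service, issue) pairs for cloud services without working MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not _is_yes(row["mfa_available"]):
            findings.append((row["service"], "MFA not available"))
        elif not _is_yes(row["mfa_configured"]):
            findings.append((row["service"], "MFA available but not configured"))
    return findings


if __name__ == "__main__":
    for asset, issue in audit_devices(DEVICES_CSV) + audit_cloud(CLOUD_CSV):
        print(f"{asset}: {issue}")
```

Running the check before each quarterly review gives the cyber security lead a short list of rows to follow up rather than a full spreadsheet to re-read.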
Documenting your onboarding process ensures new hires and devices align with security standards from day one, reducing vulnerabilities. Include the following in your checklist:
Training on security policies: New hires should understand password requirements, phishing awareness, and secure communication practices
Setting up MFA: Ensure all accounts have MFA enabled during the onboarding process
Device configuration: New devices should meet Cyber Essentials standards from day one
A strong onboarding process creates a secure foundation for your team and your charity’s operations.
Once your organisation has scoped its systems and applied the necessary measures, seek certification to Cyber Essentials. Certification provides external validation of your efforts and demonstrates your commitment to security.
Consider working with an Assessor from a Certification Body to guide you through the process and ensure your remote setup meets the required standards. Certification not only ensures compliance but also boosts donor confidence and operational resilience.
Security is not a one-time event. Fully remote charities should schedule regular check-ins to update their asset spreadsheets, particularly when:
New employees or devices are added
Staff leave or change roles
Devices or software are replaced or decommissioned
To make this easier, schedule quarterly reminders or include it as a standing agenda item in team meetings. Keeping your records accurate ensures readiness for annual Cyber Essentials recertification.
Securing a fully remote charity may seem daunting, but by following these steps, you can simplify the process and stay compliant with Cyber Essentials. Nominate a responsible person, maintain a robust asset list, conduct regular device checks, and implement strong onboarding practices. With consistent effort, your charity can protect its mission from cyber threats and build trust with its supporters.
Cyber Essentials is the Government approved, annually renewable cyber security certification scheme for organisations of all sizes.
Cyber Advisor is the National Cyber Security Centre’s (NCSC) scheme to help small and medium-sized organisations find reliable, cost-effective cyber security consultancy. Cyber Advisors are assessed against whether they can understand and communicate with small organisations to give proportionate and sensible cyber security support.