Advice on keeping up with the Cyber Essentials requirements all year round, so that protecting your charity and its stakeholders becomes routine rather than an annual scramble
Robert Connor is a Cyber Essentials Assessor and Cyber Advisor at Cyber Sense. He offers some valuable advice about how to maintain good cyber hygiene all year round, making recertifying to Cyber Essentials as painless as possible.
Cyber Essentials is an effective, government-backed cyber security scheme, centred on five core controls that, if implemented correctly, will help you to protect your charity against the most common cyber attacks.
Cyber Essentials certifies that a charity has put baseline security measures in place. By implementing the five controls, certified charities show their donors, beneficiaries, trustees and funders that they take cyber security seriously and are protecting their data and funds.
For many small charities with stretched resources, staying secure online can feel overwhelming. But by putting simple processes in place, you can keep your organisation safe and ensure compliance with Cyber Essentials all year round.
Just like dental health, good cyber hygiene isn't only about the check-up; it depends on good habits and regular care throughout the year, which is what prevents small problems from becoming big ones.
In this guidance, we’ll suggest some easy-to-implement ideas to help you maintain security without needing technical expertise.
The first step in ensuring your charity stays on top of cyber security is to nominate a trustee or senior member of staff to take responsibility for information security. This doesn’t mean they need to be a technical expert. Instead, they’ll be the key person who ensures security tasks are completed, policies are reviewed, and the charity stays compliant with the requirements for Cyber Essentials.
One of the simplest ways to maintain security is to introduce clear processes for onboarding new employees and offboarding those who leave. Onboarding and offboarding are critical points where security issues can easily arise, so having a well-documented process for account creation and deactivation is vital. This minimises the risk of unauthorised access and ensures your charity’s data remains secure.
When onboarding new staff, create a checklist to ensure they:
When employees leave, it's equally important to have a checklist for promptly removing their access to systems and accounts: disable their accounts on their last day rather than weeks later, recover any charity-owned devices, and change any shared passwords they knew. This ensures that no one can reach sensitive data once they are no longer part of the charity, safeguarding your organisation from potential data breaches.
When acquiring new devices, it’s important to ensure that you don’t fall out of compliance with Cyber Essentials. It’s far easier to configure devices correctly from the start, giving you peace of mind that the device is secure and ready for use. Having a checklist in place is essential to ensure you meet the basics of Cyber Essentials and maintain security from day one.
If staff use their own devices, include this in the onboarding process or make sure they are aware they must notify the responsible person when switching devices.
When setting up new computers or devices, follow a checklist to confirm that:
Staff use standard user accounts for day-to-day work, with administrator accounts reserved for administrative tasks, to reduce the risk of unauthorised changes and to limit what malware can do if a user is tricked into running it
The firewall is enabled on every device
Up-to-date anti-malware software is installed and switched on
Only applications needed for the charity's work are installed
The latest software updates and security patches are applied.
This simple step can prevent potential security threats before they arise, helping to keep your charity’s systems secure and compliant with Cyber Essentials.
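The checklist above can be turned into a script that the responsible person runs on each new Windows device (or on any device during a review) and keeps the output with the asset register. The script below is an added example written for this page; it is not code from the article or from Cyber Sense. It only reads the device's state and never changes anything. The allow-list of business applications, the expected administrator accounts, the signature-age threshold and the register path are all assumptions to replace with your charity's own values.

```powershell
# Added example (not from the original article): audit a Windows device against the
# five setup-checklist items and produce one row for the asset register.
# Run as an administrator in Windows PowerShell 5.1 or PowerShell 7 on the device itself.
# Everything under "Assumptions" is hypothetical; replace with the charity's own values.

# Assumptions
$AllowedApps     = @('Microsoft 365*', 'Microsoft Edge', 'Google Chrome', 'Adobe Acrobat*')  # hypothetical allow-list
$ExpectedAdmins  = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\it-admin")     # hypothetical admin accounts
$MaxSignatureAge = 3   # days; assumed threshold for "up-to-date" anti-malware signatures

$report = [ordered]@{ Device = $env:COMPUTERNAME; Checked = (Get-Date).ToString('yyyy-MM-dd') }
$issues = [System.Collections.Generic.List[string]]::new()

# Operating system, recorded for the asset register and the unsupported-OS review
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report['OS'] = "$($os.Caption) $($os.Version)"

# 1. Standard user accounts: anyone in the local Administrators group beyond the expected set is flagged.
try {
    $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name
    $unexpected = $admins | Where-Object { $_ -notin $ExpectedAdmins }
    if ($unexpected) { $issues.Add("Unexpected local administrators: $($unexpected -join ', ')") }
    $report['LocalAdmins'] = $admins -join '; '
} catch { $issues.Add("Could not enumerate Administrators group: $($_.Exception.Message)") }

# 2. Firewall: every profile (Domain, Private, Public) must be enabled.
$off = Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -ne 'True' }
if ($off) { $issues.Add("Firewall disabled for profile(s): $($off.Name -join ', ')") }
$report['FirewallAllProfilesOn'] = (-not $off)

# 3. Anti-malware: real-time protection on and signatures recent. Microsoft Defender is queried
#    first; if that fails, any registered third-party product is listed from Security Center.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
    if (-not $mp.RealTimeProtectionEnabled) { $issues.Add('Defender real-time protection is off') }
    if ($sigAge -gt $MaxSignatureAge) { $issues.Add("Anti-malware signatures are $([int]$sigAge) days old") }
    $report['AntiMalware'] = "Defender, signatures $($mp.AntivirusSignatureLastUpdated.ToString('yyyy-MM-dd'))"
} catch {
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if ($av) { $report['AntiMalware'] = ($av.displayName -join '; ') }
    else { $issues.Add('No anti-malware product detected'); $report['AntiMalware'] = 'none' }
}

# 4. Only business applications: installed programs not matching the allow-list are listed for review
#    (listed, not removed; a person decides what is and is not needed).
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object DisplayName | Select-Object -ExpandProperty DisplayName -Unique
$unlisted = $installed | Where-Object { $name = $_; -not ($AllowedApps | Where-Object { $name -like $_ }) }
if ($unlisted) { $issues.Add("Applications not on the allow-list: $($unlisted -join ', ')") }

# 5. Updates: ask Windows Update whether anything is still waiting to be installed.
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
    $titles   = @(foreach ($u in $pending) { $u.Title })
    $report['PendingUpdates'] = $pending.Count
    if ($pending.Count -gt 0) { $issues.Add("$($pending.Count) update(s) pending: $($titles -join '; ')") }
} catch { $issues.Add("Could not query Windows Update: $($_.Exception.Message)") }

$report['Issues'] = if ($issues.Count) { $issues -join ' | ' } else { 'none' }
[pscustomobject]$report | Format-List
# To append the row to a CSV asset register (the path is an assumption):
# [pscustomobject]$report | Export-Csv -Path 'C:\CharityIT\asset-register.csv' -Append -NoTypeInformation
```

The script reports rather than fixes, so a non-technical responsible person can run it and pass the Issues line to whoever looks after the devices. The Windows Update query needs network access and can take a minute; the other checks are instant.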
It’s a good idea to schedule a formal review of your charity’s cyber security every six months to ensure everything is running smoothly and nothing has slipped through the cracks. If your charity has completed Cyber Essentials certification, you should already have an asset register in place. Use this as a reference during your review to track all devices and systems in use.
A quick and practical way to do this is by setting aside 10 minutes of a regular team meeting to conduct a simple audit of employees’ devices. During this meeting, you can:
You can also share your screen to demonstrate how staff can check their computer and mobile device versions, as well as how to run updates. After gathering this information, update the asset register and ensure everything remains in compliance.
Use the Operating System Support pages on the Cyber Essentials Knowledge Hub to help you identify if any systems or software are no longer supported, ensuring your charity’s technology remains secure and up to date.
If you find anything that is unsupported, make plans to update or upgrade the device promptly to avoid security vulnerabilities and maintain compliance.
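If the asset register is kept as a spreadsheet exported to CSV, the six-monthly review can be partly automated. The script below is an added example for this page, not code from the article: it reads a register, flags devices whose operating system is past its end-of-support date and devices that have not been checked within six months. The column names, the sample rows and the end-of-support table are constructed for the example; take the real dates from the Operating System Support pages on the Cyber Essentials Knowledge Hub before relying on the output.

```powershell
# Added example (not from the original article): review a CSV asset register and flag devices
# whose operating system is past its end-of-support date, or which have not been checked in the
# last six months. Register columns, sample rows and the support table are constructed here.

$ReviewIntervalDays = 182   # assumed: roughly six months

# Wildcard pattern -> end-of-support date ($null = still supported). Illustrative values only;
# fill in from the Cyber Essentials Knowledge Hub.
$SupportEnds = [ordered]@{
    '*Windows 11*'  = $null
    '*Windows 10*'  = [datetime]'2025-10-14'
    '*Windows 8.1*' = [datetime]'2023-01-10'
}

function Get-RegisterFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Register,   # rows with Device, OS, LastChecked columns
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($row in $Register) {
        $problems = @()

        # Operating system support status
        $pattern = $SupportEnds.Keys | Where-Object { $row.OS -like $_ } | Select-Object -First 1
        if (-not $pattern) {
            $problems += 'OS not in support table - check the Knowledge Hub'
        } elseif ($SupportEnds[$pattern] -and $SupportEnds[$pattern] -le $AsOf) {
            $problems += "OS unsupported since $($SupportEnds[$pattern].ToString('yyyy-MM-dd'))"
        }

        # Six-monthly check: blank date means the device has never been reviewed
        if (-not $row.LastChecked) {
            $problems += 'never checked'
        } elseif (($AsOf - [datetime]$row.LastChecked).TotalDays -gt $ReviewIntervalDays) {
            $problems += "last checked $($row.LastChecked), overdue"
        }

        if ($problems) {
            [pscustomobject]@{ Device = $row.Device; OS = $row.OS; Problems = ($problems -join '; ') }
        }
    }
}

# Constructed sample register; replace with: Import-Csv -Path '<your register>.csv'
$sampleRegister = @'
Device,Owner,OS,LastChecked
LAPTOP-01,A. Smith,Microsoft Windows 11 Pro 10.0.22631,2024-09-10
LAPTOP-02,B. Jones,Microsoft Windows 10 Pro 10.0.19045,2024-02-01
DESKTOP-RECEPTION,Shared,Microsoft Windows 8.1 Pro 6.3.9600,2023-11-20
PHONE-03,C. Lee,iOS 17.5,
'@ | ConvertFrom-Csv

Get-RegisterFindings -Register $sampleRegister -AsOf ([datetime]'2024-10-01') | Format-Table -AutoSize
```

With the constructed rows and a review date of 1 October 2024, LAPTOP-01 passes, LAPTOP-02 is overdue for its check, DESKTOP-RECEPTION is both unsupported and overdue, and PHONE-03 is flagged because its operating system is not in the table and it has never been checked. Devices in that last category are the ones to look up on the Knowledge Hub by hand.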
For small charities, reviewing cyber security policies annually is sufficient to keep up with changes in technology and in the threats you face. Cyber Essentials requires certain key policies, such as a Password Policy and an Administrator Account Tracker, but a broader Information Security Policy can also be highly beneficial.
Spend some time each year reviewing your policies to ensure they remain relevant to your charity’s operations. After updating them, or at least once a year, reshare the policies with your staff and volunteers, encouraging them to review the content and raise any concerns or questions.
Keeping policies fresh and visible helps maintain compliance and ensures everyone remains engaged in protecting your charity’s security.
About a month before your Cyber Essentials certification is due for renewal, it’s important to start preparing. By taking consistent steps throughout the year, this final review will be much easier. Here’s what to do:
Maintaining Cyber Essentials doesn't have to be overwhelming for small charities. By nominating a responsible person, creating checklists for onboarding and offboarding, configuring new devices securely, conducting regular cyber security reviews, and updating policies, your charity can stay secure all year round. With these consistent practices, you can identify potential risks before they become major issues.
Charities can find free cyber security guidance and information about Cyber Essentials in the Cyber Essentials Knowledge Hub.