IT Security – What should you be doing?

As a charity manager, CEO or IT lead, you will hear a lot of noise from all sorts of areas about what you should be doing as a charity in terms of your IT setup and security.

Some IT companies will lead you to believe that significant investment in a variety of security equipment is a necessity for your organisation, but what should you actually be doing? Here at IT Services at CAS we have our own views on a number of practical, and often low-cost or free, steps you can take to safeguard your charity's data.

We believe there is a balance to be struck between taking security seriously and investing carefully in key elements. Funds are not endless, so it's important to prioritise the items that can really make a difference. Some of the things below may seem very basic, but getting the fundamentals right is key.

Ensure your devices are updated regularly

As standard, most Windows devices are set to update automatically, but it is worth checking that this is actually happening. Simply search for "updates" in your Windows search bar and ensure it is set to update automatically. Do the same with any other devices you might have, such as mobile phones and tablets. If you run servers you may also be able to automate this so that updates are pushed out and installed automatically.
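To go one step beyond the Settings page, the following read-only PowerShell check (an added example, not part of the CAS article) reports whether a Windows device has automatic updates enabled, whether a policy has switched them off, and when it last installed an update successfully. The 30-day threshold is an assumption; adjust it to your own standard.

```powershell
# Added example (not from the CAS article): read-only check of Windows Update
# on the device you run it on. Nothing here changes any setting.

$daysAllowed = 30   # assumption: warn if no successful update in the last 30 days

# 1. Automatic Updates setting via the Windows Update Agent COM API.
#    NotificationLevel: 0 = not configured, 1 = disabled, 2 = notify before
#    download, 3 = notify before install, 4 = scheduled/automatic install.
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
$levels = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download';
             3 = 'Notify before install'; 4 = 'Automatic install' }
Write-Host ("Automatic updates: {0}" -f $levels[[int]$au.NotificationLevel])

# 2. A Group Policy registry value can override the UI; NoAutoUpdate=1 turns it off.
$auPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$pol = Get-ItemProperty -Path $auPolicyKey -ErrorAction SilentlyContinue
if ($pol -and $pol.NoAutoUpdate -eq 1) {
    Write-Warning "Policy $auPolicyKey sets NoAutoUpdate=1: automatic updates are disabled by policy."
}

# 3. Is the Windows Update service allowed to run at all?
$svc = Get-Service -Name wuauserv
Write-Host ("Windows Update service: {0} (start type {1})" -f $svc.Status, $svc.StartType)

# 4. Most recent successfully installed update, taken from the update history.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count = $searcher.GetTotalHistoryCount()
$lastOk = $null
if ($count -gt 0) {
    $lastOk = $searcher.QueryHistory(0, $count) |
        Where-Object { $_.ResultCode -eq 2 } |      # 2 = succeeded
        Sort-Object Date -Descending |
        Select-Object -First 1
}
if ($null -eq $lastOk) {
    Write-Warning 'No successfully installed update found in the history.'
} elseif ($lastOk.Date -lt (Get-Date).AddDays(-$daysAllowed)) {
    Write-Warning ("Last successful update was {0:d} ({1}); find out why updates have stalled." -f $lastOk.Date, $lastOk.Title)
} else {
    Write-Host ("Last successful update: {0:d} - {1}" -f $lastOk.Date, $lastOk.Title)
}
```

Run it on each PC in turn (or via your remote-management tool) and follow up on any line that begins with WARNING.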

Install appropriate anti-virus software

As a minimum you should have some form of third-party anti-virus software on desktops, laptops and servers. Ideally this would be paid software from respected providers such as Sophos, Bitdefender or Avast, but even free anti-virus such as AVG Free would provide you with some form of protection. If budget is available, opt for software that includes anti-ransomware technology and an internet firewall.

Firewalls

Most paid anti-virus solutions come with an internet firewall, and we recommend this is turned on. Likewise, most routers supplied by your broadband provider will also have some form of firewall built in. Check that your router has a firewall and ensure it is turned on. If you wanted to take this further, investing in additional firewall technology (either software or hardware) could be an idea, but this can often be expensive and is not always required.

Back up your data

It may sound obvious but not every charity has this in place. It is vital to have some form of regular backup of your data. In a very basic sense this could just be an encrypted hard drive that you manually back up once a week which you take off site or if budget permits then some form of cloud backup is advisable. Ideally you’d look for something that was both automated and able to be taken offsite at the same time. Don’t just think of this as a waste of annual expenditure – think of it as a key insurance policy much like your building insurance.

Don't use unencrypted USB drives/memory sticks

If you need to transfer data from organisation devices to other locations – use encrypted hard drives/memory sticks. Often these are not that much more expensive than standard portable hard drives but if you had sensitive organisation data on your portable hard drive and it wasn’t encrypted then it leaves your organisation exposed. It is worth noting that sensitive organisation data probably shouldn’t be transferred in this manner at all but if there is no other way please ensure you use encrypted hard drives.

Password protect any organisation devices

As a bare minimum, every organisation device such as a desktop, laptop, phone or tablet should have password protection for every user, and "non-administrators" who don't require the ability to change systems should not be afforded the luxury of full administrator access. Ensure you have at least one administrator on every system and that this user's password is stored in a secure location (physical or digital). Don't allow users to be set up on your systems with no enforced password, especially if that user has been granted administrator access.
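The following read-only PowerShell audit (an added example, not part of the CAS article) checks a Windows device against the points above: every enabled local account must require a password, and only the accounts you intend should sit in the Administrators group. The list of approved administrator names is an assumption; replace it with your own.

```powershell
# Added example (not from the CAS article): audit local accounts on this device.
# Run from an elevated PowerShell window so group membership can be read.
# The script only reports; it changes nothing.

# Assumption: the administrator accounts your organisation deliberately set up.
$approvedAdmins = @('ITAdmin')

$problems = @()

# 1. Enabled accounts that do not require a password at all.
$users = Get-LocalUser
foreach ($u in $users) {
    if ($u.Enabled -and -not $u.PasswordRequired) {
        $problems += "Account '$($u.Name)' is enabled but does not require a password."
    }
}

# 2. Who is in the local Administrators group? Names come back as
#    COMPUTER\user or DOMAIN\user, so compare on the part after the backslash.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
$enabledAdmins = 0
foreach ($m in $admins) {
    $short = ($m.Name -split '\\')[-1]
    if ($approvedAdmins -notcontains $short) {
        $problems += "Unexpected member of Administrators: $($m.Name) ($($m.ObjectClass))"
    }
    # Local user accounts only; domain or group members are skipped here.
    $u = $users | Where-Object { $_.Name -eq $short }
    if ($u -and $u.Enabled) {
        $enabledAdmins++
        if (-not $u.PasswordRequired) {
            $problems += "Administrator '$($u.Name)' has no enforced password."
        }
    }
}

# 3. The article asks for at least one (working) administrator per system.
if ($enabledAdmins -eq 0) {
    $problems += 'No enabled local administrator account found on this device.'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Local account checks passed.'
}
```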

Use MFA (multi factor authentication) where you can

If you can, use multi-factor authentication on your devices and systems. Some devices and online systems have this functionality (such as Office 365 and banking apps) and some don't; if you have the opportunity to use it then please do!

Protect your passwords

The modern world dictates that we will have a wide variety of passwords, and keeping these secure is of vital importance. Don't allow your staff to simply leave passwords on post-it notes on the desk. Passwords should be stored in a secure physical location such as a locked cabinet, or in a secure digital platform such as LastPass (www.lastpass.com). Ensure that any passwords used on your systems are at least 6 characters long and include some form of capital letter and symbol. Try not to use obvious passwords that can easily be guessed.

Have proper policies in place

Having appropriate IT policies in place for your staff is key. As a minimum you should have an "Acceptable Use" policy which outlines how your staff may use your IT systems, and internally you should also have policies to deal with things like starter and leaver processes. Enforcing documented processes will ensure your organisation follows correct procedures when employees start and leave, which in turn will help safeguard your organisation's data. Enforcing a staff IT policy will also ensure that existing employees follow correct procedures and are totally clear on what they can and can't do.

Upskill your staff

Your staff will have a wide range of IT skills; try to upskill them in the area of security where you can. This doesn't have to be in the form of formal paid training (although this may be appropriate) but can be in the form of regular warnings about online scams, junk emails and so on. We have found that showing staff live examples of scams, phishing emails and spam emails helps them avoid falling victim to one of these scams in the future, which in turn will safeguard your organisation's data. Do this regularly so that this knowledge is hard-wired into your staff! Get your staff to respect and cherish the data they hold for your clients, and remind them of their own personal responsibility.

Work with trusted partners/suppliers

Volunteers do an amazing job for the charity sector, but the temptation to rely on low-cost support for your IT systems is not always the best route to take. Allow specialist IT providers to do this job for you so that you can get the best advice available to safeguard your data. Volunteers have no ties that keep them with you, so should they leave, all that knowledge and security could literally walk out of the building! List all the suppliers and partners you work with and store this list securely, so that in the event of issues people are clear about who to contact for what. In terms of the suppliers themselves, rely on word of mouth but also do your research and look out for their Cyber Essentials certification. Cyber Essentials certification isn't everything, but it will give you confidence that the organisation you are working with has met a recognised baseline of IT security controls.

What if I wanted to take it further?

If you had significant funds to invest in this area, then why not also think about some of the items below.

  • Install a hardware firewall between your router and your network.
  • Purchase VPN software for your staff to connect to when they are not on your own network.
  • Install network monitoring software that monitors threats and risks on a minute by minute basis.
  • Perform Penetration Testing on your network to spot where your potential holes are.

This is a short but not exhaustive list of elements you could also invest in if you wanted to further advance your IT security.

If you'd like to discuss any element of this then don't hesitate to contact us on 01473 345305 or email us at support@suffolkonline.net. IT Services at CAS provides a wide variety of IT services, including IT support contracts, so we can help with all of the above elements.