A step-by-step guide to cyber security

  • Many organisations across the public and voluntary sectors collect, store and process large quantities of personal data
  • It is important they put in place appropriate safeguards to protect this data and reduce the risk of it falling into the wrong hands
  • Our step-by-step guide to cyber security sets out some of the key questions organisations should be asking themselves

Cyber security has become a critical issue for organisations across the public and voluntary sectors.

While any type and size of organisation could be vulnerable to a cyber attack, there are a number of ways to minimise the risks. We have produced a simple checklist that covers the essential elements of an effective cyber security programme.


  • Does the board/leadership actively support the cyber security programme, ensuring sufficient resources are committed to security?
  • Is cyber security, and the potential consequences of a cyber attack, covered in your business continuity plan?
  • Do you actively manage all hardware devices on the network so that only authorised devices are given access and any unmanaged devices are found and prevented from gaining access?
  • Has a secure configuration baseline for both hardware and software been determined, including security controls to prevent users from changing important settings?
  • Are processes in place to ensure new vulnerabilities are identified and existing ones are patched as soon as possible?
  • Are administrative privileges only granted when necessary and is access secured through deployment of multi-factor authentication?

Understanding and prioritising data

  • Do you maintain a current understanding of the location, quantity and quality of data important to the delivery of services?
  • Do you have a clear system for categorising different types of data – e.g. public, internal, sensitive, confidential?
  • Do you take steps to ensure data is removed in accordance with retention schedules?
  • Does everybody in your organisation who handles data understand how to properly store, transfer, archive and destroy sensitive information?

Physical and digital security

  • Is access controlled in areas of your premises where sensitive data may be held?
  • Do you ensure that all mobile devices including memory sticks are encrypted?
  • Have you created a separate wireless network for personal and untrusted devices?
  • Do you configure devices – workstations, laptops and other mobile devices – to automatically lock sessions after a standard period of inactivity?
  • Do you ensure that all data is removed from devices, such as multi-function printers, before disposal?
  • Do you regularly update your antivirus software?
  • Do you deploy tools on network perimeters that monitor for unauthorised transfer of data?
  • Do you ensure backups are properly protected via physical security or encryption when they are stored as well as when they are moved across the network?
  • Do you conduct regular penetration testing of systems in order to understand vulnerabilities and discover how easy it is to access the system?

Managing third-party risk

  • Do you understand what access your suppliers and partners have to your systems, premises and information, and how you will control it?
  • Have you considered building assurance requirements, such as Cyber Essentials Plus, penetration tests, external audit or formal security certifications as part of supplier/partner security requirements?
  • Do you build the “right to audit” into contracts and do you exercise this?
  • Does everybody in your organisation who processes data have a clear understanding of when data may be legally shared with third parties, including instances when the express approval of the data subject must first be obtained?
  • If using cloud services, have you risk assessed your needs and potential providers using a framework such as the NCSC’s 14 Cloud Security Principles?


  • Does your organisation encourage reporting security incidents and data breaches, giving staff the tools to do so and the confidence that they will not face repercussions for doing so?
  • Are you aware of the penalties your organisation could face for data breaches under GDPR?
  • Does your DPO (Data Protection Officer) report directly to the highest level of management?


  • Do you provide staff with regular and relevant security awareness training including recognising social engineering attacks, causes of unintentional data exposures and incident reporting?
  • If requested, could you demonstrate evidence of the training you provide?
  • Do you plan and conduct incident response exercises to maintain awareness and confidence in responding to real-world threats?
  • Do you have procedures in place to learn from cyber incidents and near misses – including incidents that occur outside of your organisation?