A single phishing email can do more than cause a bit of disruption. For a charity, it can freeze access to donor records, delay frontline services, knock confidence with trustees and create a safeguarding headache overnight. That is why a clear charity cyber security checklist matters – not as a box-ticking exercise, but as a practical way to protect the people, data and community trust your organisation depends on.

Many charities in Bradford, Leeds, Halifax and across West Yorkshire are working with tight budgets, small teams and a mix of paid staff, trustees and volunteers. That usually means cyber security has to be sensible, affordable and easy to follow. Fancy tools are not always the answer. Good habits, sensible systems and a bit of joined-up thinking usually make the biggest difference.

A charity cyber security checklist that works in real life

The best checklist is one your team can actually use. If it is too technical, it gets ignored. If it is too vague, nothing changes. A good approach covers the essentials first, then builds from there.

1. Know what you need to protect

Start with the basics. What information do you hold, where does it live, and who can access it? For most charities, that includes donor details, beneficiary information, finance records, HR files, email accounts and cloud documents.

Not every file needs the same level of protection, but some data is more sensitive than others. If you support vulnerable people, handle health-related information or process direct debit details, the risk is higher. You cannot protect everything properly until you know what is there.

2. Lock down accounts with strong passwords and MFA

Passwords still cause more trouble than they should. Shared logins, reused passwords and sticky notes under keyboards are more common than many organisations would like to admit.

Each user should have their own account, with a strong unique password and multi-factor authentication switched on wherever possible. Email, Microsoft 365, finance tools and cloud storage should be top priority. MFA adds a vital extra barrier. It is not foolproof, but it stops a huge number of common attacks.

3. Remove access when people leave

Charities often have changing teams. Volunteers move on, trustees rotate, temporary staff finish and old suppliers no longer need access. Accounts can easily be left active for months.

Build a simple leavers process. The moment someone leaves, disable their email, remove access to shared files, collect devices and check whether they had admin permissions. This is one of the easiest wins on any charity cyber security checklist, and one of the most often missed.

4. Keep devices and software updated

Out-of-date systems are low-hanging fruit for attackers. If laptops, desktops, phones, routers or software are missing security updates, you are giving problems a head start.

Where possible, turn on automatic updates. If that is not realistic for every system, make sure someone is responsible for checking and applying patches regularly. Older devices can be a sticking point. If a machine is so old it cannot run supported software, the cheapest option in the short term may become the most expensive later.

Train people, not just systems

Most cyber incidents in charities do not start with a dramatic hack. They start with a person clicking the wrong link, opening the wrong attachment or trusting an email that looked convincing enough.

5. Give staff and volunteers basic cyber awareness training

Training does not need to be formal or frightening. In fact, the best training is short, clear and repeated often. Show people how to spot suspicious emails, what to do if a login page looks odd, how to report concerns and why rushing is when mistakes happen.

Volunteers and trustees should not be left out. If they use your email, access shared records or join meetings with sensitive information, they are part of the risk picture too.

6. Make reporting easy and blame-free

If someone clicks a dodgy link, they need to feel able to say so straight away. Delays turn manageable incidents into messy ones.

Set a simple rule: if anything feels off, report it immediately. No embarrassment, no panic, no finger-pointing. A calm response protects the organisation far better than a culture where people keep quiet because they are worried about being blamed.

Protect the tools you rely on every day

Most charities now depend on cloud platforms, email and shared drives. That is helpful for flexible working, but only if those tools are configured properly.

7. Review Microsoft 365 and email security settings

A lot of charities use Microsoft 365 but never look beyond the default setup. That can leave gaps in email filtering, account permissions and data sharing.

Check forwarding rules, spam protection, login alerts and admin access. Limit who can share files externally. Review old shared mailboxes and groups. If your team uses personal email accounts for charity work, that needs sorting quickly. It creates risk, weakens accountability and makes data harder to control.

8. Back up critical data properly

Backups are your safety net when something goes wrong, whether that is ransomware, accidental deletion or hardware failure. The key word is properly.

A backup is only useful if it runs regularly, covers the right data and can actually be restored. Test it. Make sure important files, finance systems and shared documents are included. If everything is cloud-based, do not assume that means you are fully backed up. Some services protect availability better than recovery.
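One way to run the restore test described above, as an added example that is not part of the original article: restore the backup to a spare folder, then compare it file by file with the live data. The folder layout and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests

def compare_restore(live_root, restored_root):
    """Report files the restore lacks and files whose content differs."""
    live, restored = manifest(live_root), manifest(restored_root)
    return {
        # In the live data but absent from the restore: not covered by the backup.
        "missing": sorted(set(live) - set(restored)),
        # Present in both but not identical: edited since the backup ran,
        # or damaged in the backup. Either way it needs a human look.
        "different": sorted(p for p in live.keys() & restored.keys()
                            if live[p] != restored[p]),
    }

def demo():
    """Build constructed live and restored folders, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        restored = os.path.join(tmp, "restored")
        os.makedirs(live)
        os.makedirs(restored)
        samples = {"donors.csv": b"name,gift\n", "ledger.xlsx": b"ledger-v2",
                   "minutes.docx": b"trustee minutes"}
        for name, data in samples.items():
            with open(os.path.join(live, name), "wb") as fh:
                fh.write(data)
        with open(os.path.join(restored, "donors.csv"), "wb") as fh:
            fh.write(samples["donors.csv"])   # restored intact
        with open(os.path.join(restored, "ledger.xlsx"), "wb") as fh:
            fh.write(b"")                     # restored but truncated
        return compare_restore(live, restored)  # minutes.docx never restored
```

An empty result for both lists on a real restore is the evidence that the backup covers the right data and can actually be restored.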

9. Secure laptops, phones and remote working

Charity work does not always happen from one office. Staff may work from home, travel between sites or use mobile phones for day-to-day communication. That flexibility is useful, but it needs boundaries.

Use screen locks, device encryption and basic mobile security settings. Keep a record of which devices belong to the charity and who uses them. If staff use their own devices, decide what is allowed and what is not. A bring-your-own-device setup can work, but only with clear rules.

Reduce damage if something goes wrong

No checklist can promise perfect protection. What it can do is reduce the odds of an incident and limit the fallout.

10. Limit admin access

Not everyone needs full control. In fact, the fewer people with administrator access, the better.

Give users the access they need for their role and no more. That applies to files, software, finance tools and system settings. If a standard user account is compromised, the damage is usually much easier to contain than if an admin account is taken over.
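The account checks from items 2, 3 and 10 can be run together as a regular review. The sketch below is an added example, not part of the original article; it assumes you can export your accounts to a CSV with the columns shown, and every name, address and date in it is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export: one row per account (not real data).
ACCOUNTS_CSV = """user,enabled,mfa,role,last_sign_in
amina@example.org,yes,yes,admin,2024-05-28
ben@example.org,yes,no,admin,2024-05-30
carol@example.org,yes,yes,admin,2024-01-10
dev@example.org,yes,no,user,2024-05-29
reception@example.org,yes,no,shared,2024-05-31
erin@example.org,no,yes,user,2023-11-02
"""
# Constructed list of people who have left, kept as part of the leavers process.
LEAVERS = {"carol@example.org", "erin@example.org"}
AUDIT_DATE = date(2024, 6, 1)  # constructed review date for the sample

def audit_accounts(csv_text, leavers, today, stale_days=90):
    """Return a sorted list of (user, finding) pairs for enabled accounts."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"] != "yes":
            continue  # already disabled, nothing left to sign in to
        user, is_admin = row["user"], row["role"] == "admin"
        if user in leavers:
            # Item 3: leavers should be disabled; admin rights make it urgent.
            suffix = " with admin rights" if is_admin else ""
            findings.append((user, "leaver account still enabled" + suffix))
        if row["mfa"] != "yes":
            # Items 2 and 10: an admin account without MFA is the worst case.
            findings.append((user, "admin account without MFA" if is_admin
                             else "MFA not switched on"))
        if row["role"] == "shared":
            # Item 2: each user should have their own account.
            findings.append((user, "shared login"))
        idle = (today - date.fromisoformat(row["last_sign_in"])).days
        if idle > stale_days:
            findings.append((user, f"no sign-in for over {stale_days} days"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS_CSV, LEAVERS, AUDIT_DATE):
        print(f"{user}: {finding}")
```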

11. Have an incident response plan

When a cyber issue happens, stress levels rise fast. People start guessing, repeating steps or making rushed decisions. A simple incident plan helps everyone stay steady.

It does not need to be a thick policy document. It just needs to answer practical questions. Who should be told first? Who can stop access to accounts? Where are backup details stored? When should trustees be informed? If personal data is involved, who handles the reporting side? Even a one-page plan is far better than making it up on the spot.

12. Review suppliers and third-party access

Many charities rely on external providers for fundraising platforms, finance systems, IT support, website management and payment processing. That is normal, but each supplier introduces another layer of risk.

Know who has access to what. Remove old supplier accounts when contracts end. Ask practical questions about security, backups and support response. You do not need to turn procurement into a legal drama, but you do need confidence that the partners handling your systems take security seriously.

The checklist is only the start

A charity cyber security checklist is not something to glance at once a year before a trustee meeting. It works best when it becomes part of everyday operations – joining processes, leavers processes, device setup, training and regular reviews.

That does not mean making life harder for your team. Quite the opposite. Good cyber security should reduce stress, not pile it on. If your current setup feels confusing, patchy or overly dependent on one person who “just knows how it all works”, that is usually a sign you need a clearer plan.

For some charities, the next step is simply tightening a few basics and assigning responsibility internally. For others, especially those juggling limited time and mixed levels of technical confidence, outside support can take the sting out of IT and turn vague good intentions into a setup that is safer, easier to manage and far less likely to unravel when you are busiest.

The useful question is not whether your charity can afford to think about cyber security. It is whether you can afford to leave it to chance while trying to do good work in a very busy world.