Cyber Security Guides
Practical, step-by-step guides to protect your devices and accounts — aligned to the UK Cyber Essentials framework. Each guide covers one specific action you can take today.
Firewalls
- Change your router's default password: Your router comes with a factory default password that is easy for attackers to guess. Change it to a strong, unique password.
- Enable your router's built-in firewall: Most routers include a built-in firewall that filters incoming traffic. Check that it is switched on.
- Enable Windows Defender Firewall: Make sure Windows Defender Firewall is turned on for both private and public networks on your Windows computer.
- Review firewall rules on your business router: Check that only necessary ports are open on your business network router. Close any ports that are not required.
- Set up a guest Wi-Fi network at home: Create a separate Wi-Fi network for visitors and smart home devices. A guest network isolates your main computers and phones from anything you do not fully control or trust.
- Be careful what you do on public Wi-Fi on your phone: Avoid accessing banking apps, email, or any account that contains sensitive information when connected to public Wi-Fi. Public networks in cafés, hotels, and airports are not secure.
Secure Configuration
- Enable full-disk encryption on your laptop: Turn on BitLocker (Windows) or FileVault (Mac) to encrypt everything on your laptop's hard drive.
- Remove unused apps and software: Uninstall applications you no longer use from your devices. Every extra app is a potential vulnerability.
- Review app permissions on your phone: Check which apps have access to your camera, microphone, location, and contacts. Remove permissions that aren't needed.
- Disable remote desktop access if not needed: If you do not use Remote Desktop Protocol (RDP) or similar remote access tools, disable them on your computers.
- Back up your most important files: Set up automatic backup to the cloud for your photos, documents, and important files. If your device is lost, stolen, or infected with ransomware, a backup means you don't lose everything.
- Use a VPN when connecting to public Wi-Fi: A VPN encrypts your internet connection when you use public Wi-Fi in coffee shops, hotels, and airports. Without one, anyone on the same network can potentially intercept what you're sending and receiving.
- Set up remote wipe on your devices: Configure your phone, tablet, and laptop so you can erase all data on them remotely if they are lost or stolen. This takes a few minutes to set up and could prevent serious data exposure later.
- Test that your backup actually works: Restore a single file from your backup to confirm it is working correctly. Many people discover their backup has been failing silently only when they need it most.
- Review your social media privacy settings: Check who can see your posts, your location, and your personal information on each social media account. Fully public profiles give scammers and identity thieves easy access to information they can use against you.
- Apply the 3-2-1 backup rule: Keep 3 copies of important data, stored on 2 different types of media, with 1 copy held offsite or in the cloud. This approach protects against ransomware, hardware failure, fire, and theft simultaneously.
- Review what data Google holds about you: Visit your Google account's privacy settings, review what activity and personal data is stored, and turn off any collection you are not comfortable with. This includes location history, search history, and ad personalisation.
- Remove personal contact details from your social media profiles: Review every social media profile and remove any personal information you do not need to share publicly — phone number, home address, birthday, and workplace. This information is routinely harvested for use in targeted scams and identity theft.
- Set a strong screen lock on your phone: Set a PIN, password, or biometric lock on your phone so that no one can access it if it is lost or stolen. A screen lock is the single most important protection on a mobile device.
- Set your phone to lock automatically after 30 seconds: Configure your phone to lock itself automatically after 30 seconds of inactivity. If you put your phone down and walk away, it will lock before anyone else can pick it up and access it.
User Access Control
- Set up two-factor authentication on your email: Add two-factor authentication (2FA) to your email account so a password alone is not enough to get in.
- Use a password manager: Install a password manager and use it to create and store a unique, strong password for every account.
- Change any weak or reused passwords: Identify and replace passwords that are short, simple, or used on more than one account.
- Review connected apps in your Google or Microsoft account: Check which third-party apps have been granted access to your Google or Microsoft account and remove any you no longer use.
- Create separate admin and day-to-day user accounts: Use a standard (non-admin) account for everyday tasks. Only switch to the admin account when you need to install software or change system settings.
- Use a password manager: Install a password manager and move your passwords into it. A password manager generates and stores strong, unique passwords for every account — so you only need to remember one.
- Switch to an authenticator app for two-step verification: Replace text message codes with a dedicated authenticator app (such as Google Authenticator or Authy) on your most important accounts. Authenticator app codes cannot be intercepted by SIM-swap attacks.
- Audit your most important account passwords: Check that your email, banking, and social media accounts all have strong, unique passwords. Replace any that are reused across multiple sites or that are short and easy to guess.
- Sign up for data breach alerts: Register your email address on Have I Been Pwned (haveibeenpwned.com) to receive free alerts if your details appear in a future data breach. You will hear about it before an attacker tries to use it.
- Check your credit report for signs of identity theft: Run a free credit check via Experian, Equifax, or TransUnion to see if anyone has applied for credit in your name. Catching identity theft early limits the financial and personal damage significantly.
- Add a hardware security key to your most important accounts: A hardware security key (such as a YubiKey) is the most secure form of two-step verification available. Adding one to your email account and other critical accounts eliminates the risk of phishing-based account takeover entirely.
- Turn on login alerts for your social accounts: Enable notifications for new logins on your Facebook, Instagram, X, and other social media accounts. You will be alerted immediately if someone accesses your account from an unrecognised device.
- Store your account recovery codes safely: Print or securely save the recovery codes for your most important accounts — particularly those protected by an authenticator app. Recovery codes are the only way back in if you lose access to your authenticator.
- Review and reduce app permissions on your phone: Check which apps have access to your location, camera, microphone, and contacts, and remove any permissions that are not needed. Many apps request more access than they actually need to function.
Malware Protection
- Enable real-time virus protection on all devices: Make sure a reputable antivirus / anti-malware tool with real-time scanning is active on every computer you use.
- Enable safe browsing in your web browser: Turn on phishing and malware protection in Chrome, Firefox, Safari, or Edge to warn you before you visit dangerous sites.
- Never open unexpected email attachments or links: Treat any unexpected file attachment or link — even from someone you know — with suspicion before you click.
- Install approved security software on all business devices: Ensure every device used for work has an approved, up-to-date endpoint protection tool installed and monitored.
- Learn how to spot a phishing email: Learn the three things to check before clicking any link in an email. Phishing is responsible for the majority of account takeovers and business email compromises in the UK.
- Learn to recognise common UK scams: Get familiar with the scams most commonly used against people in the UK right now — from fake parcel delivery texts to HMRC phone calls. Knowing what to expect is the first line of defence.
- Set up email authentication for your domain (SPF, DKIM, DMARC): Add SPF, DKIM, and DMARC records to your domain's DNS settings. These prevent attackers from sending emails that appear to come from your business — protecting your clients, suppliers, and reputation.
- Only install apps from official app stores: Only download apps from the Apple App Store or Google Play Store — never from links in emails, text messages, or websites. Apps from unofficial sources bypass the security checks that Apple and Google apply to every app.
Software Updates
- Enable automatic operating system updates: Turn on automatic updates for Windows, macOS, iOS, or Android so security patches are applied as soon as they are released.
- Keep your web browser up to date: Check that your browser (Chrome, Firefox, Safari, Edge) is on the latest version and set to update automatically.
- Enable automatic firmware updates on your router: Check whether your router can update its firmware automatically and turn this feature on if available.
- Set a monthly reminder to update all apps: Manually check for and install updates for all installed apps on your computer and phone once a month.
- Establish a patch management process for your business: Create a documented process to ensure all business devices and software are patched within 14 days of a critical update being released.
- Keep your phone's operating system up to date: Enable automatic updates on your iPhone or Android phone so that security patches are installed as soon as they are released. Outdated phone software is one of the most common ways attackers gain access to devices.