How-To Guides
Practical, step-by-step cybersecurity task walkthroughs written for real people — no jargon, no IT background required.
48 walkthroughs covering all five UK Cyber Essentials control areas.
Firewalls
Be careful what you do on public Wi-Fi on your phone
Avoid accessing banking apps, email, or any account that contains sensitive information when connected to public Wi-Fi. Public networks in cafés, hotels, and airports are not secure.
Change your router's default password
Your router comes with a factory default password that is easy for attackers to guess. Change it to a strong, unique password.
Enable Windows Defender Firewall
Make sure Windows Defender Firewall is turned on for both private and public networks on your Windows computer.
Enable your router's built-in firewall
Most routers include a built-in firewall that filters incoming traffic. Check that it is switched on.
Review firewall rules on your business router
Check that only necessary ports are open on your business network router. Close any ports that are not required.
Set up a guest Wi-Fi network at home
Create a separate Wi-Fi network for visitors and smart home devices. A guest network isolates your main computers and phones from anything you do not fully control or trust.
Secure Configuration
Apply the 3-2-1 backup rule
Keep 3 copies of important data, stored on 2 different types of media, with 1 copy held offsite or in the cloud. This approach protects against ransomware, hardware failure, fire, and theft simultaneously.
Back up your most important files
Set up automatic backup to the cloud for your photos, documents, and important files. If your device is lost, stolen, or infected with ransomware, a backup means you don't lose everything.
Disable remote desktop access if not needed
If you do not use Remote Desktop Protocol (RDP) or similar remote access tools, disable them on your computers.
Enable full-disk encryption on your laptop
Turn on BitLocker (Windows) or FileVault (Mac) to encrypt everything on your laptop's hard drive.
Remove personal contact details from your social media profiles
Review every social media profile and remove any personal information you do not need to share publicly — phone number, home address, birthday, and workplace. This information is routinely harvested for use in targeted scams and identity theft.
Remove unused apps and software
Uninstall applications you no longer use from your devices. Every extra app is a potential vulnerability.
Review app permissions on your phone
Check which apps have access to your camera, microphone, location, and contacts. Remove permissions that aren't needed.
Review what data Google holds about you
Visit your Google account's privacy settings, review what activity and personal data is stored, and turn off any collection you are not comfortable with. This includes location history, search history, and ad personalisation.
Review your social media privacy settings
Check who can see your posts, your location, and your personal information on each social media account. Fully public profiles give scammers and identity thieves easy access to information they can use against you.
Set a strong screen lock on your phone
Set a PIN, password, or biometric lock on your phone so that no one can access it if it is lost or stolen. A screen lock is the single most important protection on a mobile device.
Set your phone to lock automatically after 30 seconds
Configure your phone to lock itself automatically after 30 seconds of inactivity. If you put your phone down and walk away, it will lock before anyone else can pick it up and access it.
Set your phone up to erase itself if it's ever lost or stolen
Set your phone up so that if it is ever lost or stolen, you can erase everything on it from any other device. This takes a few minutes and could prevent serious data exposure.
Test that your backup actually works
Restore a single file from your backup to confirm it is working correctly. Many people discover their backup has been failing silently only when they need it most.
Use a VPN when connecting to public Wi-Fi
A VPN is a free or cheap app that scrambles your connection when you use public Wi-Fi in coffee shops, hotels, and airports. Without one, anyone else on the same network could potentially read your emails or login details.
User Access Control
Change any weak or reused passwords
Identify and replace passwords that are short, simple, or used on more than one account.
Check and update the passwords on your most important accounts
Check that your email, banking, and social media accounts all have strong, unique passwords. Replace any that are reused across multiple sites or that are short and easy to guess.
Check your credit report for signs of identity theft
Run a free credit check via Experian, Equifax, or TransUnion to see if anyone has applied for credit in your name. Catching identity theft early limits the financial and personal damage significantly.
Create separate admin and day-to-day user accounts
Use a standard (non-admin) account for everyday tasks. Only switch to the admin account when you need to install software or change system settings.
Review and reduce app permissions on your phone
Check which apps have access to your location, camera, microphone, and contacts, and remove any permissions that are not needed. Many apps request more access than they actually need to function.
Review connected apps in your Google or Microsoft account
Check which third-party apps have been granted access to your Google or Microsoft account and remove any you no longer use.
Save your backup sign-in codes somewhere safe
Print or securely save the backup codes for your most important accounts — especially those protected by a login-code app. These codes are the only way back in if you lose your phone.
Set up two-factor authentication on your email
Add two-factor authentication (2FA) to your email account so a password alone is not enough to get in.
Sign up for data breach alerts
When a website is breached, attackers often obtain email addresses and passwords and then try those same details on banking, email, and social media accounts to see what else they can get into. Being alerted as soon as your email appears in a breach gives you time to change passwords and secure accounts before an attacker tries them.
Turn on login alerts for your social accounts
Enable notifications for new logins on your Facebook, Instagram, X, and other social media accounts. You will be alerted immediately if someone accesses your account from an unrecognised device.
Use a password manager
Install a password manager and move your passwords into it. A password manager generates and stores strong, unique passwords for every account — so you only need to remember one.
Use a password manager
Install a password manager and use it to create and store a unique, strong password for every account.
Use a physical security key to lock down your most important accounts
A hardware security key (such as a YubiKey) is the most secure form of two-step verification available. Adding one to your email account and other critical accounts eliminates the risk of phishing-based account takeover entirely.
Use an app for your login codes instead of texts — it's more secure
Replace text message login codes with a free app such as Google Authenticator on your most important accounts. App-generated codes are more secure because they cannot be stolen, even if someone takes over your phone number.
Malware Protection
Enable real-time virus protection on all devices
Make sure a reputable antivirus / anti-malware tool with real-time scanning is active on every computer you use.
Enable safe browsing in your web browser
Turn on phishing and malware protection in Chrome, Firefox, Safari, or Edge to warn you before you visit dangerous sites.
Install approved security software on all business devices
Ensure every device used for work has an approved, up-to-date endpoint protection tool installed and monitored.
Learn how to spot a phishing email
Learn the three things to check before clicking any link in an email. Phishing emails are responsible for the majority of hacked accounts in the UK — and they are getting harder to spot.
Learn to recognise common UK scams
Get familiar with the scams most commonly used against people in the UK right now — from fake parcel delivery texts to HMRC phone calls. Knowing what to expect is the first line of defence.
Never open unexpected email attachments or links
Treat any unexpected file attachment or link — even from someone you know — with suspicion before you click.
Only install apps from official app stores
Only download apps from the Apple App Store or Google Play Store — never from links in emails, text messages, or websites. Apps from unofficial sources bypass the security checks that Apple and Google apply to every app.
Set up email authentication for your domain (SPF, DKIM, DMARC)
Add SPF, DKIM, and DMARC records to your domain's DNS settings. These prevent attackers from sending emails that appear to come from your business — protecting your clients, suppliers, and reputation.
Software Updates
Enable automatic firmware updates on your router
Check whether your router can update its firmware automatically and turn this feature on if available.
Enable automatic operating system updates
Turn on automatic updates for Windows, macOS, iOS, or Android so security patches are applied as soon as they are released.
Establish a patch management process for your business
Create a documented process to ensure all business devices and software are patched within 14 days of a critical update being released.
Keep your phone's operating system up to date
Enable automatic updates on your iPhone or Android phone so that security patches are installed as soon as they are released. Outdated phone software is one of the most common ways attackers gain access to devices.
Keep your web browser up to date
Check that your browser (Chrome, Firefox, Safari, Edge) is on the latest version and set to update automatically.
Set a monthly reminder to update all apps
Manually check for and install updates for all installed apps on your computer and phone once a month.