top of page

Charities – know how to protect yourself when staff leave your organisation

It might surprise you to learn that there are over 22000 charities across the Eastern region.

26% have reported being a victim of a cyber-attack over the past 12 months.

One of the biggest cyber threats to charities comes from the people that work within them – either through lack of staff awareness or through the insider threat of staff / former staff acting in a malicious way. Whilst we are not telling you to mistrust your people, it is critical that you ensure that you have strong and clear policies and procedures in place to protect your organisations when people move on.

By joining the ECRC free core membership you can learn how to protect your company from common cyber threats.

Employee turnover is a natural part of the life cycle of any company - the voluntary and seasonal nature of charities means that this is even more of an issue.

So, what steps should your company take when an employee leaves?

Here is a checklist to see departing employees out the door, securely.

1. Conduct an Exit Interview

Review document retention requirements including the process for saving electronic and print documents. (This ensures that important documents can still be located and retrieved after they’ve left.)

Discuss any company devices that need to be returned (This ensures that company devices don’t leave ‘accidentally’.)

Review any company-related accounts they have access to – social media accounts, software subscriptions, email accounts etc. (This ensures that these accounts can be properly handed over)

Review access to credit cards including related online reconciliation accounts (This ensures unauthorised use is prevented.)

Identify how they can be reached if the company needs to get in contact after their last day.

2. Retrieve Company Devices

It’s important to maintain a list of all equipment and devices that have been distributed to employees – this can include any laptops, phones, tablets, navigation systems, cameras, cables and peripherals.

You must request that the employee returns any equipment that was issued to them before their departure. This includes any backup devices like flash drives, CDs, and external hard drives. Far too many data breaches are the result of a stolen or a lost device, so take care to mitigate this risk by identifying and collecting all devices.

3. Deactivate Company Email Addresses and Remote Access Accounts

Email accounts and all computer network accounts for this user should be deactivated on the day of departure to prevent the ex-employee from accessing company information after they’ve left the building.

To ensure continued communications with external clients, it’s a good idea to implement a process to allow ex-employee emails to be forwarded to their supervisor.

Check out this short video to learn more about the importance of access controls.

4. Change ALL The Passwords

All accounts linked to the employee should have been reviewed in the exit interview. These important accounts will need to be properly handed over by the employee to their replacement or supervisor. Once they’re gone, you need to update any of the passwords to the accounts they had access to. This includes changing the PINs or passwords to any corporate credit cards or financial accounts.

5. Collect All Company-Related Keys, Pass-Cards, And ID Tags

On their last day, you need to make sure that the employee hands back any items used to gain access to the building/parking. It’s advisable to let the security team know when the employee’s last day is, just to ensure that security knows they’re cutting ties with the company.

If that employee has any access codes to computer-based building security systems, these will need to be changed and new codes will have to be distributed to the necessary staff.

Conclusion: Invest a little bit of time with employees and volunteers who leave your charity.

Given that theft of company information can lead to massive financial loss, coupled with the fact most cyber security breaches occur with inside help (either malicious or unwittingly) – it’s clear that companies need to take precautionary steps when employees leave. Putting these key steps into practice will help prevent incidents of deliberate sabotage to company data (i.e. destruction, alteration or removal of business information) and will help keep the door shut, once the employee has left the building.

Come to the ECRC website to find out more about this and many other areas of cyber resilience. If you sign up for free membership, we will walk you through the basics and help you to protect your company and the data that it holds. Core Membership | The Eastern Cyber Resilience Centre (


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page