Five simple steps to start your Cyber Essentials journey as a charity

Dec 11, 2025 | Charities, Cyber Essentials

Protecting Your Charity with Cyber Essentials

Like all organisations, charities increasingly rely on digital tools to manage operations and store sensitive data. However, this reliance also increases their exposure to cyber threats. According to the latest Cyber Security Breaches Survey, around a third of UK-based charities reported experiencing a cyber security breach or attack in the past year.

While many charities operate on tight budgets, cyber security doesn’t have to be expensive or overwhelming. Cyber Essentials, the UK Government’s minimum baseline standard for cyber security, is an affordable and effective way to protect your charity. This annually renewable certification scheme consists of five technical controls designed to prevent the most common internet-based cyber threats.

Here are five simple steps to help your charity start its Cyber Essentials journey:

Step 1: Use the Cyber Essentials Readiness Tool

Before beginning the certification process, evaluate your charity’s current cyber security measures using the free Cyber Essentials Readiness Tool. This interactive tool acts as a gap analysis to help you identify areas where your charity may fall short and provides tailored guidance to address any weaknesses.

At the end of the process, you’ll receive a personalised action plan outlining the steps needed to prepare for certification. This step ensures your organisation is ready to meet the required standards.

Step 2: Prepare for Cyber Essentials

The second step is preparation. Begin by downloading the free assessment questions and Requirements for IT infrastructure document. These resources outline the five key technical controls that form the foundation of Cyber Essentials:

Firewalls – Create a security filter between the internet and your network.

Secure Configuration – Set up computers securely to minimise vulnerabilities.

Security Update Management – Prevent cyber criminals from exploiting software vulnerabilities.

User Access Control – Manage who can access your data and services.

Malware Protection – Identify and immobilise malicious software before it causes harm.

Reviewing these documents will help you understand what’s required for certification. Decide whether to complete the self-assessment independently or seek professional guidance. Thorough preparation is key to success.

Step 3: Consult a Cyber Advisor (if needed)

For smaller charities with limited resources or technical expertise, navigating cyber security can be challenging. Cyber Advisors, assured by the National Cyber Security Centre (NCSC), are available to provide tailored support. Eligible small and medium-sized enterprises (SMEs) with fewer than 250 employees can access a free 30-minute consultation with a Cyber Advisor.

During this session, you’ll receive practical, jargon-free advice on improving your cyber security, insights into the certification process, and recommendations to address gaps. Advisors can also help define the scope of your certification, such as which IT systems and devices are included. This support is especially valuable for charities that need guidance in implementing essential cyber security measures.

Step 4: Complete the Self-Assessment

Once you’re ready, register and pay for the certification. You’ll receive login details to access a secure online platform where you’ll answer the assessment questions about your charity’s cyber security. These questions cover the scope of your IT network, including staff, devices, cloud services, and software, as well as the five technical controls.

Take your time to answer the questions thoroughly, ensuring your organisation meets the requirements. A senior member of your organisation must sign a declaration confirming the accuracy of your responses. This step is crucial as it ensures that your charity’s cyber security measures align with the Cyber Essentials standards.

Step 5: Certify to Cyber Essentials

After completing the self-assessment, submit your responses through the secure online platform. A qualified Assessor will review your answers within three working days. If your application meets the requirements, you will receive your Cyber Essentials certificate, which is valid for one year. Additionally, eligible organisations may receive cyber liability insurance as part of the certification.

If the Assessor identifies areas that need improvement, you’ll have the opportunity to make adjustments and resubmit your application within two working days. This process ensures that your charity has the chance to address any gaps and achieve certification successfully.

Why Cyber Essentials Matters for Charities

Implementing Cyber Essentials controls is a vital step in protecting your charity from cyber threats. It demonstrates your commitment to safeguarding sensitive donor and beneficiary data, and gaining certification opens the door to new funding opportunities and contracts, enhancing your reputation.

By following these five simple steps, your charity can strengthen its cyber resilience, protect its operations and ensure it’s well-equipped to defend itself against cyber attacks.