This time last year, the National Cyber Security Centre (NCSC) launched the Funded Cyber Essentials Programme to help fund micro and small organisations to protect against many of the most common cyber attacks.
The funded programme initially targeted legal aid and charity sub-sectors, followed by a second roll out in the spring, targeting small domestic abuse charities and legal aid firms. This month, a third programme has been launched, aimed at small businesses working on the development of fundamental Artificial Intelligence (AI) technologies. The programme provides funding and support for small organisations in the specified sectors to gain Cyber Essentials Plus certification.
The background
Cyber attacks come in many shapes and sizes, but the vast majority are basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked.
Unfortunately, though, too many organisations are often still leaving their digital front door ajar.
So, as part of the Government’s National Cyber Strategy, a pledge was made to help businesses and organisations navigate the often complex cyber security market, to make it easier for small organisations to access basic advice. Advice that, if followed, will close the door on the most common cyber attacks.
Cyber Essentials
At the heart of this advice is Cyber Essentials, a government-backed certification scheme that helps organisations, whatever their size, to protect themselves against a whole range of such attacks.
There are two levels of certification: Cyber Essentials is a self-assessed, independently verifying option; while Cyber Essentials Plus requires an independent technical audit.
And while the awareness – and subsequent adoption – of Cyber Essentials continues to grow, the NCSC has taken steps to accelerate this growth by providing free, targeted support to some of the most vulnerable small organisations in the UK, ensuring high risk sectors are protected – along with the sensitive information they hold.
The Funded Cyber Essentials Programme
Some sectors are at greater risk of cyber attack than others. This can be because of the sensitive information these sectors deal with, or that they are seen as an ‘easy target’ for cyber criminals. Or both.
Through engagement with industry and wider government, the NCSC has identified the sectors that require additional support in implementing cyber security protections. Moreover, it has identified those organisations who have a low level of cyber maturity and work with data that’s sensitive and of significant impact if disrupted.
The aim
The NCSC wants to ensure some of the most vulnerable parts of society are receiving the right cyber security advice and have baseline cyber security controls in place. To do that, the Funded Cyber Essentials Programme supports small organisations (those that employ less than 50 staff) – that may not have the resources to implement some of the fundamental cyber security controls needed to protect themselves – to achieve Cyber Essentials Plus certification.
For the first cohort, charities and legal aid were identified as the key sub-sectors to launch this programme as, in the case of legal aid firms, they often have limited financial resources, coupled with highly sensitive data relating to family, vulnerable individuals or criminal cases. The impact of a cyber attack could present not only a potential threat to life, but also impact on judicial procedures. Equally, charities – particularly those that offer support services such as online counselling and helplines – were also singled out as a high-risk, sub-sector.
The results
Qualifying organisations received support from one of IASME’s network of Certification Bodies, to review the technical controls and implement changes to the organisation’s systems as required.
The results from that first programme indicate that of the 369 applications that were approved, 78% were charities and 22% were legal aid firms. The vast majority of organisations found it easy to apply for the Funded Programme and get started.
Further programmes
Following the success of the initial programme, a second cohort was launched in the spring of 2023. The second programme was targeted at small domestic abuse charities and again legal aid firms. The launch of the second cohort allowed the NCSC to utilise the skills of new, assured Cyber Advisors. The Cyber Advisor scheme was launched in April 2023, assuring providers to work specifically with small organisations, to offer advice and hands-on help in meeting the Cyber Essentials technical controls.
A third cohort has been launched this month. This time the programme targets micro or small businesses registered in the UK and working on the development of fundamental Artificial Intelligence (AI) technologies.
The solution
Qualifying organisations receive around 20 hours of remote support with a Cyber Advisor. This time will be spent identifying and implementing improvements that are right for the size and needs of the organisation and supporting them in implementing the 5 Cyber Essentials technical controls. This will be followed by a hands-on technical verification that the controls have been put in place.
Even if it isn’t possible for the organisation to achieve Cyber Essentials Plus, the Advisor will help the organisation implement as many of the controls as possible and give a clear list of the additional actions they need to undertake to become CE+ compliant.
Organisations that have received support from the programme say:
“The programme provided a focus to our cyber security work including increasing senior management buy-in.”
“It provided us with the focus and support to tackle and improve our cyber security – something that had been on our “wish list” for a number of years.”
“We’ve had to learn so much more about our system and structure… We’re so much better positioned now. I’m actually really keen to learn more and see what other improvements we can make with our newfound knowledge and confidence. Please carry on supporting small orgs and charities to do this, it’s so worth it!”
“I already feel that we have implemented some changes which will make a difference moving forward and give me a lot more confidence that our processes and systems are robust.”
Find out more about this year’s funded programme and who is eligible for support.