Cyber Essentials Guidance For Charities

Charities hold sensitive data on beneficiaries, supporters and volunteers which is attractive to criminals and, if breached, can lead to regulatory issues and litigation. They also handle frequent and varied financial transactions but often lack the resources to provide robust security, modern equipment and staff training. Criminals attack charities via the internet in the same way as they attack other organisations, seeking to steal information and money, deliver ransomware into their network or access their email account to impersonate them.

Criminals will also try to access the organisations that supply services to the charity to gather information to launch a bigger, more targeted attack. Since the pandemic, more charities than ever have moved their services online and their volunteers to working remotely. This means that the ways to attack charities over the internet have multiplied; it is a crucial time to have some robust cyber security in place.

Cyber Essentials consists of five controls that will reduce the impact of common cyber-attack approaches by up to 80% and could prevent potentially large-scale damage from a single phishing email. With Cyber Essentials certification, a charity can take control of its cyber risk and show responsibility towards its customers, supply chain and the information it is trusted with.

Below, we explore how some of the terminology used in Cyber Essentials applies to the charity sector. 

What is the scope of your certification?

The scope of your certification determines what will and won’t be covered by the Cyber Essentials assessment and certification. The scope should ideally be the whole organisation, including all the networks and IT systems. This gives you the most protection and could mean you qualify for included cyber liability insurance* (*Your annual funding needs to be less than £20 million and you must be based in the UK or Crown Dependencies).

If part of your network or assets is not compliant with the Cyber Essentials requirements (e.g. some of your volunteers are using unsupported devices), you have the option to certify just a sub-set of your infrastructure or to exclude a sub-set of your infrastructure. To create a sub-set, you need to separate that part of your network from the rest of your infrastructure. This is to protect the in-scope part of your network from the out-of-scope part. It can be done by using an additional boundary firewall or VLAN segregation. If you only certify part of your infrastructure, then whole-company certification will not be possible, and you will not be eligible for the included insurance.

Guidance on creating a sub-set.

Home workers

Any of your employees or volunteers working at home, for any period of time, at the time of the assessment are classed as home workers. A worker’s home router does not have to be included in the Cyber Essentials assessment unless it is provided by the charity, in which case it needs to have the Cyber Essentials controls applied to it.

In addition to technical controls, charities need to ensure that the appropriate policies for remote/home working are in place.
(See guidance on remote working and BYOD)

It is important that home workers enable and correctly configure the software firewalls on their computers.

Guidance on remote working.

Guidance about Multi-factor authentication.

Mobile devices

All mobile devices (phones/tablets), whether belonging to the charity or to employees (BYOD), which are used to access the internet and can also access organisational data or services, such as email, have to be included in the Cyber Essentials assessment.

Bring Your Own Device (BYOD)

Bring Your Own Device (BYOD) is a widespread term for when an organisation allows employees to use their own laptops, tablets or phones for work purposes. All devices which access organisational data or services have to be included in the assessment including devices that are personally owned by the employees or volunteers but used for work.
Devices which are personally owned usually come in a wide range of different makes, models and settings, so verifying that the Cyber Essentials controls are in place can be difficult, but it is important to ensure the correct security is in place.

See Guidance on BYOD

Organisational data

Organisational data includes any electronic data belonging to the charity, e.g. emails, office documents, database data and financial data. This does include company emails (so if volunteers receive emails on their own devices, those devices need to be included in the scope).

Organisational services include any applications or services, e.g. web applications and email accounts.

Cloud services

The National Cyber Security Centre (NCSC) recommends that charities consider outsourcing some of their services to the cloud, as it easily enables remote working, secure access to data, managed storage and backups.

Using cloud providers to manage these aspects can give charities cost, scalability and security benefits. However, it is important that charities do check the cloud provider’s security provision.

Charities often use cloud services such as Microsoft 365, Google Workspace, Dropbox, Microsoft Azure and Amazon Web Services (AWS). The Cyber Essentials controls need to be applied to all your cloud services. What does this mean and how can you check this has been done? When talking about security, cloud service providers often reference a ‘shared responsibility model’. This means that for some security controls, it is the cloud service provider that is responsible for implementation, whereas for other features it is your charity’s responsibility. Who implements which controls will vary depending on the design of the cloud service being subscribed to.

Guidance about applying the Cyber Essentials controls to cloud services

Guidance about the shared responsibility model

Guidance about Multi-factor authentication

Remote IT administration

If a charity is using a third-party provider to manage its IT systems remotely, the responsibility for the controls still lies with the charity. The charity needs to be able to demonstrate that it has an understanding of the controls that are in place and confirm that they are Cyber Essentials compliant. The easiest way for a charity to provide evidence that the Cyber Essentials requirements have been met by the third-party provider is to have a contractual agreement in place with the provider that includes the Cyber Essentials controls.

Guidance on working with a third-party IT provider.

Further Support

The government document describing the requirements for Cyber Essentials is available here.

If you have a complex structure, you may need to seek advice from an IT support provider on how you can apply controls and whether this would allow all or part of your system to be included in the scope for Cyber Essentials.

IASME works alongside a network of qualified cyber security experts who are located all over the UK and the Crown Dependencies. They are licensed to certify against Cyber Essentials and are available to offer consulting services to help you achieve certification. Find an IASME Certification Body near you.

Cyber Security Insurance

An organisation that certifies its whole organisation to Cyber Essentials AND has an income of less than £20 million AND is based in the UK or Crown Dependencies is eligible for included cyber liability insurance of £25,000. This will be provided without any additional charges or forms to complete. It is annual cover which can be renewed each year when the Cyber Essentials certification is renewed. The insurance provides peace of mind through a 24-hour technical and legal incident response service in case your charity does experience a breach.

Cyber liability insurance for charities.

Cyber Essentials Readiness Tool

Once you have read the guidance, head over to the Cyber Essentials Readiness Tool – a free online tool, accessible as a set of interactive questions on the IASME website. Working through the questions will inform you about your charity’s level of cyber security and which aspects you need to focus on. Based on your answers, you will be directed towards guidance written in plain English and, at the end of the process, presented with a tailored action plan and detailed guidance for your next steps towards certification.