Cyber Essentials Guidance For Charities
Charities hold sensitive data on beneficiaries, supporters and volunteers which is attractive to criminals and if breached can lead to regulatory issues and litigation. They also handle frequent and varied financial transactions but often lack resources to provide robust security, modern equipment & staff training. Criminals attack charities via the internet in the same way as they attack other organisations, seeking to steal information and money, deliver ransomware into their network or access their email account to impersonate them.
Criminals will also try to access the organisations that supply services to the charity to gather information to launch a bigger, more targeted attack. Since the pandemic, more charities than ever have moved their services online and their volunteers to working remotely. This means that the ways to attack charities over the internet have multiplied; it is a crucial time to have some robust cyber security in place.
Cyber Essentials consists of five controls that will reduce the impact of common cyber-attack approaches by up to 80% and could reduce potentially large-scale damage from one phishing email. With Cyber Essentials certification, a charity can take control of its cyber risk and show responsibility towards its customers, supply chain and the information it is trusted with.
Below, we explore how some of the terminology used in Cyber Essentials applies to the charity sector.
What is the scope of your certification?
If part of your network or assets are not compliant with the Cyber Essentials requirements (e.g. some of your volunteers are using unsupported devices), you have the option to certify just a sub-set of your infrastructure or to exclude a sub-set of your infrastructure. To create a sub-set, you need to separate that part of your network from the rest of your infrastructure. This is to protect the in-scope part of your network from the out-of-scope part. It can be done by using an additional boundary firewall or VLAN segregation. If you only certify part of your infrastructure, then whole company certification will not be possible, and you will not be eligible for the included insurance.
Home workers
Any of your employees or volunteers working at home, for any period of time, at the time of the assessment are classed as home workers. A worker’s home router does not have to be included in the Cyber Essentials assessment unless it is provided by the charity, in which case it needs to have the Cyber Essentials controls applied to it.
In addition to technical controls, charities need to ensure that the appropriate policies for remote/home working are in place.
(See guidance on remote working and BYOD)
It is important that home workers enable and correctly configure the software firewalls on their computers.
Mobile devices
All mobile devices (phones/tablets), whether belonging to the charity or the employees (BYOD), which are used to access the internet and can also access organisational data or services, such as email, have to be included in the Cyber Essentials assessment.
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD) is a widespread term for when an organisation allows employees to use their own laptops, tablets or phones for work purposes. All devices which access organisational data or services have to be included in the assessment including devices that are personally owned by the employees or volunteers but used for work.
Devices which are personally owned usually cover a wide range of different makes, models and settings, so verifying that the Cyber Essentials controls are in place can be difficult, but it is important to ensure the correct security is in place.
Organisational data
Organisational data includes any electronic data belonging to the charity, e.g. emails, office documents, database data and financial data. This does include company emails (so if volunteers receive emails on their own devices, these devices need to be included in the scope).
Organisational services include any applications or services, e.g. web applications and email accounts.
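The scoping rules above (home routers only when charity-provided, any device that touches organisational data or services, BYOD included, and unsupported devices needing segregation or exclusion) applied to a constructed asset inventory. This is an added illustration, not part of the IASME guidance; the device attributes and helper names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    kind: str                # "laptop", "phone", "tablet" or "router"
    charity_owned: bool      # provided by the charity, or personal (BYOD)
    accesses_org_data: bool  # e.g. receives charity email or opens office documents
    os_supported: bool       # vendor still issues security updates

def in_scope(d: Device) -> bool:
    """Decide whether a device falls inside the Cyber Essentials assessment."""
    if d.kind == "router":
        # A home router is only in scope when the charity provided it
        return d.charity_owned
    # Anything accessing organisational data or services is in scope, BYOD or not
    return d.accesses_org_data

def classify(devices):
    """Split an inventory into compliant, needs-segregation and out-of-scope names."""
    compliant, needs_segregation, out_of_scope = [], [], []
    for d in devices:
        if not in_scope(d):
            out_of_scope.append(d.name)
        elif d.os_supported:
            compliant.append(d.name)
        else:
            # In scope but unsupported: segregate (firewall/VLAN) or exclude before assessment
            needs_segregation.append(d.name)
    return compliant, needs_segregation, out_of_scope

# Constructed sample inventory (hypothetical devices)
SAMPLE = [
    Device("vol-phone-1", "phone", False, True, True),     # BYOD phone with charity email
    Device("vol-router-1", "router", False, True, True),   # volunteer's own home router
    Device("office-router", "router", True, True, True),   # router the charity supplied
    Device("old-laptop", "laptop", True, True, False),     # charity laptop, OS out of support
    Device("vol-tablet-2", "tablet", False, False, True),  # personal tablet, no org data
]

if __name__ == "__main__":
    for label, names in zip(("compliant", "segregate/exclude", "out of scope"), classify(SAMPLE)):
        print(f"{label}: {names}")
```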
Cloud services
Charities often use cloud services, such as Microsoft 365, Google Workspace, Dropbox, Microsoft Azure and Amazon Web Services (AWS). Using cloud providers to manage these services can give charities cost, scalability and security benefits. However, it is important that charities do check the cloud provider’s security provision.
The Cyber Essentials controls need to be applied to all your cloud services. What does this mean and how can you check this has been done? When talking about security, cloud service providers often reference a ‘shared responsibility model’. This means that for some security controls, it is the cloud service that is responsible for implementation, whereas for other features it is your charity’s responsibility. Who implements which controls will vary depending on the design of the cloud service being subscribed to.
Guidance about applying the Cyber Essentials controls to cloud services
Remote IT administration
If a charity is using a third-party provider to manage its IT systems remotely, the responsibility for the controls still lies with the charity. The charity needs to be able to demonstrate that it has an understanding of the controls that are in place and confirm that they are Cyber Essentials compliant. The easiest way for a charity to provide evidence that Cyber Essentials requirements have been met by the third-party provider is to have a contractual agreement in place with the provider that includes the Cyber Essentials controls.
Further Support
The government document describing the requirements for Cyber Essentials is available here.
If you have a complex structure, you may need to seek advice from an IT support provider on how you can apply controls and whether this would allow all or part of your system to be included in the scope for Cyber Essentials.
IASME works alongside a network of qualified cyber security experts who are located all over the UK and the Crown Dependencies. They are licensed to certify against Cyber Essentials and available to offer consulting services to help you achieve certification. Find an IASME Certification Body near you.
Cyber Security Insurance
An organisation that certifies its whole organisation to Cyber Essentials AND has an income of less than £20 million AND is based in the UK or Crown Dependencies is eligible for included cyber liability insurance of £25,000. This will be provided without any additional charges or forms to complete. It is annual cover which can be renewed each year when Cyber Essentials certification is renewed. The insurance provides peace of mind through a 24-hour technical and legal incident response service in case your charity does experience a breach.