Charities hold valuable data on beneficiaries, supporters and volunteers as well as invoice and payment details. Criminals attack charities via the internet in the same way as they attack other organisations, seeking to steal information and money, deliver ransomware into their network or access their email account to impersonate them.
Criminals will also try to access the organisations that supply services to the charity to gather information to launch a bigger, more targeted attack. Since the pandemic, more charities than ever have moved their services online and their volunteers to working remotely. This means that the ways to cyber attack the charity have multiplied and there has never been a better time to get the key cyber security controls in place.
Below we explore how some of the Cyber Essentials terminology applies to the charity sector. Once you have read the guidance, you may want to take a look at the Cyber Essentials Readiness Tool – a free, online tool that will help get you started on the Cyber Essentials journey.
What is the scope of your certification?
The scope of your certification determines what will and won’t be covered by the Cyber Essentials assessment. It is important to identify what is in and what is out of scope.
Ideally, your scope should be the whole organisation, including all the networks and IT systems. This gives you the most protection and also means you qualify for included cyber insurance* (*Your annual funding needs to be less than £20 million and you must be based in the UK or Crown Dependencies).
You have the option to certify a sub-set of your infrastructure or to exclude a sub-set of your infrastructure. To create a sub-set you need to implement network segregation to separate it from the rest of your infrastructure. This can be achieved using an additional boundary firewall or setup VLAN segregation. If you only certify part of your infrastructure then whole company certification will not be possible and you will not be eligible for the included insurance.
Any employee working at home, for any period of time at the time of the assessment is classed as a home worker. Home worker boundaries are defined depending on the organisation’s arrangements. If an organisation provides a home router or firewall, then this needs to be listed and the controls applied accordingly.
If a full tunnel Virtual Private Network (VPN) is used to connect to organisational services and data which terminates at a boundary that the applicant controls, this can be declared as the boundary for home workers. Other commercial VPN solutions are not accepted.
In addition to technical controls, charities need to ensure that the appropriate policies for remote/home working are in place.
Where a boundary firewall is not provided and a compliant VPN not used, home workers can rely on their device’s host-based firewalls. Host-based firewalls must always be turned on and configured, regardless of what is declared as the boundary. Click here for charity specific guidance on remote working.
All Mobile devices (phones/tablets) belonging to the charity, which are used to access the internet and can access organisational data and services such as email, are in scope.
Bring Your Own Device (BYOD)
In addition to mobile devices or laptops owned by the charity, user-owned devices which access organisational data or services are in scope. Devices which are personally owned are usually set up in many different ways and verifying controls can be more challenging. Here is a link to charity specific guidance on BYOD.
Organisational data can be defined as any electronic data belonging to the charity. e.g. emails, office documents, database data, financial data. This does include company emails, (so if volunteers receive emails on their own devices these need to be included in the scope).
Organisational services can be defined as any software applications, cloud applications, cloud services, user interactive desktops and mobile device management solutions owned or subscribed to by the charity. e.g web applications, MS 365, Google Workspace, MDM Containers, Citrix Desktop, VDI solutions, RDP desktop.
The National Cyber Security Centre (NCSC) recommends that charities consider outsourcing some of their services to the cloud as it easily enables remote working, secure access to data, managed storage and back ups.
Using cloud providers to manage data storage, servers, databases, networking, and software allows charities cost, scalability and security benefits. It is recommended that charities work with their IT consultant to make the necessary checks and due diligence on cloud provider’s security protocols.
Charities often use cloud services, such as Microsoft 365, Google Workspace, Dropbox, Microsoft Azure and Amazon Web Services (AWS). The Cyber Essentials controls should be applied to the elements of the cloud services that you have control over. This information can usually be found within your cloud supplier’s shared responsibility model.
Where you do not have any control over the firewalls and software updates within your cloud service, for example, Microsoft 365 which is Software as a Service (SaaS), these services are not currently in scope for Cyber Essentials*
Presently, the Cyber Essentials question set asks you to apply the controls to the cloud services where your organisation has full control over the cloud environment’s technical controls such as firewall settings and update management. This is known as Infrastructure as a Service (IaaS) . You may have to connect to a cloud provider via a VPN (Virtual Private Network) if your charity uses this kind of cloud service.
*Please note, there will be changes to the Cyber Essentials requirements regarding cloud services coming into action from January 2022. If you register and pay for your Cyber Essentials assessment before January 2022, you will be working with the requirements that are current now, and will have 6 months from the date of registration to submit your self-assessment.
Click here for more information about the cloud.
Remote IT Administration
If a charity is using a third party provider to manage their IT systems remotely, the responsibility of the controls still lie with the charity. The charity needs to be able to demonstrate that it has an understanding of the controls that are in place and confirm that they are Cyber Essentials compliant. The easiest way for a charity to provide evidence that Cyber Essentials requirements have been met by the third party provider is to have a contractual agreement in place with the provider that includes the Cyber Essentials controls.
Click here for more guidance on working with an external IT company.
The government document describing the requirements for Cyber Essentials is available here. If you have a complex structure, you may need to seek advice from your IT support provider on how you can apply controls and whether this would allow all or part of your system to be included in the scope for Cyber Essentials. IASME has trained a team of qualified cyber security companies who are located all over the UK and the crown dependencies, they are available to offer consulting services to help you achieve certification. Certifying Bodies based and operating in Scotland are listed on the SBRC website.
Cyber Security Insurance
An organisation that can certify its whole company to Cyber Essentials AND has an income of less than £20 million AND is based in the UK or Crown Dependancies is eligible for included cyber security insurance of £25,000. This is an annual cover which can be renewed each year when Cyber Essentials certification is renewed.
Cyber Essentials Readiness Tool
Now that you have read the charity specific guidance, why not take a look at the Cyber Essentials Readiness Tool as a starting point for getting certified? Get ready for Cyber Essentials here.