The Cyber Essentials and Cyber Essentials Plus schemes are government initiatives to ensure that any organisations, including charities, can embrace a practical stance on information security. Covering five basic technical controls, the scheme provides a framework to assess the requirements that an organisation must meet in order to assure a minimum adequate approach to cyber security.
Step by step, the framework spells out the objectives and controls that need to be implemented, covering firewalls, secure configurations, user-access controls, malware protection and patch management. Meeting the requirements for each of these areas will go a long way to ensuring an organisation can demonstrate a responsible approach to cyber security. It’s a reasonably straightforward task and it’s acceptable to make a self-assessment if someone is up for the job.
For example, the requirements for firewalls cover not only the firewall that delineates the boundary between the internal networks and the external network that is the internet, but also the routers and switches that make up those internal networks and the local firewalls on the computers and laptops that connect to those networks. In brief, in order to comply an organisation must ensure that default passwords are changed, that the device cannot be reached through an administrative interface, that firewall rules are approved and documented, and that devices using untrusted networks such as Wi-Fi hotspots are protected by local firewalls.
When it comes to patch management, which should be part of the IT mantra, the requirements are equally simple. Briefly, they are to ensure that all software is licensed and, perhaps more importantly, supported, and that it is patched when updates are released, especially when a patch fixes a critical vulnerability. Meeting that requirement could have saved a lot of the disruption caused by WannaCry, for example.
Finding the technical assurances to complete a self-assessment of the Cyber Essentials requirements can take some time and requires the cooperation of the IT team. Alternatively, funds permitting, it might be more prudent to engage an accredited body to make the assessment, bringing the additional benefit of an impartial view to a charity's defences.
It’s a benefit to the charity sector that many people are able and willing to help with the assessment process, and they can often share their own experiences to guide it. The Charities Security Forum, which represents information security professionals working in charities and not-for-profits, is a good place to start, and its members will often freely offer advice and support.
Achieving a successful assessment will entitle an organisation to the Cyber Essentials accreditation. A Cyber Essentials badge displayed on corporate communications proclaims that the organisation has addressed the essential security controls, and shows supporters, beneficiaries and partners that cyber security is taken seriously.
It should be clear that charities are not immune to cyber security threats and that the risk to their operations is real, as the recent attacks on banks, on governments and on public sector bodies demonstrate. It’s highly likely that some charities will suffer collateral damage from cyber security incidents, even if they are not directly targeted. In the eyes of the public there might be no discernible difference, so it is prudent to deal with the risks sooner rather than later.
In documenting some of the risks and remedies, it’s notable that a plethora of advice and assistance is available. Cyber security for charities is much higher up the board agenda than it ever used to be, and if it isn’t at your charity then it’s time it was.