How to secure your charity
“All charities ultimately rely on public trust and continued public generosity. So the impact of any cyber attack on a charity can therefore be devastating, not just for the organisation and those who rely on its services, but also in undermining public confidence and support.
Taking steps to stay secure online is not an optional extra for trustees, but a core part of good governance.”
Helen Stephenson, Chief Executive of the Charity Commission for England and Wales
As a trustee of two charities, I understand first-hand the challenge of trying to balance prudent investment in back-office systems and infrastructure with the need to deliver the core front-line services that meet the charitable aims. However, without the back-office systems the charity’s work will quickly grind to a halt, because key functions such as safeguarding, record keeping and financial controls cannot operate without IT systems. This means the disruption that comes from a cyber-attack such as ransomware can be devastating to the daily operations of the charity, and the loss of trust and donations that would follow a data breach could leave the charity unable to continue operating. Several jurisdictions have started taking legal action (including prison) against the officers of commercial organisations for failing to provide essential cyber protections for customer and client data, and I predict that UK regulators and insurance companies will soon start to move in this direction as well.
How can you, as a trustee, know that your charity’s IT systems and networks are cyber secure – whether you rely on an in-house team or external help to manage your IT?
One very effective approach is to ensure your policies and practices align with a recognised standard that defines ‘good cyber security’ for you. In the UK, the definition of the minimum acceptable standard for cyber security is called Cyber Essentials. It does, as the name implies, define the bare essentials necessary to keep your network and internet-based services cyber secure.
We have created a free resource, The Trustees’ Guide to Cyber Essentials, which you can get here.
Get started with Cyber Essentials
Cyber Essentials is a great starting point as it gives you a clear list of all the things you must do. However, it does not tell you how to do those things.
As a Cyber Essentials Certification Body, our team evaluates many Cyber Essentials applications every month. The sad truth is that firms and charities which apply directly through the central Cyber Essentials portal have a greater than 90% failure rate for their first applications. This is not because Cyber Essentials is hard to achieve, but because the questions are not as clear as they could be, or because they require certain processes and policies to already be in place. This is why we created a special service to guide charities through the Cyber Essentials process: 4 hours of discounted consultancy, plus template policies and procedures that will ensure you are Cyber Essentials compliant – if you follow them.
Learn more about Cyber Essentials with Expert Help.
Getting Cyber Assurance
When you are ready to step up your cyber protections beyond the bare necessities of Cyber Essentials, the next step is Cyber Assurance – a scheme run by IASME, the same people who manage the Cyber Essentials Scheme for the NCSC.
Cyber Assurance is a comprehensive, flexible and affordable cyber security standard. It provides assurance that an organisation has put into place a range of important cyber security, privacy and data protection measures.
The IASME Cyber Assurance standard emerged from a UK government-initiated project, aiming to provide an affordable and realistic alternative to some of the prevailing international cybersecurity standards. Tailored for small and medium enterprises (SMEs), this standard offers a balanced way for businesses to showcase their cybersecurity measures, emphasising the safety of customer data.
Key Highlights of IASME Cyber Assurance:
Recognised Across Sectors: Various industries in the UK and abroad, including notable entities like the UK Ministry of Justice and the Government of Jersey, acknowledge the IASME Cyber Assurance certification as an alternative to other international benchmarks.
Inclusive of GDPR Requirements: IASME Cyber Assurance incorporates GDPR guidelines allowing you to demonstrate compliance with UK data protection laws.
Two levels for phased adoption: With two available levels, Level 1 Verified Assessment and Level 2 Audited, charities can choose the depth of assessment that suits them.
Prerequisite for Assurance: It's worth noting that businesses looking to adopt the IASME Cyber Assurance standard should first hold a valid Cyber Essentials certificate, ensuring a foundational level of cybersecurity.
Cyber Essentials Level 1 Verified Assessments cost between £300 and £500 annually depending on the number of employees.
For more information on Cyber Assurance or to book your assessment, click here.
International Recognition
For larger charities and those working with NHS data or safeguarding issues, the highest level of internationally recognised certification is the ISO 27001 standard for information security.
ISO 27001 is a management system which will affect almost every part of your charity, not just the IT team - so it is important that you choose to work with an implementation consultancy like Cool Waters Cyber who can help you smoothly manage all the changes that will be required to your organisation.
Once your ISO 27001 Information Security Management System (ISMS) is in place, you will need to be audited by an external and independent auditor. Pick one who is registered with UKAS to ensure your ISO certificate is recognised as valid by your stakeholders. We can recommend auditors we often work with.
Learn more about ISO 27001 or book a free initial consultation with one of our experts.
Need Help with your Charity’s Cyber Security?
Book a free initial consultation with one of our experts to better understand the options available to secure your charity. With our special charity sector terms you will find that all charities can afford the right cyber security for their size and risk profile.