Ultimate Guide to Cyber Essentials for Charities and Nonprofits

Cyber Essentials is a UK government-backed cybersecurity certification scheme. It is designed to help charities and nonprofits stay secure and resilient in the face of cyber threats.

Charities and nonprofits are increasingly relying on technology for fundraising, communication, and operations. Digital transformation has become a key element in every business strategy, resulting in the increased collection and online storage of data. This means that charities are faced with a growing need to protect their digital assets from cyber threats. Cybercrime is a growing concern amongst charities throughout the UK. The Charity Fraud Report 2024 was a survey that examined many different charity fraud examples and perceptions about them. According to the report, in 2023, incidents of fraud involving substantial financial losses saw a 60% surge compared to the previous year. This guide will cover the benefits of Cyber Essentials, how to become certified, and best practices for maintaining cyber security. This guide will provide actionable insights to help you secure your organisation against cyber threats.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed cybersecurity certification scheme that was launched in 2014. Its purpose is to help organisations protect themselves against common cyber threats. It outlines a set of basic security controls that organisations must implement to safeguard their systems and data.

The certification shows that an organisation has taken necessary steps to protect itself against cyber attacks. This effectively guards against the loss of data, revenue, and reputation. Cyber Essentials certification provides organisations with a framework to follow in order to protect their data from cyber attacks.

Cyber Essentials mainly focuses on 5 areas of cyber security:

• Boundary Firewalls and Internet Gateways – Firewalls and gateways help to keep attackers or external threats from gaining access to your system in the first place.
• Secure Configuration – Secure configuration refers to security measures implemented when building and installing computers and network devices to reduce unnecessary cyber vulnerabilities.
• Access Control – Cyber Essentials Certification requires that you control access to your data through user accounts, that administrative privileges are only given to those who need them, and that what an administrator can do with those accounts is controlled.
• Malware Protection – Cyber Essentials also requires you to implement a malware protection mechanism on all devices in scope.
• Patch Management – Patch management is about keeping software on computers and network devices up to date and capable of resisting low-level cyber attacks. Cyber Essentials requires this.

In this webinar from our 2022 Small Charity IT Day, Becca from the National Cyber Security Centre and Neil from IASME, offer their expertise on the certification process and assess the readiness tool to evaluate your current cybersecurity measures. They also walk you through each of the 5 critical controls to secure IT systems in your charity.

Choosing the Right Cyber Essentials Certification Level

With Cyber Essentials, there are two different levels to the scheme:

1. Cyber Essentials
2. Cyber Essentials Plus

Cyber Essentials

Cyber Essentials self-assessment option gives your charity protection against a wide variety of the most common cyber attacks. This certification offers you peace of mind that your defences will protect against the vast majority of common cyber attacks. This is because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.

Cyber Essentials Plus

Cyber Essentials Plus is the second level of the scheme. It still has the same Cyber Essentials trademark and required protections as the Cyber Essentials. The difference is that a hands-on technical verification is carried out.

What are the benefits of Cyber Essentials Certification for Charities?

Becoming Cyber Essentials certified provides numerous benefits to charities. The main benefits of Cyber Essential Certification for charities are:

1. Enhance the security for your charity – Cyber Essentials gives your charity more awareness of your current cyber security.
2. Proactive approach to charity cyber security and protection against common cyber threats – this can be done by Implementing the security controls outlined in Cyber Essentials which will effectively reduce the risk of cyber attacks and data breaches on your charity.
3. Increase donor confidence – Donors are more likely to trust an organisation that prioritises cybersecurity and is committed to safeguarding their personal information.
4. Helps charities comply with UK data protection regulations like GDPR – By identifying potential security vulnerabilities, charities can reduce their exposure to legal risks associated with data breaches. To learn more about the General Data Protection Regulation (GDPR) and how to collect, store and process personal data read our The Essential Guide to GDPR and Data Protection For Charities.
5. Simplified procurement – the government requires all contractors and suppliers to hold an up-to-date Cyber Essentials certificate. This applies to all companies that handle sensitive data for or on behalf of the government. Your charity can rest assured that their data is secure with Qlic, as we are Cyber Essentials certified!

How your Charity can get Accreditation

Qlic is not only Cyber Essentials certified but also offers specialised assistance for charities seeking certification in cyber security through its Managed Cyber Security solutions.

We can help your charity to pass the Cyber Essentials criteria and become certified with ease.

We also suggest Cyber Essentials insurance. The presence of cyber insurance will provide vital incident response services and cover your costs in your hour of need. The insurance provided with certification gives you £25,000 limit of indemnity. However, you may want to purchase a higher limit of cover in case you suffer a severe breach.

The NCSC’s Cyber Essentials Partner the IASME consortium is another company that can help your charity become certified. The NCSC stands for National Cyber Security Centre and provides cyber security governance for charities. Nonprofits can leverage the NCSC’s services to gain valuable insights into current threats and vulnerabilities. Moreover, they can receive expert guidance on implementing cybersecurity practices.

Can Charities Get Cyber Essentials For Free?

The NCSC’s IASME offers eligible charity organisations a certain amount of time with expert support. This is to help you implement the five criteria measures needed to gain Cyber Essentials certification. This is then followed by verification that the criteria measures are in place in order to achieve the Cyber Essentials certification.

This offer is currently running for small charities that process personal data. For example, eligible nonprofits would include those working in safeguarding such as domestic abuse charities or online chat support services.

The pricing structure was revised in January 2023 (source:) https://iasme.co.uk/cyber-essentials/

Get started with the Cyber Essentials readiness toolkit

Charities and nonprofits looking to become Cyber Essentials certified should initially take a look at Cyber Essentials readiness toolkit. The Cyber Essentials toolkit provides a list of questions designed to help you learn more about your current cyber security within your organisation. Each question will prompt you to consider a different aspect of security. This will help you to become certified while also providing great cyber security training for charities.

Final Thoughts on Cyber Essentials for Charities

As digital transformation and cloud technologies take centre stage, it’s important that charities take a proactive approach against the threat of cyber attacks and data breaches. By becoming Cyber Essentials certified, nonprofits can enhance their cybersecurity posture, protect sensitive data, and maintain donor trust.

Remember, cyber security is not a one-and-done task but a continuous effort to stay ahead of evolving cyber threats. Demonstrate ongoing security commitment to stakeholders and enhance your reputation and operational integrity.

If you would like to know more about Cyber Essentials, book your free Cyber Essentials consultation by clicking the button below!

If you would like to know more about Cyber Essentials, book your free Cyber Essentials consultation by clicking the button below!