We explore how cyber certification is supporting charities in keeping their cyber security up to date and reassuring funders
Find out more about Cyber Essentials
Getting cyber certified is an important step charities can take to boost their cyber security. Schemes such as Cyber Essentials, supported by the National Cyber Security Centre, ask charities to put in place core controls that can prevent and mitigate against cyber attacks, reassuring staff, volunteers, donors, trustees, and beneficiaries that their charity is secure.
Charities of all sizes can experience a cyber attack: they often house sensitive data and significant funds, yet may have limited resources with which to protect them. Charities are also less likely to see themselves as a potential target, but cyber criminals do not care about the nature of an organisation, just whether they can breach its systems. It is vital that all charities take the necessary steps to stay cyber secure. It is both an ethical and regulatory requirement.
Many charities are already getting cyber certified. Getting certified helps organisations to get to grips with their cyber security, show their audiences that they are protecting their data, and reduce the impact of common cyber attacks by up to 80%.
Just one of those charities to take full advantage of the benefits of Cyber Essentials is the Law Centres Network (LCN), a group of charities that provides free legal advice to disadvantaged communities across the UK. With more than 40 local law centres established around the country, the Law Centres Network serves as their collective voice, supports them to reach as many people as possible, and provides infrastructure to enable collaboration between different centres.
Recently, LCN has embarked on an ambitious national IT project, bringing Law Centres into the same Office 365 tenant to aid hybrid working and collaboration.
Below, Alex Charles, Head of IT and Data at LCN, shares the challenges that LCN and Law Centres face in managing data security and the impact of certifying to Cyber Essentials Plus standard.
One of the biggest challenges that charities face when it comes to cyber security is budget. While demand for services is rising, funds for digital projects can often be harder to come by, particularly in tough economic climates such as the cost-of-living crisis. Unfortunately, cyber security is often not as much of a priority as charities would like.
“Law Centres have a duty of care for their clients,” explains Alex. “Ideally, they want to make sure that their clients are receiving the best service and that all of their systems are running effectively, and the data is secure. However, charitable funds are stretched. If there’s a choice between spending the money making sure that clients are getting the advice they need or spending the money on the Law Centre’s IT infrastructure, unfortunately the IT tends to come second.”
The Funded Cyber Essentials Programme is a UK government scheme that was open to small charities and organisations that provide legal aid services. The programme covers the cost of certification, as well as the fees for a cyber security consultant to help them achieve Cyber Essentials Plus.
Cyber Essentials is an annually renewable certification scheme consisting of five technical controls that will reduce the impact of the most common cyber attacks. Cyber Essentials Plus is based on the same five controls, but also includes a technical audit of the IT systems to verify that the controls are in place.
LCN was put in touch with a Cyber Advisor (Cyber Essentials), Richard Wilding from Achilles Systems, who was very helpful throughout the process. Cyber Advisor is the National Cyber Security Centre’s Industry Assurance scheme that aims to provide small and medium-sized organisations with reliable and cost-effective cyber security advice and practical support.
“One of the things I really like about the funded programme is that it recognises that it’s not a level playing field,” says Alex. “For example, if you’re a commercial business, you might have more flexibility than a charity for spending on cyber security. We have been considering supporting the Law Centres with Cyber Essentials for quite some time, so when government funding became available for Cyber Essentials Plus, it was a brilliant opportunity to offer our members a certification process to industry standards.”
LCN has been through a significant period of digital transformation since 2016, when it received funding from the Legal Education Foundation to start a four-phased programme that saw participating Law Centres get a complete refresh of equipment, while IT services were consolidated into a centrally managed cloud network. Today, more than half of the Law Centres have followed this approach.
“The Law Centres Network was the first of the Law Centres to go through Cyber Essentials certification, and because of the consistency across our network, the charity was able to develop a set of guide answers which could be used as a starting point for the other Law Centres,” says Alex. “Of course, some of the answers are completely different for each centre, for example, some had landlord supplied internet connection and for others, [digital delivery partners] AspiraCloud manage the internet connection and network on their behalf.”
Adrian Edgar, Managing Director and co-founder at AspiraCloud, was instrumental in the four-phase cloud migration solution across many of the Law Centres. When the centres started to prepare for Cyber Essentials certification, he said, “the Cyber Essentials process was quite repeatable for each of the Law Centres and, allowing for a few tweaks depending on the setup of each centre, we were able to produce a guide template for each of the centres to follow.”
“Going through the Cyber Essentials process, we were able to update our policies to include all of the little bits that weren’t quite right or details we hadn’t thought about. There is always something small to fix that you would have otherwise missed,” says Alex.
“The certification process helps bring those issues and any associated risks to the fore and gives us an opportunity to think about how we want to manage them. So we’re really happy that we’ve been able to offer this opportunity to the network; it’s always good to have those independent checks in place. We are proud to say that at least four more Law Centres are going through the Cyber Essentials Plus process this year.”
Alex also points out the importance of Cyber Essentials in moving charities forward, even strengthening their ability to seek more funds.
“I do know that if a business or charity wants to win a government contract, Cyber Essentials is mandated as a prerequisite, and we are seeing this requirement start to become more and more commonplace elsewhere,” Alex states. “Perhaps it will be the norm, before long, that a cyber security certification is a requirement to work with the local authority. We have already seen a funder require Cyber Essentials for a member Law Centre who was asked for it when making a funding application and dealing with a debt service, and even for a financial audit. I think it just gives that reassurance that an organisation is running in accordance with the best practice that’s out there.”