We explore how Black Country Women’s Aid became cyber certified for the first time and transformed its cyber security
Charities of all sizes are at risk of experiencing a cyber attack. Whether they’re micro or super-major, charities are likely to be targeted by cyber criminals due to the wealth of data they look after and, in some cases, limited cyber security protocols in place to protect it.
Many charities have already risen to this challenge, and shown their commitment to cyber security through cyber certifications, such as Cyber Essentials. Cyber Essentials covers the five core elements of cyber security that can prevent a cyber attack – once an organisation has achieved those five core controls, they can become cyber certified.
Getting certified helps charities to take stock of their cyber security, show their constituents that they are protecting their data, and reduce the impact of common cyber attacks by up to 80%.
Nearly a fifth of charities said they had received a cyber security accreditation in 2021, according to a report by Charity Digital and the National Cyber Security Centre. But the reality is that many more are ready to take that next step and shore up their cyber protection.
Below, we explore the journey of domestic abuse charity Black Country Women’s Aid and discover how they became cyber certified with Cyber Essentials.
Black Country Women’s Aid is a charity that provides advice, support, counselling and accommodation to victims of domestic abuse, stalking, rape and sexual violence, forced marriage, exploitation and women who offend.
With humble beginnings around a kitchen table in Sandwell, it now has 180 employees working across multiple locations and is recognised not only locally, but nationally for its innovative models of practice.
The charity already received a high number of referrals from agencies such as local authorities, police and health professionals. But with that came an increased need to be confident and secure in the way information is handled and managed. Contracts with the Ministry of Justice and the Home Office meant that further assurance of that security was required.
“Although we were heading in the right direction, we needed some extra help to achieve these standards,” says Sara Ward, Chief Executive of Black Country Women’s Aid. “Cyber security certainly isn’t our expertise and the requirement for Cyber Essentials Plus took us to another level. The language of cyber security was new to us and therefore it felt necessary that we have some experts to help us improve and to achieve certification.”
The charity worked with an independent cyber security consultant, Chris Blunt, from Blunt Security, to identify gaps in its cyber protection. “We had many,” admits Sara. “Chris asked tough questions, and we didn’t always know the answer. But we worked through the challenges to find the solution.”
One of the issues Chris noticed was bespoke software systems running on legacy operating systems – these needed to be upgraded in order to plug potential vulnerabilities. Some of the methods for remote access through the organisation’s external firewall also had to be remedied to ensure that cyber criminals couldn’t exploit them to get in.
While gaining Cyber Essentials was a contractual requirement, Sara feels the charity is better as a result of the “gentle nudge”. The process has made the charity confident, stronger, more collaborative, and more transparent.
“It made us far more accountable and strategic,” she says. “We now have documented systems and procedures about some of the decision making and actions we take. We didn’t know that the system can work for us as well as working for others.
“Whilst initially apprehensive, I transformed from a reluctant technophobe to a willing and engaging participant and now enjoy reading and analysing the reports that enable us to better understand our work.”
That isn’t to say it was an easy journey to begin with. Sara acknowledges that it sometimes felt like a painful process, and she often questioned what they were doing.
“Did we have the resources? Would this be a tick box exercise? Was it worth it? Were we just satisfying a contract? Was this taking us away from what we do well – supporting victims of violence and abuse?”
But she reflects now that these questions were unfounded. “How wrong could I be?”
“Information in the wrong hands brings significant risk and could cost lives; security is not just about the location of the safe house, but also the information that we hold about our clients. We want to show trustworthiness not just to our commissioners, but also the people who come into our service. Their information is a precious commodity and we’ve got the systems in place to protect it.”
Now that Black Country Women’s Aid has achieved the Cyber Essentials Plus certification, Sara notes that other charities would reap the benefits of doing so too, and the charity has even offered to be a buddy for other organisations taking that next step.
“They too will have personal information about the people they support,” Sara says. “The hackers are always several steps ahead of us, leaving us vulnerable and at risk. We genuinely want to help others achieve certification and […] to help them identify funds to enable this to happen.”
“I’m proud to be the CEO of a charity where the trustees invested in this area of work, got the experts on board and supported the achievement. But it doesn’t stop there. At every level there is a commitment of staff wanting to know more, a real eagerness, a thirst for more training and development. We now own the responsibility and take responsibility because we do that with people’s lives every day - we should do the same with their data. It has been a challenging time but we are richer for it.”
For charities looking to become cyber certified and follow in Black Country Women’s Aid’s footsteps, IASME Consortium, which delivers the Cyber Essentials certification, has created a handy tool to help them identify if they are ready.
The Cyber Essentials Readiness Tool is an interactive website that takes you through some simple questions that address different parts of your organisation’s security.
Based on your answers, you will be directed towards the appropriate guidance on the five core controls and related topics written in non-technical language.
Like Black Country Women’s Aid, all charities can begin to hold themselves accountable for their cyber security and send the message to their donors, beneficiaries, and funders that protecting their data is important to them. Show them it’s certified.