
A CharityConnect User Posted 7 years ago

CharityConnect: Cyber Essentials & Charities - is it fit for purpose?
Cyber Essentials is a Government-backed scheme offering accreditation to organisations who are able to 'tick the boxes' on certain criteria surrounding their cyber security and protection of data.
I was prompted to write by a recent article - Charities must ‘better plan to mitigate cyber risks’, which does highlight that there isn't a charity-specific scheme similar to Cyber Essentials.
It is however important to realise that the scheme isn't foolproof, and that charities shouldn't be complacent if they have taken this route and gained accreditation. It isn't the whole solution.
The scheme was set up in 2014; however, at the time one of the main reasons for its existence was to protect the Government and its data. Since October 2014, certification has been required for suppliers to central UK government who handle certain kinds of sensitive and personal information. Arguably in the space of less than three years it is already outdated, assuming of course that it was really robust enough at the outset...
The focus therefore of the scheme isn't about protecting your organisation as a whole, and this is demonstrated by the five 'technical controls' that it tests;
  • Boundary firewalls [to prevent unauthorised access]
  • Secure configuration [setting up systems securely]
  • User Access control [restricting access to those who need it]
  • Malware protection [i.e. using anti-virus software]
  • Patch management [i.e. updating software]
Although these are important, they don't address some of the key considerations, including (but not limited to);
  • Internal Culture. Staff training and awareness of new threats and good practice
  • Vulnerability Testing. Do you have the opportunity to test your current protections in place, particularly where the threats involved continue to change at great pace?
  • Incident Management & Disaster Recovery. How do you manage an incident? How do you find out what has happened, what data may (or may not) have been taken, destroyed or encrypted, and how do you get it back? Who do you need to notify (becoming more important with GDPR in May 2018)?
  • Reputational Risk. How do you manage a potential breach with key stakeholders and those who may be affected - staff, volunteers, service users, suppliers, regulators (the ICO, Charity Commission, OFSTED etc.) and then of course the media?
Although insurance is becoming increasingly important, it can only be a partial answer in the management and control of what is a considerable risk to the majority of charities, whatever their size.
Whether you rely on in-house support or a third-party IT provider, are you reassured that the protection in place is adequate - particularly given the level of technical knowledge required to even just wade through what can be confusing jargon?
Please contact me if you would like to know more about protecting your charity, and the cost-effective solutions that Hettle Andrews' risk management team can offer. These include independent cyber risk assessments/audits, vulnerability testing, disaster recovery planning and also scenario testing.
With many thanks