As part of our Digital Leadership 101 series, we talk to Philip Anthony from CoopSys about Cyber Essentials, an industry standard certification that shows your charity is applying the latest standard to protect itself against cyber threats. Many public sector contracts and some quality standards are beginning to require accreditation.
Cyber Essentials accreditation for small charities
Hello, I’m Philip Anthony. I probably could be considered a veteran of the IT industry, having started work when PCs were just becoming the norm back in 1985 (yes, I’m that old!) and been part of it ever since.
I set up and I’m part of CoopSys, which is a 35-strong IT business that focuses on providing IT services, mainly to charities and similar sectors.
What is Cyber Essentials?
Cyber Essentials is a UK Government backed industry standard certification which, when completed, certifies that the organisation is up to the latest standard to protect itself against cyber threats.
These checks include ensuring the client is up to the industry standard for best practices, which include (but are not restricted to):
- regular password changes
- software / firmware updates on security devices
- best practices across all devices (especially Bring Your Own Device) to ensure data security
Data security is paramount in an ever-changing digital age, and hackers are thinking of new ways every day to breach or steal vital information. The Cyber Essentials certification greatly contributes towards ensuring the risk of data breach or theft is either eliminated or greatly reduced, simply by carrying out simple steps to bolster data security.
As a Managed Service Provider we are seeing more and more organisations looking to adopt these best practices as the industry moves further into the digital age, with many resources and applications being moved to cloud based technologies.
We have worked with organisations of all sizes across the UK to bring these into use - some multi-thousand user setups at the higher end where this is absolutely paramount, and many smaller organisations who require that extra peace of mind.
We believe every business should consider the benefit of enrolling with Cyber Essentials accreditation.
Why is it a good idea for organisations to work towards this accreditation?
The move towards embracing Cyber Essentials has come from a number of angles. Due to the ongoing news concerning hacks and data loss, groups and organisations of all sizes have started to realise they need to be more careful about access to their information to prevent breaches of confidentiality and financial loss.
The consequences of these range from loss of trust to having to close down, with resulting loss of jobs.
In parallel with this awareness, being able to demonstrate adequate care of data has increasingly become a prerequisite for getting funding and commissioning. Being Cyber Essentials certified is an easy way to show compliance.
In reality, historically (aside from the financial sectors) care of data and data access was relatively lax.
Being a staff member at any organisation would often give full access to all information (for those inclined to look for it), and for a hacker, remotely accessing it wasn’t that difficult.
It's fair to say that often people took less care of work access to information than they did for their own bank accounts!
A good way to imagine data security is to compare it to physical security:
- Is the information on the door step for all to read?
- Is the information behind a locked door?
- Behind a locked door with multiple locks?
- Once into the building is the information not obviously accessible or even more securely held in a safe?
- Or is the information so sensitive it needs to be held under specialist protection, similar to storing items in a bank vault?
As individuals and as organisations it's important to get the level of security right.
On the one hand it's right to spend appropriately to ensure data security, but on the other remember every pound spent on such back office activities is one less for front line services.
For example, in terms of the level of security needed, an individual or group running online booking of yoga sessions does not need to be as secure as one transferring money. So in terms of how important Cyber Essentials is to you, it’s often a question of what you do rather than how big you are.
Park Run, for example, has 3,000,000 members who run in parks. Perhaps stealing their member list might be useful if you sell training shoes but otherwise has probably limited use. Conversely there are quite small charities we know, perhaps 10 staff or less, dealing with under 100 cases a year, but the people they deal with are seeking refuge from violent partners and it's vital to ensure their location is kept confidential.
Whatever your size a fairly effective way to get security right is to imagine the worst case scenarios for a ‘customer’ of your service if there was a data breach.
Would they be likely to suffer financial loss? If so how much? Or would the loss of information you hold cause serious practical difficulties - would clients struggle to gain employment if it was known they were a drug user or had convictions?
Full Cyber Accreditation with its recurring costs may not be needed for everyone. However, carrying out an initial assessment so that you see where you stand versus other similar charities and getting recommendations is a very useful step.
How does Cyber Essentials accreditation work?
There are a large number of consultants able to assist you in embracing Cyber Essentials. In the charity sector we of course have CoopSys (and Superhighways) and several Cyber Essential certification bodies such as CyberSmart, ECSC and IASME. At CoopSys we’ve been using IASME, mainly as we’ve found them to be quite cost effective.
The process of Cyber Assessment and Accreditation usually looks like this:
- Initial audit assessing compliance against the Cyber Essentials checklist (for smaller groups typically a day or less)
- Summary of findings, along with an action plan of what is required. NB – full accreditation may not be needed
- Rectification steps carried out by the organisation, if needed with external technical assistance (typically 1-2 days)
- If certification is being applied for, submission of Cyber Assessment via online portal to Certifying body
- Answer queries and carry out any further steps needed by Certifying body
- Certification issued by Certifying body
- Rolling plan to ensure ongoing compliance agreed – eg monthly or quarterly brief checks, and set date for next full assessment.
Quick ways to fail your Cyber Essentials accreditation
Most of the organisations we work with would ‘fail’ assessment if they applied for Cyber Accreditation immediately. The most common weaknesses are:
- Password policies - weak passwords or passwords that are never changed
- Infrequent or no software or firmware updates, e.g. no updates on PCs or firewalls
- Poor control of Bring Your Own Device (BYOD) use e.g. no encryption or password needed to access organisation email on personal device
These fail points are common even in groups that have good internal or external IT support.
Often the reality is that time is not budgeted to do the updates needed and ‘custom and practice’ on data handling and access is lax. Previous easy-going approaches may have been perfectly adequate, but as hacking has become more prevalent, now is the time to get more secure.
Typical practical examples where better practices are needed:
- Staff are given no guidance on passwords, e.g. that the password must not be a real word, must be 7 or more characters, and must contain at least one number and one other symbol
- After the initial internet connection was set up the firewall and router have never been updated or settings checked
- Staff now use personal mobiles to access office email but have not been given guidance so they have not enabled encryption or passwords on their phones
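The password rule in the first bullet above (not a real word, 7 or more characters, at least one number, at least one other symbol) turned into a small checker that a charity could hand to whoever sets up staff accounts. This is an added example, not code from CoopSys or the original post; the word list is a constructed stand-in and in practice would be replaced by a full dictionary and a breached-password list.

```python
"""Check a candidate password against the policy quoted in the blog post.

Rules: not a real word, 7 or more characters, at least one number, and at
least one other (non-alphanumeric) symbol.  Returns the rules that fail so a
user can be told exactly what to fix.
"""
import re
from typing import List

# Constructed sample word list; a real deployment would load a full
# dictionary and a breached-password list here instead.
COMMON_WORDS = {
    "password", "welcome", "charity", "summer", "london", "letmein", "monkey",
}

MIN_LENGTH = 7


def is_dictionary_word(password: str) -> bool:
    """True if the password is a plain dictionary word, ignoring case and
    ignoring digits/symbols tacked onto the ends ('Password1!' style)."""
    lowered = password.lower()
    if lowered in COMMON_WORDS:
        return True
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return core in COMMON_WORDS


def check_password(password: str) -> List[str]:
    """Return the list of policy rules the password breaks (empty = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    if is_dictionary_word(password):
        failures.append("based on a real word")
    return failures


if __name__ == "__main__":
    # Constructed candidates: the post's own 'Password123' example plus three others.
    for candidate in ["Password123", "Summer!9", "correct-horse-7", "x1!"]:
        problems = check_password(candidate)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
```

The dictionary check strips leading and trailing digits and symbols before looking the word up, so the common habit of padding a real word to satisfy the number and symbol rules is still caught.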
The most common consequences of weak cyber security are:
- Email hacks – brute force / malicious attacks on cloud based services resulting in data breaches
- Email spoofing – hackers may use a technique known as “spoofing” to use any email address to contact users, resulting in potential identity theft / phishing attempts (see Superhighways' phishing blog for information on how to stay safe)
- Ransomware – attachments masquerading as “normal” files are in fact malicious code packages which when executed encrypt all data the logged on user has access to. This could also include critical system files if the program runs under an administrator level account.
A really key point is that good Cyber Essentials is not just a technical matter of applying updates regularly but also very much about better behaviours by individuals – moving away from ‘Password123’ being acceptable!
Download our Cyber Essentials checklist; a quick read through it with whoever looks after your IT should give a feel for how aligned you are.
What does the future hold for small charities?
Cloud based services and devices continue to get better every day. And there are more of them - take the example of the increase in people using their phones to make touch payments.
The need for everyday better Cyber practices will become the norm. In the same way that it would be seen as careless to leave your front door unlocked it will be seen as careless not to have at least PIN protected your phone.
On the downside, the need for Cyber protection is going to increase over time - the number of hacks we have witnessed has continued to increase. However, looking forward, both software and hardware will increasingly have Cyber protection enabled by default as standard, and this should reduce some of the day to day effort needed.
All groups should do a Cyber assessment annually, even if they do not need a formal accreditation.
A good time to do this is to tie it in with producing the annual report and accounts. Once groups have made themselves compliant, thereafter typically a maximum of a day's worth of work will be needed for ongoing assessment and tweaking.
Personal devices - the biggest threat
One of the most challenging areas is in the ongoing shift towards people accessing organisational information from their personal devices, laptops or home PCs. Often the same protections are not in place for these devices and there can be some resistance to the safety controls needed.
Being given the right to access group information carries the responsibility to ensure it’s done securely.
This blog has been produced as part of our Digital Leadership 101 series of training and advice for CEOs and trustees of small charities, funded by the Department of Digital, Culture, Media and Sport and run in partnership with The FSI, NAVCA and London Plus.