The Threat Facing Charities, Social Enterprises or Micro-Businesses.
The 'How Prepared is the Third Sector to Secure their Information' survey, conducted by IS Know How, found that 74% of respondents said their third sector organisation would not know if it suffered a data security breach. It also found that 83% of respondents said their charity does NOT use a strong password policy, yet 68% of those responding claimed to be aware of the gravity and effect that a data security breach would be likely to have on their organisation, including the resulting reputational damage.
IS Know How's CEO & Founder Robert Stones believes that:
Third Sector organisations are the next proving ground for many threat actors, due to the type and depth of data that they process and maintain. Add to this the personnel, legal and financial structure of most organisations, and they are unfortunately often a very soft target. Therefore, the sector deserves to have the very same best-of-breed data and cyber security resources at its disposal, tailored to their various needs, including sector-wide affordability throughout and the ability to mitigate the many threats going forward beyond the present.
How Cyber Essentials certification can help Charities, Social Enterprises and Micro-Businesses protect data
Penalties for Non-Compliance with the GDPR
On 5 April 2017 the Information Commissioner's Office (ICO) fined 11 major charities for data protection breaches, including Cancer Research UK, Macmillan Cancer Support and NSPCC. These fines totalled £138,000, but under the GDPR, which became enforceable on 25 May 2018, fines for the same conduct could be significantly higher.
The ICO said that some of the charities had been fined because they had:
Screened millions of donors so they could target them for additional funds, while others had traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And some traded personal details with other charities creating a large pool of donor data for sale.
The Regulation mandates considerably tougher penalties than the Data Protection Act 1998 (DPA): organisations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million, whichever is greater. Fines of this scale could easily lead to insolvency.
However, the ICO has consistently stated that fines are a last resort and that it prefers to take a proportionate approach where possible. That is not a cue to treat the GDPR with corporate ignorance or apathy: such an attitude is likely to be viewed dimly by the ICO, which increases your chances of a monetary penalty.
Data breaches are commonplace and increase in scale and severity every day. As Verizon’s 2016 Data Breach Investigations Report reaffirms, “no locale, industry or organisation is bulletproof when it comes to the compromise of data”, so it is vital that all organisations are aware of their new obligations so that they can prepare accordingly.
The five Cyber Essentials controls: Secure Configuration; Boundary Firewalls & Internet Gateways; Access Control; Patch Management; Malware Protection.
There are Two Levels of Certification.
There are two levels of Cyber Essentials certification available to your organisation: Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials
The Cyber Essentials certification process consists of a self-assessment questionnaire (SAQ) covering the adoption of the five controls, together with an external vulnerability scan of the organisation's externally facing IP addresses. The external vulnerability scan provides independent verification of your cyber security status and is only offered as part of a CREST-accredited Cyber Essentials certification.
Cyber Essentials Plus
The Cyber Essentials Plus certification includes all of the assessments for Cyber Essentials and adds a technical review of the organisation's workstations and an on-site assessment. Cyber Essentials Plus is a more thorough assessment of the organisation and, as a result, provides greater security assurance.
Why IS Know How have Partnered with IT Governance to Deliver Cyber Essentials!
IT Governance is a leading CREST-accredited certification body that has awarded hundreds of Cyber Essentials certifications already, including certificates to Action for Children, Barnardos, Core Assets Children’s Services Limited and The Poppy Factory.
This partnership allows Charities, Social Enterprises and Micro-Businesses to conduct the entire certification process online at an incredibly competitive price. The partnership also provides a choice of packaged solutions designed to help organisations of varying levels of experience and expertise through the scheme.
Benefits of Becoming Cyber Essentials / Plus Certified?
With Cyber Essentials in place you can focus on your core business objectives, knowing that the most common, commodity cyber attacks have been mitigated. You will also be able to drive business efficiency, save money and improve productivity by streamlining processes.
Achieving certification will also help you to address other compliance requirements such as the EU General Data Protection Regulation (GDPR).
Save Vital Funds
Managed Cyber Resilience as a Service (All-in-One Security) & Cyber Essentials
We have extracted key points from the Information Commissioner's Office EU GDPR guidance; do make use of them to improve your understanding of this critical matter and of the direction your organisation is likely required to take.
You may also be interested in the statistics that IS Know How has extrapolated from the ICO's quarterly Data Security Incident Trends, specifically for the 'Charitable & Voluntary' sector, covering "Data security incidents (breaches of the seventh data protection principle and personal data breaches reported under the Privacy and Electronic Communications Regulations)".
IS Know How and its Managed Cyber Resilience Service (All-in-One Security) are in no way endorsed by, or working with, the National Cyber Security Centre.
Where clients choose to take MCRS for their organisation, ISKH assists with preparation for a Cyber Essentials application by helping them meet the '5 Key Controls' that any such application requires.
ISKH does not imply or guarantee that Cyber Essentials certification will be awarded when you submit your application through your chosen certification body because you have purchased our MCRS service.