Charities of any size can experience a cyber breach. Around a third of charities in the UK reported experiencing some sort of cyber attack or breach over the last 12 months, according to the UK Government’s 2024 Cyber Security Breaches Survey.
Fortunately, there are measures that charities can take to mitigate against this risk. The Cyber Essentials certification scheme, delivered by IASME in partnership with the National Cyber Security Centre, centres around five core controls that will reduce the impact of common cyber attacks:
Firewalls
Secure configuration
Security update management
User access control
Malware protection
With these controls in place, charities can apply for the Cyber Essentials certification, allowing charities to take stock of their cyber security, communicate to their audiences how seriously they are taking it, and ultimately reduce the impact of common cyber attacks by up to 80%.
During October, which is Charity Cyber Security Awareness month, if you are a registered charity and you sign up and pay for Cyber Essentials between 1 and 31 October you will receive a discount on the price of certification. Working in partnership with selected Certification Bodies around the UK and Crown Dependencies, IASME will be offering free support and guidance to help charities achieve certification.
To test your knowledge on the five core controls that help protect against cyber threats, we’ve set six questions for charities to answer, helping them to understand more about how the Cyber Essentials requirements can help strengthen their cyber security.
Start the quiz below!
Question 1: Cyber security in the UK charity sector
What percentage of charities experienced a cyber breach or attack over the last 12 months, according to the 2024 Cyber Breaches report?
12%
22%
42%
Question 2: User access control
User access control regulates who can access your data and services and what level of access they have. Charities should only provide privileged access to people who need it for their roles, keep track of who has these accounts and regularly review these privileges.
For example, while an IT professional may have an administrator account, allowing them higher levels of control over devices and systems, a volunteer only has access to the digital tools they need for their day-to-day roles.
What actions can an administrator account take that a standard user account can’t?
Create, modify, and delete user accounts
Install new software
All of the above
Question 3: Malware protection
Charities can use anti-malware software to scan web pages and files when they are downloaded or opened, to identify and deactivate viruses or malicious software before it can cause damage.
Only approved applications should be used on each device. Organisations should have a robust approval process that includes keeping a regular list of apps that are allowed and what they can access.
What is an “allow list”?
A list of internet addresses, protocols, or applications that you know are safe to use and that you need to access
A list of approved email addresses which are safe and allowed through to your inbox unblocked
A list of devices permitted in a “Bring Your Own Device” policy – for example, those with up-to-date operating systems
Question 4: Secure configuration
Secure configuration refers to the way a computer is set up to minimise the ways a cyber criminal can find a way in. This includes the use of passwords, multi-factor authentication, and the removal of software and accounts that you do not use.
When an account is protected by a password alone, according to the Cyber Essentials requirements, what is the minimum length of that password?
12 characters
6 characters
10 characters
Question 5: Firewalls
Firewalls are like a security filter between the internet and your network and on your device. Firewalls check and monitor data in both directions as it moves through the network and can block or permit the data according to the predefined firewall rules.
Which of these statements about firewalls is false?
A firewall monitors network traffic and only allows connections according to a set of security rules
A firewall is a physical device
Most internet routers have a built-in firewall
Question 6: Security update management
Within a piece of software’s functioning life span, as soon as an error or ‘vulnerability’ is discovered, the manufacturer creates an update that will fix and close the opening to prevent its exploitation by cyber criminals. The process of applying an update is known as security update management or “patching”.
How soon should high risk and critical software updates be applied after their release?
When you next shut down your computer
Within 14 days or as soon as possible
Within 30 days
Answers
Answer 1: 32% of charities reported experiencing a cyber breach or attack in the previous 12 months, according to the 2024 Cyber Breaches survey.
Answer 2: Administrator accounts provide a high level of control over systems. Unlike regular user accounts, they alone are able to create, modify, and delete user accounts, install new software, and change system settings.
Answer 3: An “allow list” is a list of applications that you know are safe to use and that you need to access.
Answer 4: In most cases, 12 characters is the minimum length of a password or PIN code for Cyber Essentials. Exceptions include when unlocking a device (6 characters) or where multi-factor authentication is in use (8 characters).
Answer 5: The false statement is that a firewall is a physical device only. A firewall can also be a piece of software found in most common desktop and laptop operating systems.
Answer 6: All modern software will need to ‘update’ on a regular basis as part of its maintenance, ensuring that vulnerabilities are patched within 14 days of the update’s release.
You’ve completed the quiz!
Sounds like you’re ready for Cyber Essentials. Check out the Cyber Essentials Readiness Tool to understand whether the cyber security in your organisation meets the requirements for Cyber Essentials.