Vulnerable organisations to get free Cyber Essentials support

The UK’s National Cyber Security Centre (NCSC) is to fund free Cyber Essentials accreditation for some of the most vulnerable small organisations in the country, including charities and firms offering legal aid.

The Funded Cyber Essentials Programme is designed to offer small organisations in high-risk sectors practical support to establish and maintain a baseline of security controls, funded by the government and delivered via the IASME cyber assurance consortium, which co-created Cyber Essentials with the NCSC in the first place.

Data held by the organisations in scope – such as charities that work with children, domestic abuse victims or refugees – can be of an exceptionally sensitive nature, and such organisations are often operating on such shoestring budgets that cyber security considerations fall by the wayside.

“Charities and legal aid firms do incredible work supporting vulnerable people when they need it most, and that’s why it is vital they take steps to protect sensitive data,” said NCSC’s deputy director for economy and society resilience, Sarah Lyons.

“The new Funded Cyber Essentials Programme is a great opportunity for small organisations to gain free assistance with putting key cyber security protections in place,” she said. “I strongly encourage organisations to register so they can boost their cyber resilience and help reduce the chances of falling victim to a potentially damaging cyber attack.”

IASME CEO Emma Philpott added: “The Funded Cyber Essentials programme is aimed at some of the smallest and most vulnerable organisations in the UK. It is designed to encourage and support them to implement the minimum cyber security technical controls.

“Through the programme, IASME’s network of cyber security experts are able to use their skills to help those who need support most,” she said. “The programme aims to protect small charities and legal aid firms, and the sensitive data they hold, from common internet threats.”

Organisations taking advantage of the offer will receive 20 hours of support from an accredited Cyber Essentials assessor to help implement the five core technical measures that open up the NCSC’s Cyber Essentials Plus certification – these are firewalls, secure settings, access controls, malware and software updates.

While this support is free of charge, it should be noted that the cost of any additional software or hardware that the assessor may identify is needed to achieve Cyber Essentials will have to be met by the organisation itself.

Charities and legal aid firms with less than 49 full-time staff – excluding volunteers – can assess their eligibility and apply to take part in the scheme through the IASME website.

The launch of the programme comes as the NCSC prepares to make a series of small updates to the Cyber Essentials technical requirement, covering subjects such as firewall and router firmware, third-party devices, device unlocking, malware protection and zero-trust.

These updates themselves follow a major overhaul of the programme which began in 2022, and were designed to account for the rapidly evolving cyber security challenges faced by organisations, such as ransomware, and the uptake of public cloud services and hybrid and remote working.

A grace period for organisations to implement some of the new accreditation requirements – around support for thin clients, unsupported software and multi-factor authentication for cloud services – in order to retain their Cyber Essentials badges, is due to expire in April.