Charity Digital – Topics – How tech partners can support charity cyber security
Many charities work with contractors who offer an intermittent or regular service such as IT support, accounting, or any number of other roles. According to recent research from Charity Digital, seven in ten charities outsource some or all of their IT provision, with only 15% saying they have adequate internal resources to support their digital strategy.
Working with contractors, therefore, is vital for charities in a digital age, where technology can push organisations closer to achieving their mission. Though these contractors are not employees and, by and large, do not work on premise, they usually have accounts that access organisational data. That might be within the company network or via a cloud service such as Microsoft 365 or Azure.
Because contractors have access to your systems and data, it is important that they are not an afterthought when it comes to cyber security. Cyber Essentials, the certification scheme which prescribes five core controls that can protect against the most common cyber threats, states clearly that all devices that access organisational data and services are counted in its assessment. This includes any devices belonging to trustees, governors, volunteers, contractors, and personal devices (Bring Your Own Device (BYOD)) that access work emails and cloud services.
But how do you apply the Cyber Essentials controls to a contractor’s device? How can charities control things like the router firmware, the operating system, security updates and device locking on a contractor’s laptop?
The answer to these challenges have three possible solutions. Charities can:
-
Look for contractors with their own Cyber Essentials certification
-
Include contractors within their own certification assessment
-
Provide contractors with devices that are managed by the charity itself
Below, we explore these options in more detail, showing how charities can mitigate against cyber attacks and minimise the vulnerabilities that may come from working with third-parties.
Find out more about Cyber Essentials
This would mean mandating that all contractors working with your charity would need their own Cyber Essentials certificate. If a contractor is Cyber Essentials certified, you would know that the Cyber Essentials controls had been applied to their devices.
The accounts that the contractor are using, however, are owned by your charity and it is therefore your responsibility to ensure that the controls such as multi-factor authentication are applied to those accounts.
Cyber Essentials is generally considered the minimum level of certification for a UK organisation to prove that it is compliant with the basic controls that would prevent the majority of cyber-attacks.
If you are using a third-party IT provider, it is highly recommended that you look for one that is Cyber Essentials certified. This demonstrates to you that the provider is serious about cyber security as well as being fully competent and supportive when it comes to implementing the controls to your network.
You include the contractor and their devices and accounts within the scope of your own Cyber Essentials certification. Here, we outline the actions charities should take to ensure contractors match up to the five core criteria of the Cyber Essentials programme.
Devices and operating systems
You will need to provide the make of the laptop, computes, smartphones, virtual desktop that the contractor uses for accessing your organisational data or services. In addition, you will need to provide the edition and feature version of the operating systems used on those machines.
If you have an Microsoft 365 environment, you would be able to use the tools provided with the service to get this information.
Firewalls, routers, and VPNs
Most contractors will have a home router that is provided by their internet service provider and not your organisation. That means that the router and its firewall is not in scope for your Cyber Essentials certification, and you do not need to concern yourself with the router firmware or firewall rules.
The Cyber Essentials controls must be applied to the software or host-based firewall, installed on the contractor’s laptop or computer. Where your organisation does not control the boundary firewall, for example, in a coffee shop, hot desk or conference centre, the host-based firewall on the device will act as the boundary.
Your contractors may use a virtual private network (VPN). To meet the Cyber Essentials requirements, the only secure option is a corporate VPN which is a direct single tunnel that connects remote workers, including in this example the contractor, back to your charity’s office location, or to a virtual or cloud firewall. The corporate VPN must be administered by your charity so you know that the firewall controls have been applied.
Access control and passwords
Contractors will need to follow your charity’s password policy, this will include:
-
That all default passwords on all devices are changed
-
Each user requires their own username and password and there are no shared accounts
-
Details of the process to change passwords promptly if a user knows or suspects the password or account has been compromised. (Please note, in order to answer ‘yes’ to this question, organisations need to be aware of what constitutes a breach and be confident that contractors would recognise and report one.)
-
The importance of using different passwords for different systems
-
Guidance and support on how to create good passwords within your charity
-
The measures needed to protect accounts against brute-force password guessing
Your password policy can be achieved by giving guidance to your employees, volunteers and contractors and this can be as you see fit -through policies, procedures, training or technical controls.
Multi-factor authentication
When accessing cloud services where the accounts belong to your charity, in addition to a minimum length password of 8 characters, user identity must be confirmed with multi-factor authentication (MFA). Your contractors will need to use one of the following methods to authenticate their accounts:
-
Using a managed/enterprise device as an extra factor
-
Using an app on a trusted device as an extra factor
-
Using a physically separate extra factor
-
Using a known or trusted account as an extra factor
A Bring Your Own Device Policy
As your contractor’s devices are in scope for your Cyber Essentials certification, your charity will need to take some administrative control over them, treating them as Bring Your Own Devices ( BYOD).
Charities should therefore adopt a a BYOD policy, addressing the use of personal devices that connect to your organisational networks, and cloud services like Microsoft 365. The contractor/ owner of the device must understand and accept the terms and conditions of the BYOD policy.
Ideas to include in your BYOD policy
-
The Operating System and apps must be fully supported by the manufacturer and receive security updates
-
Software based firewalls must be activated and configured in line with the Cyber Essentials requirements
-
All critical and high security updates must be installed within 14 days
-
Cyber Essentials password controls are applied to users own devices (BYODs)
-
Users logging in on computers and tablets have a day-to-day account, and this is separate to the administrator account
-
The device automatically locks when not in use and requires a 6 digit or more pin/pass code to unlock, (use a biometric if available)
-
Anti-malware software is installed on Windows and Mac machines and kept updated. All other devices should use application allow listing in line with the organisations allow list.
-
Unused apps should be uninstalled
-
If lost or stolen, it must be reported to the charity promptly
-
Rooting or jailbreaking is not permitted
-
A remote erase and tracking app must be installed and activated so you can track a lost device, lock access and erase data. Obtain written consent in advance from the device owner to remote wipe the device in the event of loss, theft or termination of employment. (This suggestion is beyond the Cyber Essentials requirements.)
-
Clarify how, when and why monitoring will take place and require the device and passwords to be delivered up on reasonable request (This suggestions is beyond the Cyber Essentials requirements.)
Technical controls in a BYOD policy
Although all of your security requirements can be explicitly referenced in your policy and included in your SLA or contract, a written policy cannot substitute applying controls to a BYOD device; technical measures also need to be in place.
Some of the tricky issues such as managing security updates, software firewall rules, controlling unnecessary accounts, malware protection and application allow listing can be more effectively managed with a technical solution.
-
Container Apps or Managed Apps are types of software that separate the organisation’s data and personal data on the device and would enable the charity to limit monitoring and remote wiping to company data only.
-
Mobile Device Management software (MDM) allows you to monitor, manage, and secure employees’ mobile devices. There are different software models ranging in price.
-
Mobile application management (MAM) is software that secures and enables IT control over enterprise applications on users’ personal devices. MAM software allows IT administrators to apply and enforce security policies on mobile apps and limit the sharing of charity data among apps.
-
Desktop virtualisation software, such as Citrix, allows employees and contractors to securely access data stored on the charity network using their own device. Organisational data is accessed remotely and stays on a secure server. It may be necessary for staff to agree not to copy the charity data onto their own device.
If you are certifying to Cyber Essentials Plus, a sample of devices will be tested for compliance by an Assessor. Even if you are not going for the audit this time, you could always follow this approach and look at a sample as part of your management checks.
An alternative to mandating that your contractors are Cyber Essentials certified or including their personal device within your Cyber Essentials scope, is to provide all your contractors with devices that are managed by your organisation.
This would mean that you are in complete control of the devices and can dictate the technical controls that are in place to protect those devices to mirror those applied to all devices within your organisation.
Because these devices are owned and managed by your charity, these would form part of the scope of your Cyber Essentials assessment.
Option C is often considered as the simplest solution when working with contractors and offers you the most control over the devices that are interacting with your organisational services and data.
Providing equipment for contractors could have implications with tax; these rules can be difficult to understand, and we would recommend that you discuss this with your accountant or the HMRC.
With limited time and resources available to them, working with external contractors and suppliers is essential to keep charities up and running, delivering much-needed services for their beneficiaries. But with access to a charity’s networks and data, charities must also consider these third-parties within their cyber security, ensuring that any vulnerabilities that cyber criminals could exploit are closed.
The Cyber Essentials scheme provides a useful framework for charities to optimise their cyber security, allowing all stakeholders to be sure that the correct cyber security measures are in place to defend against a cyber attack.
A Cyber Essentials certification can communicate your commitment to keeping your audience’s data safe. It can also be the catalyst to help you improve your cyber credentials as you need to meet the certificate criteria.
To find out more about the Cyber Essentials scheme, click here.
link