Cyber resilience and the third sector - risks, challenges and opportunities: research report

This research has been commissioned to provide the Scottish Government with an insight into the current and future cyber resilience challenges of the Scottish Third Sector.


2. Introduction

Social enterprises represent an influential sector of commerce that are imbued with notable characteristics that make them not only susceptible to cyberattack but also the organization and the individuals with whom they engage have the potential to be harmfully impacted by their effect[3]

In 2022, it is recognised that we live in a highly digital and digitalised world. While changes were taking place to the way people lived their lives, with more and more interactions taking place on digital devices, the Covid-19 pandemic sped up that change. Many people had to work or study from home, or to live their lives at home due to furlough and lockdown requirements. Cyber security and cyber resilience, already a strategic priority for Scotland, were pushed further up the policy ladder with the publication of the Strategic Framework for a Cyber Resilient Scotland[4]. More and more people needed to be aware of cyber security risks and opportunities.

It is already acknowledged that the Third Sector in Scotland not only plays a vital role in providing crucial services to society, but that the Sector is just as vulnerable to cyber risks and threats as the public or private sectors. According to figures from the IASME corporation, nearly a quarter of charities reported breaches of one form or another on a weekly basis[5].

Despite this explicit acknowledgement, however, the Third Sector in Scotland has faced a number of challenges to developing and improving its cyber resilience posture. The Scottish Government and other agencies promoting a cyber resilient Scotland have conducted a range of activities in recent years, including workshops, seminars, public information campaigns and focus groups, in attempts to raise awareness of cyber risks in Third Sector organisations and to increase sector resilience. To date, these activities have met with mixed success.

Dewar Cyber Consulting Ltd. (DCC) has been tasked with conducting research on behalf of the Scottish Government's Cyber Resilience Unit on cyber resilience challenges within Scotland's Third Sector. The objective of this research is to identify what practical steps can be taken to assist the Third Sector in Scotland to increase its cyber resilience. Analysis and research have been conducted before, and Third Sector entities have been surveyed in the past. The purpose of this present research is to collate these previous activities and distil practical and actionable solutions, augmented by further engagement with Third Sector representatives, rather than propose abstract or esoteric policy guidelines.

To that end, the project has three key deliverables:

1. an initial standalone workshop at the third sector catalyst group hosted by the Scottish Government and DCC. This was conducted on 31 May 2022 in Edinburgh

2. a publication comprising academic-quality research (this present report)

3. a closing seminar/workshop for the launch of the publication in 2023

As stated above, the main objectives of this project are to provide the Scottish Government with a piece of applied policy research examining the current state of cyber resilience in the Scottish Third Sector and to identify key opportunities and challenges for development. This includes identifying the needs of the sector as a whole and its constituents and providing effective, practicable and reasonable recommendations for actions to improve the cyber resilience posture of the Third Sector in Scotland.

A series of semi-structured interviews identified five prominent challenges facing the Third Sector in Scotland. Chief amongst these was a lack of consistency in messaging and regulatory compliance requirements, which hampered even the best efforts of Third Sector organisations. Respondents reported feeling overwhelmed by the amount of information being provided to them and being inundated with threat analyses from numerous different agencies. In addition, different local authorities across Scotland have different cyber resilience requirements in terms of certifications or infrastructure, which causes problems for those Third Sector organisations operating in numerous authorities. What is required in one region is not required in another. This makes ensuring compliance very difficult and costly to achieve. One of the most prominent recommendations in this report is the establishment of a central "voice" for cyber security in Scotland – ideally for all sectors, but in the first instance particularly for hard-to-reach demographics such as the Third Sector. As will be explored later in this report, the Cyber Scotland Partnership already has Third Sector representation, so could potentially take this role.

Additional challenges arise when cyber security agencies publish guidance, advice and information which utilises significant amounts of technical jargon. With the best will in the world, many organisations simply have not had enough training and education to assimilate this technical detail. This is particularly the case for those organisations with service-user board members. Ensuring cyber security remains a board- or C-suite level policy concern is a strategic goal for Scottish authorities and cyber security agencies but is a challenge for board members who are also Third Sector service users. One of the core recommendations presented here is to simplify the language of cyber security, not to dumb it down, but to make it more accessible. This improvement in language combined with a single voice for cyber security information would alleviate many of the challenges of comprehension and accessibility.

Another significant barrier to increasing cyber security and resilience in the sector is the perception in that sector that policy-makers, legislators and national cyber security agencies do not take enough account of the context of the Scottish Third Sector. The sector is not homogenous, and different organisations, even those operating in the same service user space, often have very different operational requirements and digital needs. A significant issue is funding. While a lack of income, particularly during the 2022 cost of living crisis, affects all aspects of Third Sector operations and often requires brutal spending choices, a number of mechanisms being promoted by national agencies, such as accreditations, carry ancillary implementation costs that Third Sector organisations simply are not in a position to meet. Making certification and compliance fit for Third Sector purposes would go a long way to recognising the specific contexts of the Third Sector.

This report sets out a number of specific recommended actions policymakers and legislators should implement in order to take account of that context. One size does not fit all when it comes to achieving cyber security or cyber resilience, and nowhere is this more true than in the case of the Third Sector. Accreditation and certification regimes must be made fit for purpose or made anew with specific reference to Third Sector organisations. The terminology used must be relatable and comprehensible, particularly for service user board members tasked with taking important decisions for the organisations they represent. This recognition of context goes both ways, however. Funding is being made available for core activities. One recommendation in this report is that any funding allocation include a portion set aside for digital or cyber tasks. This would reinforce the message that every aspect of society in 2022 has a digital or cyber component, and would ensure that a fraction of funding is reserved to address it.

This report is constructed as follows. Chapter three sets out the research methodology employed to gather data for analysis. Chapter four includes a list of the Third Sector entities interviewed, demonstrating the cross-sectional analysis required to make effective recommendations.

Chapter five of the report examines the current literature and publications relating to cyber security in the third sector. While not a literature review in the traditional academic sense of the term, it makes the point that there is a great deal of academic study of the problem being published but not captured in policy. This is something decision-makers may wish to consider.

Chapter six of the report sets out five specific challenges facing the improvement of cyber resilience in the Third Sector in Scotland:

1. Lack of consistency in key areas of operation

2. Board level experience and knowledge

3. Current UK and international certification requirements not suitable for the Scottish Third Sector

4. Language and terminology must be adapted

5. Funding needs to be more creatively allocated

Chapter seven sets out ten practical actions for decision makers to implement in order to meet those challenges.

1. Streamline cyber security/resilience communication for the Third Sector

2. Streamline terminology and reduce jargon

3. Consolidated and coordinated local authority cybersecurity requirements

4. Establish an integrated "cyber assistance office" at the Office of the Scottish Charities Regulator, or similar umbrella organisation

5. Formalise the Third Sector Catalyst Group as an information exchange and reporting authority

6. Implement a Single Supplier or Trusted Partner Framework for digital and cyber tools for the Third Sector

7. Create a new Third Sector-specific accreditation with manageable expectations

8. In any funding grant, stipulate a portion or provide additional funding for cyber-related measures

9. Develop a free or reduced cost e-learning portal for Third Sector organisations

10. Learn lessons from the NHS digital and cyber security departments

2.1. Methodology

This project was conducted using recognised academic research principles and tools. Following initial and project-launch discussions with the Cyber Resilience Unit of the Scottish Government (SG CRU), a project scope was agreed which enabled research tools and techniques appropriate to this level of analysis to be deployed.

Following project initiation, the most important aspect of the research was fieldwork. This comprised a series of semi-structured interviews with senior staff and decision-makers in Scottish Third Sector service providers, umbrella organisations, compliance auditors and regulators. The objective, agreed with the SG CRU, was to conduct and achieve a cross-sectional analysis of cyber resilience issues, challenges, and requirements across the whole of the Scottish Third Sector, including regulatory bodies, not just front-line entities.

Once an initial respondent list was agreed with the SG CRU, DCC Ltd reached out to Third Sector entities to secure interviews with introductions from the CRU. These were conducted online using MS Teams. Once interviews were secured and conducted, a snowball process was utilised to encourage and gain further meetings.

The interviews themselves were conducted using "semi-structured" techniques. Semi-structured interviews are conducted in a formal environment with a set of pre-determined questions, but which allow additional or supplemental questions to arise during the conversation[6].

Where permission was given, the interviews were recorded. On completion of each interview a transcript was produced, and the text was uploaded into NVivo computer-assisted qualitative data analysis software. This enabled common themes and views to be identified and correlated. This research process was developed by Dr Robert Dewar for conducting large scale policy analysis while at the University of Glasgow[7].

2.2. Organisations interviewed

The project parameters required a minimum of 10 Third Sector organisations be interviewed for the project. This total was to include membership and umbrella organisations, and those entities with a direct interest or mandate for operating with front line Third Sector entities.

On completion of the fieldwork component of the project, a total of twelve organisations were successfully interviewed. These were:

  • Scottish Federation of Housing Associations (SFHA)
  • Scottish Social Services Council (SSSC)
  • Association of Chief Officers of Scottish Voluntary Organisations (ACOSVO)
  • Lead Scotland
  • The UK National Cyber Security Centre (NCSC)
  • Scottish Council for Voluntary Organisations (SCVO)
  • Office of the Scottish Charities Regulator (OSCR)
  • Glasgow Council for the Voluntary Sector (GCVS)
  • Turning Point
  • Coalition of Care and Support Providers in Scotland (CCPS)
  • Aberlour Children's Charity
  • Sight Scotland

Interview subjects were drawn from C-suite decision makers and directors of IT or operations, indicating a high level of interest and engagement with the project, the seriousness with which cyber security is taken in the Third Sector, and the level at which decisions are made at the entities surveyed.

Contact

Email: CyberResilience@gov.scot