Cyber resilience and the third sector - risks, challenges and opportunities: research report

This research has been commissioned to provide the Scottish Government with an insight into the current and future cyber resilience challenges of the Scottish Third Sector.


3. Review of current publications and research in the field

The present report is not the first examination and analysis of cyber security and the Scottish Third Sector. There are several industry-specific publications which explore and explain key cyber risks such as data breaches and ransomware, and their impact on social enterprises, charities and other organisations. A challenge identified by several respondents for this report is making those publications relevant and accessible to the Scottish Third Sector, in terms of both raising awareness and issues of jargon, for some of the smaller yet critical Scottish Third Sector service providers.

There are four prominent publications which fall into this category.

  1. 2022 ACOSVO report, "Not if, But When"
  2. Cyber Scotland's Incident Response Plan booklet and accompanying PPT presentation
  3. The SFHA's invitation to a learning programme on cyber security for housing associations
  4. The Scottish Government's Third Sector Action Plan, part of its larger Strategic Framework for a Cyber Resilient Scotland.

These four documents provide invaluable advice and suggestions for improving the cyber resilience of Third Sector organisations in Scotland. However, a recurring comment in the Cyber Catalyst project launch meeting and in approximately 75% of respondent interviews is that these documents did not "speak the language" of their target audience. Common phrases such as "multifactor authentication", "AV software" (meaning antivirus software), "incident triage" and "proxies" are important terms for cyber security in any sector, but create barriers to implementation for those not familiar with these concepts. The language and terminology used to engage the Third Sector in Scotland with cyber resilience tools, solutions and techniques must be made sector appropriate. This is particularly important for those organisations with high levels of service user management, such as care homes. This is not to say that the information contained in these and other publications is not useful. On the contrary, it simply must be made more accessible, and more effort must be undertaken to ensure understanding.

A second challenge evident in the current literature is repetition and replication. The publications highlighted above all provide good advice and solutions (jargon notwithstanding). However, a sizeable proportion of that advice is replicated across them. Examples include the importance of staff knowing where incident response plans are stored, and of having clear communications processes and reporting mechanisms. While these are important enough to emphasise, repetition and replication imply that each publishing organisation separately spends time producing and achieving the same results. This is inefficient and speaks to Challenge 4.1 of this Report: an overwhelming amount of information being published and pushed on the Third Sector. Greater effort to streamline and consolidate publications and communication processes would avoid replication and duplication, as well as information overload, thus ensuring messages are heard.

A final point evident in the current literature around cyber security and the Third Sector relates to academic publications. These are journal articles and books which examine the cyber challenges faced by the Third Sector in general, its position in wider cyber security responses, and its impact on digital society. It is not appropriate to undertake a traditional academic review of these publications; however, it is beneficial to point out that a great deal of academic work is being undertaken in this field. In 2022 alone, well over 20 journal articles were published around the world. While the majority of these examined the percentage of charities reporting incidents, or the use of fake charities in phishing operations, it would nevertheless be useful for policy makers to work with academic institutions to convert these published findings into practical policy solutions. This is a potential future project the SG and the Cyber Catalyst Group may wish to consider.

Contact

Email: CyberResilience@gov.scot
