Cyber resilience and the third sector - risks, challenges and opportunities: research report

1. Executive Summary

In 2021 the Scottish Government published its revised Strategic Framework for A Cyber Resilient Scotland. Instead of addressing cyber security separately by sector, the Scottish Government sought to create a unified approach to cyber resilience and promote the understanding that cyber resilience requires holistic solutions, not silos. The Strategy therefore contains not just strategic objectives for policy and legislation, but measures and recommendations for the public, private and Third Sectors in a series of collated action plans^[1]. For the Third Sector, the Framework set out 20 actions divided into seven overarching aims to improve, increase and promote cyber resilience.

The charitable, social and not-for-profit enterprises comprising the Third Sector provide highly specialised services in Scotland, and the UK in general. As such it is a vital part of society. However, it is not immune to cyber risk. Due to the rapid digitalisation brought on by the Covid-19 pandemic, all sectors of society have become increasingly vulnerable to cyber risk. The Third Sector in Scotland has experienced its fair share of malicious cyber activity, one of the most prominent being the SAMH incident of 2022^[2].

In autumn 2022 the Scottish Government commissioned Dewar Cyber Consulting Ltd (DCC), an independent Edinburgh-based cyber security consultancy, to conduct applied policy research to examine the challenges faced by the Third Sector in Scotland, examine the impact of the Strategic Framework and to provide practical, specific steps for action to develop cyber resilience in the third sector. On completion of the fieldwork for this project, DCC has identified the following five overarching challenges and makes 10 recommendations:

Challenges

1. Lack of consistency in messaging from regulators and government, as well as lack of consistency in regulatory frameworks

2. Variable degrees of board-level experience and understanding of cyber risks

3. Current UK and international cyber resilience certification systems not fit for many Third Sector purposes

4. Use of cyber-industry terminology and jargon is a counterproductive barrier

5. Funding to support cyber resilience across the third sector

Recommendations

1. Streamline cyber security/resilience communication for the Third Sector

2. Streamline terminology and reduce jargon

3. Consolidate and coordinate local authority cyber security requirements

4. Establish an integrated "cyber assistance office" at the Office of the Scottish Charities Regulator or similar

5. Formalise the Third Sector Catalyst Group as an information exchange and reporting authority

6. Implement a Single Supplier or Trusted Partner Framework for digital and cyber tools for the Third Sector

7. Create a new Third Sector-specific accreditation for minimum levels of security with manageable expectations

8. In any government funding processes stipulate the requirement for embedding cyber resilience measures, and fund this stipulation accordingly.

9. Develop free or reduced cost cyber resilience e-learning resources for Third Sector organisations

10. Share lessons learned from cyber security incidents.