Cyber resilience and the third sector - risks, challenges and opportunities: research report

4. Findings: Challenges facing the Third Sector

4.1. Lack of consistency in key areas of operation causing significant bottlenecks

There are several areas where a lack of consistent approach is causing significant bottlenecks for the Third Sector to achieve or improve cyber resilience. Several respondents reported feeling overwhelmed with the amount of information with which they are being provided, as well as receiving that information from a range of sources. Regulatory bodies, government entities, local, regional, and national cyber security, and resilience entities all routinely publish material, advice and guidance, much of which does not speak to the specific contexts in which the Third Sector operates. Sifting through this wealth of information is, as some of the respondents noted, almost a full-time job.

While the respondents note that the information is often useful and always well-intended, it is counter-productive, particularly for the smallest Third Sector entities. The message that cyber security and resilience in Scotland is something we must all be a part of is being lost, not due to malice or unwillingness to play their part, but simply due to lack of capacity on the part of these smallest entities to engage in any meaningful manner with the subject: they simply have other more pressing and pertinent priorities. As a result, cyber, digital, information or computer security is an afterthought. This is not to say that there are no risks, or that staff are ignorant or burying their heads in the sand. It is simply that there are other more pressing concerns.

One of those concerns is juggling the complex web of regulatory compliance and local authority requirements in Scotland. Many Third Sector organisations operate nationally across Scotland. While this has an impact, it requires these organisations to navigate different local authority regulatory frameworks. Respondents noted that this is particularly problematic when it comes to cyber security certification requirements, such as Cyber Essentials or ISO 27001. One respondent noted that in one local authority in which they operate, Cyber Essentials is desirable but not mandatory for that organisation to provide their service. However, in another area, the same organisation is required to have verifiable Cyber Essentials certification to provide the same service. This inconsistency provides barriers not only to the engagement of Third Sector organisations with particular local authorities, but prevents them from expanding their services.

This lack of consistent frameworks of operation is also reflected in internal processes, particularly as regards regulatory compliance. One umbrella organisation surveyed for this report noted that, due to their members providing a range of care services, they are legally required to comply and be audited by two if not three national regulatory bodies depending on the service being provided. This has the result that two sometimes three regulatory compliance frameworks clash when it comes to data, digital and information security. Work carried out to ensure compliance with one regulator must sometimes be repeated or undone in order to comply with another regulator. Streamlining regulatory compliance would significantly improve Third Sector organisations' capacity to provide their services by reducing red tape.

4.2. Varying levels of board level experience and knowledge in Third Sector

An unexpected finding came about when discussing senior and board-level decision making in Scottish Third Sector organisations. Cyber security needs to be a priority at board level across the public, private and Third Sectors. However, many Third Sector organisations, particularly social care providers, have tenant or service user board members and leadership. This is a challenge for pushing internal policy due to lack of awareness and knowledge of external threats and internal infrastructure or prioritisation when faced with more pressing social challenges. Survey respondents and the authors of this report are at pains to point out that this is not meant to be a judgement of the understanding and capability of board members. Rather, it reflects the fact that many if not most are not cyber security specialists and have a vested interest in ensuring basic services are provided and supported, rather than digital infrastructure. One respondent elaborated that in board meetings with service users, it is challenging to explain the global cyber resilience risk landscape in a way which conveys the importance of protecting against those risks, without fearmongering or providing lectures on the technicalities of cyber and digital security solutions.

This report hypothesises that this may be another reason for the perceived lack of uptake of cyber resilience and cyber security measures and advice in the Third Sector: board-level decision makers are choosing to prioritise other aspects of Third Sector service provision over cyber issues, not just because of funding (see Challenge 4.5 below) but because this is a completely new and different way of living and thinking, with new and different challenges of which they were never aware in their personal lives.

4.3. Current UK and international certification regimes do not suit Third Sector

Cyber Essentials and ISO 27001 are increasingly becoming required certifications for a range of entities operating in Scotland. For private and public sector projects and contracts, these programmes are becoming standard attainment targets for contractors. According to a number of respondents, the same is true for Third Sector organisations. This is a significant challenge and hurdle for these organisations, particularly the smallest entities which provide the most niche services.

The concept of cyber security and cyber resilience certification as a proof of compliance or adherence to a minimum standard is not one with which respondents disagreed. Issues with certification arose during discussions about the level of technical knowledge and understanding required before an organisation attempts assessment. ISO 27001 is out of reach for almost all Third Sector organisations operating in Scotland save the largest, primarily due to cost (See Challenge 4.5 and Recommendation 5.7 below).

However in some areas of the third sector even Cyber Essentials is an almost insurmountable challenge when completing self-assessment. Many smaller organisations, which in turn are often the most vulnerable to cyber incidents, are simply not technically able to engage with the questions and provide answers which would pass assessment; the certification is too advanced for the organisation. This would be less of challenge if certification were not becoming a requirement for many organisations to bid for or provide service contracts. Because Cyber Essentials is being seen as the minimum standard for cyber resilience capability, many contract clients are insisting on service providers demonstrating they have the certification.

Many small organisations are simply unable to meet these criteria but are nevertheless expected, encouraged and in some cases required to achieve these certifications without any support for meeting assessment criteria from a technical or staff capability perspective. Both are costly, require a significant amount of a priori knowledge of computer and digital systems, and there are significant ancillary costs associated with installing systems and infrastructure which meet the basic criteria.

While Cyber Essentials is therefore suitable for the private and public sectors, it does not fit the idiosyncratic contexts of the Third Sector and is proving to be a barrier to improving the level and understanding of cyber resilience in this sector.

4.4. Language and terminology a barrier to the Third Sector achieving cyber resilience

One important recurring theme in the research is the problem of jargon and the (over)use of the prefix "cyber". The overall consensus is that reducing the amount of jargon in current messaging, changing the terminology and simplifying messaging would greatly improve communication to and within the sector. While the prefix "cyber" is a commonly used term in policy, research, the private and public sectors and the media, it is a counter-productive term when used both in the context of the Third Sector itself and in measures intended to raise awareness of cyber challenges in the sector.

The basic challenge is one of comprehension. There is a substantial body of literature, and an entire academic sub-field, devoted to answering the question "what does 'cyber' mean?" The problem is amplified in the Third Sector in Scotland with a number of respondents asking that same question. Because there is a lack of consistent understanding of what cyber security actually is, many messages and recommendations for, e.g., good cyber hygiene are not hitting their mark. This leads to confusion around what is expected of the sector from regulators and the Scottish Government.

This absence of consistent understanding is exacerbated by the fact that "cyber" has become a fear-laden term. The prevailing narrative from official and news-media channels provokes and promotes a climate of fear of imminent digital disaster (cyber Pearl Harbour) or of cyber criminals constantly trying new and innovative techniques to steal things. The term "cyber attack" is routinely used to refer to any malicious incident, large or small, with little to no context provided. As a result, the message being sent out and received is that we are all about to be victims of a cyber attack of apocalyptic levels, when in reality we may be targets for theft or abuse this is not meant to belittle these threats. The point here is at there are many steps that can be taken to avoid or mitigate them, but this message is not being heard.

The final challenge highlighted through the use of "cyber" is that it leads to assumptions that cyber security/resilience is solely an IT issue rather than a social issue. This results in smaller organisations and those without in-house IT teams assuming that it's not a problem for them. The message that cyber security/resilience is vital for everyone using the internet is not getting through.

4.5. Funding

Third Sector organisations are often short of funds to achieve their aims. This means that tough decisions have to be made about where to allocate finite financial resources. 11 of the 12 interviews specifically mentioned funding as a barrier to the Third Sector improving, achieving or working towards better cyber resilience. This challenge came in many guises. The most common comment was around prioritisation. Third Sector entities have only a finite amount of money to spend on all their activities, including staff, infrastructure and the services for which they were established.

Setting aside the question of budget priorities however, there were a number of important points made when the conversations turned to finances and funding. Due to the semi-permanent changes in working practices caused by the Covid-19 pandemic many organisations are instituting home or hybrid working as standard.

The public and private sector have a level of capacity to finance this societal shift. However many if not most Third Sector organisations across Scotland struggle. Not only do organisations not have the resources to provide all staff with the latest secure laptops or mobile phones, many employees and staff do not own high-spec devices of their own. While Bring-Your-Own-Device (BYOD) is becoming more and more prevalent, those devices are themselves often insecure, in part due to a lack of understanding on the part of the staff members themselves, but also due to the staff not being able to afford a new laptop or secure internet connection.

The hidden additional costs of secure digital working extend to certification regimes such as Cyber Essentials or ISO 27001. Both Cyber Essentials and ISO 27001 are expensive processes to undertake. The cheapest rate for Cyber Essentials is that for micro-organisations (0-9 employees) and is £300+VAT. For some Third Sector organisations this is insurmountable when set alongside standard running costs or the costs of providing the services for which they were established. Furthermore, should an organisation undertake the Cyber Essentials certification, pay the fee but fail the assessment, they have 48 hours in which to carry out any remedial actions before being required to pay the fee again for an additional assessment, with no guarantee of passing. The certification must also be annually renewed. For ISO 27001, costs start at around £3750 for an organisation of 1-45 employees. These costs are in addition to the costs involved in acquiring, upgrading, and installing the technological and digital solutions necessary to pass the assessments. For obvious reasons, certification is therefore not a priority for many small and medium-sized Third Sector entities.

The final frequently occurring comment around funding is that many of the sources of assistance are grant-based. While this is welcome, many of these schemes are one-off, with little to no continuity of support. As one respondent pointed out, if society wants the Third Sector to be cyber resilient, then it must invest in this as an ongoing process, with continuous support, not a fire-and-forget mentality of one-off grants.