Cyber resilience and the third sector - risks, challenges and opportunities: research report

5. Recommendations

5.1. Streamline cyber security communication

One of the most prominent and frequently occurring comments relating to cyber security in the Scottish Third Sector is that the sector feels overwhelmed by the range, breadth and scale of messaging it receives on cyber security and resilience threats, good practice and countermeasures. There is a vast array of regulatory, policy and governance publications from various entities of which Third Sector organisations are expected to note. In addition to the governance and compliance measures from regulators and auditors and the legal frameworks (particularly data protection) within which these entities operate.

While all of the organisations surveyed for this report acknowledged both the importance of digital and cyber security to their and Scotland's wellbeing, a constant refrain was that it was as great a challenge to identify which pieces of advice to pursue, or which regulatory framework with which to comply. Having a single or at least streamlined but reputable communication channel for all or as much information as possible would reduce the information overload currently experienced by many Third Sector organisations. This would also ensure that important information is not lost in the noise.

This report recommends that a single entity be selected as the "voice" of cyber security in Scotland generally, including for the Third Sector. This could be the Third Sector Catalyst Group (see Recommendation 5.5 below) or the Cyber Scotland Partnership which already has third sector representation. Further discussions would be needed to determine the most suitable representative body.

5.2. Streamline terminology

Another repeated comment in the respondent interviews was the need to use clearer and more succinct terminology, especially for the smallest Third Sector organisations. Term such as "cyber security" become progressively less meaningful, and there is a certain level of fatigue amongst many of the respondents when they hear the term. One of the main comments from the launch meeting for this project was that policy-makers and practitioners in general, and those working with the Third Sector in particular, should try to focus on the issues they are dealing with, rather than employ catch-all terms such as "cyber security" or "cyber resilience" that require a degree of technical understanding before progress can be made.

There are two parts to this Recommendation. First, a project should be undertaken to remove jargon from the field and identify how best and most effectively to refer to the various cyber challenges present. Terms such as "cyber security" are not effective when communicating threats, risks, and opportunities to the Third Sector in Scotland. Work is needed to identify what plain English terms would be most effective.

Second, once plain English for the sector is achieved, a central, trusted, verifiable and reliable conduit for messages, announcements, policy changes and recommendations should be established to streamline communications to the sector. This second point is elaborated upon in Recommendation 5.1 above.

5.3. Consolidate Scottish local authority tender requirements

One of the most challenging aspects of operating in the Scottish Third Sector is the variance between local authority digital requirements. As set out in Challenge 4.1 above, Third Sector entities operating in multiple local authority jurisdictions are required to meet different regulatory and compliance criteria for each area. This creates confusion and inconsistency.

It is therefore recommended that the Scottish Government, the Third Sector Catalyst Group and COSLA work together to create a single coordinated metric for the digital aspect of Third Sector service provision. Different regions will have different social needs, but the digital and cyber element of meeting those needs can be made consistent.

5.4. Establish an integrated "cyber assistance office" at the OSCR

The Office of the Scottish Charities Regulator already monitors and manages the activities of the c.25,000 registered charities in Scotland. Regulation of cyber resilience has been identified as an important benefit to the sector, to maintain consistency and improve/increase the resilience of the sector as a whole. Formalising the regulation of cyber resilience in the sector may centralise these efforts.

However, the role and function of this recommended entity should not be one of regulation in the traditional sense. Regulators examine the organisations under their aegis, and then provide recommendations for action/change, sometimes under threat of sanctions. A sanctions regime would not benefit the Third Sector in Scotland.

This report recommends changing the framework of regulation to be one of provision of practical assistance once issues have been identified. This would include not only advice on how to resolve a particular digital vulnerability but involve working with the organisations on a quasi-consultancy bases to take active steps to facilitate and action that resolution. The office should therefore not be labelled as a "cyber regulator", but "cyber assistance office".

There should be two specific areas of work for this office. First, an essential element of this assistance- and incentive-based regulatory regime would be the creation of off-the-shelf templates for policies, tools and procedures. Because it is often not clear what is expected of particular organisations, the OSCR should collaborate with other stakeholders such as the SG CRU (inter alia) to support the development of a baseline measure of resilience across the whole Third Sector and produce templates to achieve this. Current tools and metrics provided by organisations such as the NCSC are known, but not seen as relevant to the Sector. Sector-specific tools, potentially as simple as forms to complete outlining what to do in a particular, generic cyber situation, may be more beneficial. This would achieve a number of cyber resilience goals: a metric would be produced as well as specific practical steps to achieving that metric, and the Third Sector would benefit from practical guidance and activities in achieving those baseline security posture.

Second, the proposed "Cyber Assistance Office" (CAO) of the OSCR could also be the central point from which communications regarding cyber resilience in the Third Sector should be published (see Recommendation 5.1 above). This would resolve many of the communications and messaging challenges evidenced in the research for this report. This is not to say that the OSCR should be the sole creator of those messages. Instead, it should function as a conduit and moderator for those organisations such as the Cyber Scotland Partnership (CSP) who are routinely publishing on cyber issues.

It should be noted at this point that the CSP is a collaborative initiative dedicated to increasing and improving Scotland-wide cyber resilience. Its stated aim is to act as "a collaboration of key strategic stakeholders, brought together to focus efforts on improving cyber resilience across Scotland in a coordinated and coherent way^[8]

5.5. Formalise the Third Sector Catalyst Group for leadership and oversight, as well as incident reporting.

While the OSCR can provide a regulation-by-assistance service, leadership and oversight is needed for the sector in cyber resilience. It is recommended that the Third Sector Catalyst group be formally instituted as the entity for that leadership and oversight. Membership is currently informal, but many organisations from across the spectrum of Third Sector services take part. This makes the Catalyst Group an ideal entity for policy development, information-sharing, and leadership.

Communication of messages has been identified as a key challenge for the Sector. This incorporates both communication TO organisations FROM regulators, the Scottish Government and other entities, but also communication FROM the Third Sector TO these entities. A trusted mechanism for reporting cyber incidents affecting the Third Sector would bring greater clarity of the threats and risks faced, as well as (potentially) provide an incident response service. Currently, the Cyber and Fraud Centre Scotland (CFCS) provides an incident triage service that is open to all Scottish entities. However, within some third sector organisations it is unclear whether the CFCS provide a service solely to the private and public sectors. Additional research is required to examine whether there is an assumption that the CFCS service is for the private and public sectors only, or whether there are other barriers. Whatever the findings, this report currently recommends tasking a formalised catalyst group with being the incident reporting and response entity for the sector. This would ensure that important incident information is recorded, as well as providing response tools and suggestions from individuals aware of the nuances of the Third Sector.

That being said one of the key responsibilities of the proposed Scottish Cyber Coordination Centre (SC3) is to improve early warning and intelligence coordination. It is anticipated and expected that the SC3 would have a core role in supporting the Third Sector. A way to achieve this could be by the SC3 sharing information and intelligence summaries with the Third Sector Catalyst Group or other Third Sector representative network so that sensible, informed policy decisions can be made for the sector on the basis of sound evidence.

5.6. Implement a Single Supplier Framework or Trusted Partner programme for provision of digital assets

Where organisations are aware of their responsibilities and are in a position to implement internal cyber resilience or data protection policies, they are required to go to the open market for any tools platforms, software or other solutions to meet their requirements and those of their regulatory bodies. This is the case for several business areas including business development, cloud security, multifactor authentication or secure devices.

It is worth pointing out that this situation – the need to go to the open market for solutions – is not restricted to the Third Sector in Scotland. All sectors around the world rely on third party providers of key infrastructure solutions, whether those are device manufacturers, antivirus developers or office tools platforms. For this reason, this situation is not listed as a challenge facing the Third Sector, as it is universal.

That being said, Third Sector entities are often not able to afford the recommended or industry leading solutions. This leads to entities relying on free, open-source tools with limited functionality and little recourse should security issues arise.

This challenge is also not only restricted to security solutions, but to staff training and education. In one of the interviews conducted for this report, three diverse, separate entities were surveyed. When the semi-structured discussion turned to questions of internal staff training, all three organisations stated that they had used online platforms for this purpose. However, they had used three different platforms to achieve largely the same ends.

While this reflects poorly on the overlap and duplication in the open cyber security market, the systemic issue facing Third Sector entities in Scotland is "which provider to trust?". Without prejudice to the quality and comprehensiveness of the three third-party providers, the organisations surveyed all agreed that it was not an ideal situation, that each organisation had independently carried out reviews, for which there was a cost, to select a platform for internal training.

What was missing from this process was a) communication between the three entities to share experiences and b) a single trusted supplier which could potentially provide preferential rates to Scottish Third Sector organisations. An example of this exists already. One of the organisations surveyed stated that they had entered into a single supplier contract with a mobile phone network to supply devices and connectivity to all their workers. The network in question provides preferential rates to Third Sector organisations. However, this was not widely advertised, and the survey respondent advised that they had heard of this promotion during an industry online conference call and had decided to follow it up.

Third Sector organisations are often paralysed by choice and unsure which platform to choose over another. This report therefore recommends compiling a list of vetted third-party providers which Third Sector entities in Scotland would recommend for particular digital or cyber purposes. If possible, preferential rates for third sector organisations could be negotiated. The list could and should be maintained centrally for all organisations to access. If a single supplier is found to be a preferred provider, then a single supplier framework could conceivably by created, thereby removing questions of trust and reliability from the procurement processes of Third Sector organisations, be already cleared by regulators as a provider of services which meet compliance requirements and be potentially low-cost or subsidised by regulators and/or the Scottish Government. An example of such partnerships is the procurement of Microsoft 365 by the Digital Office for Scottish Local Government^[9].

It must be pointed out, that such a process does not eliminate cyber risks. It is a process for managing that risk that may be cost-effective as well as cyber effective.

5.7. Create new Third Sector specific accreditation

Throughout the research for this project, the concept of Cyber Essentials and ISO 27001, the UK and international certifications for achieving a base standard of cyber security, were routinely discussed. The general consensus was that having a certification was a positive measure. It allows organisations to advertise their skills and expertise, while at the same time providing a standardised structure for achieving a base-level of security in an organisation.

As set out in Challenge 4.3 and 4.5 above, the current system of certification is unsustainable and unaffordable for many Third Sector organisations in Scotland. The challenge is further exacerbated because, according to a number of Respondents, many contract clients now require either Cyber Essentials or ISO 27001 before awarding contracts for services. Additionally, as stated above, some organisations provide services in different Scottish local authorities with differing accreditation requirements, creating inconsistencies.

That being the case, a system of accreditation for Third Sector organisations, associated training and support, is perceived as a positive benefit for Scotland. This report therefore recommends the initiation of a Scottish Third Sector cyber security accreditation system based on a sliding scale of cyber security requirements and achievements. Precise details would require a separate consultation, but an example would be as follows (for illustrative purposes only):

• - Bronze level – organisation meets basic legal requirements including GDPR compliance and using recognised free antivirus software
• - Silver level – Bronze plus multifactor authentication on BYOD systems
• - Gold level – Bronze and Silver plus air-gapped servers, encrypted cloud storage and paid-for antivirus

Bronze level would be free to all applicants. Silver and Gold could be achieved for a fee.

The sliding scale would be accredited not just by an independent verifying organisation but be accepted by the various regulatory bodies overseeing the various fields of the Third Sector, such as the SFHA, OSCR and the Care Commission.

5.8. Greater specificity when allocating funding

As society recovers from the Covid 19 pandemic, the Third Sector in Scotland and the UK is struggling to fulfil its mandates given the cost-of-living crisis. As a result, income and funding are chronic issues for these entities. Many organisations do not have enough funds to carry out the services and functions for which they were established. This was a common refrain across the majority of respondent surveys. It is all very well for the Scottish Government, regulators and cyber security agencies in Scotland and the UK to push for more resilience in the sector, but without making funding available achieving this is a slim possibility.

While funding will always be an issue for Third Sector organisations, a requirement could be made in funding grants that a small percentage of any total be put towards cyber or digital security measures related to the activities the grant in intended to fund. Almost all activities conducted in any sector, not just the Third Sector, have some sort of digital component and so there would always be a role for increased cyber resilience measures.

Allocating funds with this proviso would have the effect of ensuring some money goes towards cyber security but would also highlight the fact that all activities have some sort of cyber or digital component to them.

5.9. Develop a single e-learning portal for Third Sector organisations and make it free at point of use.

Related to Recommendation 5.5 above is the recommendation to create and support an online platform for training Third Sector organisation staff and board members in cyber and digital resilience. This would negate the need for charities to go to expensive and inconsistent third-party providers, as was the case for three of the respondents. Topics covered would include issues such as cloud storage, recognising phishing, or multifactor authentication. What would separate this from some of the other offerings available in terms of training and executive education is that the topics and module content would be specifically geared to Third Sector experiences, priorities and goals. Throughout the entire research project, the different context in which the Third Sector operates as opposed to the private or public sector creates specific challenges not present elsewhere.

A number of organisations have service user board members, thereby necessitating specific training on the use of digital tools from a C-suite perspective, but without the pressure of a C-suite training workshop. Most Third Sector organisations cannot afford to supply their staff with dedicated laptops or mobile phones, so they are required to institute BYOD systems. There are a number of security risks associated with this which would be elaborated upon and mitigated in the training.

Crucially, any platform would require the input of Scottish regulatory bodies to ensure relevance and could have sections for general cyber security requirements based on legal requirements (GDPR, reporting e.g.) and then have separatee sector specific sections (housing, mental health etc.). this would mean that ALL Third Sector organisations in Scotland would have the same base line learning, and then be able to branch off to learn things relevant for them.

This e-learning platform could also be tied into the sliding scale of certification at point 5.7 above or even be the learning and teaching requirement for a single basic certification ("Digital Thistle Mark – Bronze").

Finally, the platform should be provided free of charge, but made a core component of regulatory audit and compliance such as cloud storage, recognising phishing or multi factor authentication.

5.10. Learn lessons from the NHS Scotland and NHS National Services Scotland Digital and Security experience

The NHS across all parts of the UK is routinely targeted by operators of malicious cyber incidents. The WannaCry operation of 2017^[10] and the Adastra ransomware operation of 2022^[11] indicate that complex, national digital infrastructures are an almost constant target for large-scale operations.

While there are a number of lessons to be learned from these incidents for the whole of Scottish (digital) society, one specific aspect is germane for the Third Sector in Scotland. Throughout the research carried out for this report, fully 100% of the respondents reported some level of concern, action or set of solutions for managing personal or private data, or a consideration for the requirements of data protection. A number of organisations stated that they or their members were acutely conscious of the need to ensure the security, confidentiality and integrity of highly personal, sensitive information on very vulnerable service users. The rapid switch to working-from-home and use of digital communications to conduct business pushed this issue even higher up the priority level.

As a result of the need to ensure compliance around data management and ensuring the confidentiality and integrity of often highly sensitive personal data, it would be of benefit for current and future policy makers to look at the examples set by large-scale national infrastructures such as the NHS, and examine the tools, processes, procedures and incident responses undertaken to mitigate cyber risk. Even where breaches occurred (WannaCry 2017 and Adastra 2022) there are lessons to be learned and positive messages for all entities entrusted with sensitive data. The NHS NSS Digital and Security department should be approached, if it has not been already, to provide guidance, mentorship or support to Third Sector organisations.