Arts & Business NI, a creative membership network in Northern Ireland, has taken significant strides in cyber security by achieving Cyber Essentials Plus certification through the UK government’s Funded Cyber Essentials Programme.
We spoke to Mary Nagele, Chief Executive at Arts & Business NI who told us about the challenges faced by small charities and arts organisations in addressing cyber security, and the role of partnerships in overcoming these obstacles.
We also talked to Simon Whittaker, a Cyber Essentials Assessor and Cyber Advisor from Vertical Structure. Simon and his team were heavily involved with the funded programme last year in Northern Ireland helping small charities and organisations that provide legal aid services improve their cyber security and obtain their certification. The programme, aimed at small, vulnerable organisations, covers the cost of certification, as well as the fees for a Cyber Advisor to help them achieve Cyber Essentials Plus.
Cyber Essentials is an annually renewable certification consisting of five controls that will reduce the impact of the most common cyber attacks.
Cyber Essentials Plus is also an annually renewable certification based on the same five technical controls as Cyber Essentials, but also includes a technical audit of the IT systems to verify that the controls are in place.
Arts & Business NI is a creative membership organisation committed to forging innovative partnerships between the cultural and commercial sectors in Northern Ireland. “We have a growing network that includes 120 arts members who are primarily charities and 75 private sector business members. Business members benefit from creative training, expert advice and networking opportunities. Our arts members receive support in areas such as governance, fundraising, and sustainable income models to help them grow stronger and more sustainable for the longer term,” says CEO Mary Nagele.
“As a charity ourselves, Arts & Business NI has long recognised the importance of cyber security and was able to benefit from the synergy between culture and commerce at the heart of our efforts. With the help of two of our business members, Vertical Structure and IT service provider, Cirrus IT, since around 2020, we have significantly improved our approach to cyber security. Both members have provided ‘in kind’ assistance to us that certainly went over and above the Professional and Enterprise Development (PED) support provided in their membership.”
Initially, Arts & Business NI engaged in cyber security training and participated in ‘Exercise in a Box‘, NCSC’s free online tool that helps organisations test and practise their response to a cyber attack. The exercise led to an in-depth cyber health check facilitated by Vertical Structure. “This comprehensive review revealed potential vulnerabilities and led to the development of an action plan, which was incorporated into our risk register,” remembers Mary. “It was identified that an outdated on-site server and the use of personal laptops were significant vulnerabilities, and we were able to find solutions by transitioning to Microsoft 365.”
Cyber Advisors like Simon at Vertical Structure play a crucial role in ensuring small and medium organisations are proactive rather than reactive in their cyber security approach and when funding became available through the NCSC’s Cyber Essentials Funded Programme, Simon was able to assist small charities like Arts & Business NI to achieve their certification.
Mary recalls, “The Cyber Essentials certification process itself highlighted gaps in our security, for example, the exposure of personal mobile devices used to access emails, but we were able to secure those devices by implementing multi-factor authentication.“ She goes on, “We felt the opportunity to achieve Cyber Essentials Plus certification demonstrated our commitment to cyber security and gave an extra layer of credibility to us as custodians of good governance.”
Another benefit of certification has been to give confidence to their funders and members. “Our principal source of funding is the Arts Council of Northern Ireland,” says Mary. “Part of our annual funding bid assessment involves an evaluation of our governance systems, and our Cyber Essentials Plus certification certainly ticked a lot of those boxes.“
The challenge of managing cyber security on a fragile income model
The arts sector in Northern Ireland has faced a 40% funding cut over the past ten years, with many organisations operating on less than one-year funding contracts. The financial strain makes it difficult for charities to prioritise cyber security over essential operational costs.
Advice for Small Charities
Cyber Advisors are instrumental in raising cyber security awareness within the cultural sector. As a member of Arts & Business NI, Vertical Structure has presented at their annual governance conference and offered advisory work and awareness sessions, going on to guide several of the arts members through the Cyber Essentials program.
Cyber Advisor, Simon Whittaker says, “I encourage small charities to seek out the reputable advice and support that is available for free. A good place to start is the National Cyber Security Centre’s (NCSC) website which has numerous guides for small organisations and charities, there are many basic things you can do that will significantly improve your cyber security.”