BACKGROUND
Founded in 1950 by Sir John Wilson, Sightsavers is an international development charity that works to prevent sight loss and fight for disability rights in some of the poorest parts of the world. One of its outstanding achievements is to have been involved in delivering a billion eye treatments to tackle neglected tropical diseases.
Outside of the staff employed in its head office in Haywards Health, Sightsavers has over 350 staff working in 30 countries, predominantly in sub-Saharan Africa, as well as Asia. One of Sightsavers’ principal donors is the UK Foreign, Commonwealth and Development Office (FCDO) and it was a requirement set by the Office in 2017 that prompted Sightsavers to seek Cyber Essentials (CE) certification.
This case study highlights the challenges Sightsavers faced in achieving CE certification, how it overcame them, the benefits this had and some of the key lessons for other charities.
CHALLENGES
The first step for Sightsavers on its journey was to understand what was involved in achieving certification to CE. In order to address this, it approached URM Consulting (URM), a CE certification body and information security specialist, to conduct a CE readiness assessment. The readiness assessment focused on Sightsavers’ level of compliance with the five main control areas.
One of the five control areas that CE requires organisations to address is ‘software updates’, which involves ensuring software and operating systems are regularly checked and updated with the latest patches to protect against vulnerabilities. In a complex organisation such as Sightsavers, who at the start of 2017 had 30 offices spread across Africa and Asia (and staff working in the field using different technologies and different versions of software on different devices), this presented a significant challenge. Software patches at that time were being installed by memory stick by the users themselves, relying on their goodwill and memories to apply them. Hardware installations were also being carried out by engineers flying to and from the UK.
Following URM’s CE certification readiness assessment, it was clear to both parties that meeting the requirements of the ‘software updates’ control in particular was not going to be a quick and easy fix.
SOLUTION
A strategy was formulated where Sightsavers set short term goals to achieve CE certification with a limited geographic scope and then to expand to a global scope once the appropriate infrastructure had been implemented. Central to this strategy was the conscious and commendable decision of Sightsavers’ Board to fully embrace the scheme and use it as an opportunity to transform the cyber security practices and to develop a more resilient IT infrastructure that would improve efficiencies and free up users from any IT admin tasks.
As a result, Sightsavers has made a significant investment in time, money and effort to improve the usability of systems and endpoint security, including the following technical and non-technical initiatives and enhancements:
- Rolling out standardised laptops with local security. Sightsavers were careful to avoid any bloatware scenarios by ensuring that the minimum necessary business software was installed on all laptops and any unnecessary software was uninstalled.
- Setting up remote offices to facilitate the downloading of patches and monitoring the process for all end points.
- Implementing a centrally managed anti-virus solution.
- Establishing a dedicated Information Security Team in 2018 headed by Andrew Blackburn, an experienced CISSP qualified Information Security Manager.
- Developing and improving key operational and security processes, for example, a Joiners, Leavers and Movers Process, which led to improved access control and IT asset management.
- Developing and delivering cyber security awareness exercises, for example, phishing exercises, which not only raised awareness of this particular threat, but have led to many users proactively contacting HQ with reports of phishing attacks; or as Andrew puts it, “Acting as our eyes and ears.”
- Planning cyber and information security themed training events to raise awareness of common threats and promote the need for continued vigilance.
BENEFITS
Andrew Blackburn believes that “CE has provided a very good base level for our cyber security and has had a wide-ranging impact across systems and environments.”
The URM-supported decision to start with a smaller scope and expand served Sightsavers well by starting the journey with a tangible, achievable reward – CE certification. Andrew believes some of the more significant benefits associated with certifying to CE are:
- Major improvements to endpoint security, with all remote staff now using standard laptops and operating system software and with all machines having BitLocker encryption. All laptops have also been installed with AV and firewall protection. Also, by removing bloatware, Sightsavers has reduced the risk of breaching copyright and software licence agreements and improved laptop performance
- Vastly improved centralised management and monitoring of every endpoint, ensuring that all critical patches are installed in a timely fashion
- Greater efficiencies and cost saving, negating, for example, the need for staff to travel to Africa and Asia to install hardware
- Greater organisational resilience, as demonstrated by dealing with COVID-19. Sightsavers’ investment has enabled every user to work productively and securely (every machine has always-on VPN connectivity) from home, even where there are connectivity capacity limitations
- Full engagement and commitment from the Board in cyber security, with an appreciation of the benefits to be derived
- Assisted in the compliance with other regimes such as PCI DSS and the GDPR, e.g. securing personal data at rest through encryption
- Providing reassurance to donors and partners on the protection of their personal data through Sightsavers’ endpoint security controls and its policy of only keeping the absolute minimum amount of personally identifiable information. While CE is a UK- centric scheme (it has lower awareness in other parts of the world), Andrew Blackburn believes that regulations like the GDPR have greatly raised individuals’ interest and concern in what organisations are doing with their data.
SUMMARY
According to Andrew Blackburn “Cyber security is a never-ending journey with constantly evolving threats where organisations can never afford to rest on their laurels. However, CE has provided the ideal base level on which we can build and enhance our security stance.”
When asked whether he would recommend CE to other charities, the answer from Andrew was: “Yes, absolutely. It is something that can be achieved by any organisation. The amount of effort will naturally depend on the existing infrastructure and size of organisation. At Sightsavers, with such a complex and distributed environment the investment has been significant, but so have the benefits. One of the great things about CE is that it is a targetable standard, so you always know exactly where you are. And even if it takes you a while to certify, you can quickly pick off some low-hanging fruit (like managing users where you will increase your security stance as a consequence). I believe it is an excellent framework which you can continually build on and enhance, bringing about even greater benefits to your organisation.”
The annual recertification with URM is a timely reminder and sense check that Sightsavers is still achieving its base line. With regard to the effort involved in achieving and maintaining certification, Andrew was keen to stress, however, that effort to achieve CE is very front-loaded and, provided that you maintain your environment and processes with the necessary tweaks, the annual recertification process should be very straightforward.
For more information on URM Consulting Services
For more information on Sightsavers
For more information on the Cyber Essentials scheme
This is one in a series of case studies across our range of certifications – if you would like to contribute a case study to feature on our website, please contact [email protected]