Law Centres from across the UK network certify to Cyber Essentials Plus this year, highlighting the success of the funded programme for legal aid charities
Law Centres are charitable organisations that provide free legal advice to some of the most disadvantaged people in our communities. There are over forty local Law Centres across the country and each specialises in social welfare law – the law that affects people in poverty and disadvantage. Law Centres target their free assistance at those least able to afford a lawyer, helping make the UK fairer place to live in.
The Law Centres Network (LCN) is the national membership body of Law Centres. As such, it works to help Law Centres grow and develop and the network to expand and help more communities. It also aims to strengthen the network’s infrastructure and foster Law Centre collaborations. LCN also serves as Law Centres’ collective voice, bringing their experiences and those of their clients to bear.
Alex Charles is the IT Digital Officer at Law Centres Network and manages LCN’s ambitious national IT project, bringing Law Centres into the same Office 365 tenant to aid hybrid working and collaboration. She spoke to us about the challenges that LCN and Law Centres face in managing data security and the impact of certifying to Cyber Essentials Plus standard.
“Law Centres have a duty of care for their clients. Ideally, they want to make sure that their clients are receiving the best service and that all of their systems are running effectively, and the data is secure. However, charitable funds are stretched. If there’s a choice between spending the money making sure that clients are getting the advice they need or spending the money on the Law Centre’s IT infrastructure, unfortunately the IT tends to come second.”
The Funded Cyber Essentials Programme is a UK government scheme that was open to small charities and organisations that provide legal aid services. The programme covers the cost of certification, as well as the fees for a cyber security consultant to help them achieve Cyber Essentials Plus.
Cyber Essentials is an annually renewable certification scheme consisting of five controls that will reduce the impact of the most common cyber attacks.
Cyber Essentials Plus is based on the same five technical controls as Cyber Essentials, but also includes a technical audit of the IT systems to verify that the controls are in place.
“One of the things I really like about the funded programme is that it recognises that it’s not a level playing field,” says Alex. “For example, if you’re a commercial business, you might have more flexibility than a charity for spending on cyber security. We have been considering supporting the Law Centres with Cyber Essentials for quite some time, so when government funding became available for Cyber Essentials Plus, it was a brilliant opportunity to offer our members a certification process to industry standards. We are now able to certify small groups of Law Centres at a time through the different phases of the scheme.
“In 2016, thanks to funding from the Legal Education Foundation, we started a four-phase programme of digital transformation that continued right up until March this year. Working with digital delivery providers, AspiraCloud, the participating Law Centres, plus us at head office got a complete refresh of equipment, and our IT services were consolidated into a centrally managed cloud network. Today over half of the Law Centres have followed this approach.
The Law Centres Network was the first of the Law Centres to go through Cyber Essentials certification, and because of the consistency across our network, we were able to develop a set of guide answers which could be used as a starting point for the other Law Centres. Of course, some of the answers are completely different for each centre, for example, some had landlord supplied internet connection and for others, AspiraCloud manage the internet connection and network on their behalf. We were put in touch with a Cyber Advisor (Cyber Essentials), Richard Wilding from Achilles Systems, who was very helpful throughout the process. Cyber Advisor is the National Cyber Security Centre’s Industry Assurance scheme that aims to provide small and medium sized organisations with reliable and cost effective cyber security advice and practical support.
Managing Director and co-founder at AspiraCloud, Adrian Edgar was instrumental in the four-phase cloud migration solution across many of the Law Centres. When the centres started to prepare for Cyber Essentials certification, he said, “the Cyber Essentials process was quite repeatable for each of the Law Centres and, allowing for a few tweaks depending on the setup of each centre, we were able to produce a guide template for each of the centres to follow. Our devices are managed through an MDM which makes configuration changes straightforward. Across all of the Law Centres, there really was only a handful of Bring Your Own Devices in place, yet because they are accessing confidential information, they follow a set of rules that we predefined through the portal to make sure that the device is secure.”
Alex continues, “Going through the Cyber Essentials process, we were able to update our policies to include all of the little bits that weren’t quite right or details we hadn’t thought about. There is always something small to fix that you would have otherwise missed. The certification process helps bring those issues and any associated risks to the fore and gives us an opportunity to think about how we want to manage them. So we’re really happy that we’ve been able to offer this opportunity to the network; it’s always good to have those independent checks in place. We are proud to say that at least four more Law Centres are going through the Cyber Essentials Plus process this year.
I do know that if a business or charity wants to win a government contract, Cyber Essentials is mandated as a prerequisite, and we are seeing this requirement start to become more and more commonplace elsewhere. Perhaps it will be the norm, before long, that a cyber security certification is a requirement to work with the local authority. We have already seen a funder require Cyber Essentials for a member Law Centre who was asked for it when making a funding application and dealing with a debt service, and even for a financial audit. I think it just gives that reassurance that an organisation is running in accordance with the best practice that’s out there.”