Black Country Women’s Aid certifies to Cyber Essentials Plus

Aug 16, 2022 | Case Study

“It is all of our responsibility to keep everybody safe.
This is a new element to keeping people safe.”

In 2021, Black Country Women’s Aid certified to Cyber Essentials Plus for the first time. We spoke to Sara Ward who has been CEO of the charity for the last 20 years, and cyber security consultant and assessor, Chris Blunt about the collaborative, educational and transformative process that the charity has been through.

Black Country Women’s Aid is a progressive charity that provides advice, support, counselling and accommodation to victims of domestic abuse, stalking, rape and sexual violence, forced marriage, so-called honour-based violence, modern slavery and exploitation, and to women who offend. With humble beginnings in Sandwell, the charity is recognised not only locally, but regionally and nationally for its innovative, dynamic models of practice.

SARA: Today we have over 180 staff, occupy multiple sites and provide a whole range of services to victims who are abused. We are a very different organisation to the one that started around a kitchen table in Sandwell. With no money to help people, we were not going to let that stop us from responding to this heinous crime and despite being small in number, we were determined in action. Back in those days, and we’re not talking about ages ago, but in the 1980s, abuse was still a taboo subject, one that many still felt was a “behind closed doors” matter. There were no systems to help or support and little funding available, yet women and children’s lives were being affected every day. Our response was to open a refuge.

The local council gave us a house due for demolition as a temporary fix, in the hope that we might go away; but we didn’t. We went on to bigger and better things as demand for the refuge increased and the word got around that women and children did not have to live in fear. Topics such as sexual violence, exploitation, honour based violence and forced marriage just weren’t talked about yet, although communities knew they existed. We saw generations of women and children live through horrendous experiences with very few places to go. We wanted to be that place. The fight to combat violence against women and girls now has taken a new approach and great strides have been made for it to be everyone’s responsibility. Now we work collaboratively with police, social care and our local authorities.

I think we’ve moved mountains, although sometimes it has felt as if we’ve been walking in treacle. We are in a good place and the work is recognised.

What is the size of the charity?

Black Country Women’s Aid would now be considered a large charity with a £6.5 million turnover and 180 staff. Our staff are our biggest asset, as they come from a variety of backgrounds. We are classified as a large charity which is based on income, but the spectrum is massive so we’re “bottom of the top” where that’s concerned. We certainly are not in the same league as the large nationals. Our services are spread across Birmingham, Sandwell, Dudley, Walsall and we’re looking for partners to establish a site in Wolverhampton. We’ve made sure that we have funds from a variety of partners and sources and this includes donations in kind, contracts, commissions, and grants. We are always overwhelmed by the kindness of people who donate, even the smallest of things like a bar of soap can really help someone.

What was it that made you formally address your cybersecurity and then achieve certification?

Firstly, it’s necessary to say that it was a contractual requirement, however, I feel our organisation is better as a result of the gentle nudge. Cyber security certainly isn’t our expertise and whilst there have been employees with an interest in IT, this requirement took us to another level, one where you need experts in the room. For a number of years, we have worked with an IT company, Blue Click who helped set up and build our systems, connect us, and keep us with enough capacity to grow as BCWA has expanded. The language of cyber security was new to us and therefore it felt necessary that we have some experts to help us improve and to achieve certification.

We have many referrals from agencies such as the local authority, police and health professionals and along with that, we all need to be confident that we are secure in the way we handle and manage information. Our contracts with the Ministry of Justice and the Home Office meant that they wanted assurance of that security. Although we were heading in the right direction, we needed some extra help to achieve these standards.

We had previously worked with a legal expert to develop our responses to the implementation of GDPR, so we are open to partnership working with experts. This was different, and the risks were high if we got it wrong. Through our excellent partnership with Blue Click, we were introduced to Chris Blunt who is an independent cyber security consultant running a company called Blunt Security. Our starting point was to identify gaps, and we had many. Chris asked tough questions, and we didn’t always know the answer. As the most senior employed person in the charity, Trustees rely upon me to make the right decisions and not to put the work of BCWA at risk and I felt we needed to protect everyone involved.

Chris’ challenges enabled us to work through problems and find solutions. I believe this process made us confident, stronger, more collaborative, and more transparent. Chris has been tough and challenged us thoroughly, but he has also been understanding about the environment that we work in, and who we work with and what our values are.

 

CHRIS: For cybersecurity to be truly effective, it has to be led by management, it has to come from the top down. This is because it is not just about the technical controls, it’s about how you do business.

It was a genuine pleasure to work with an organisation that recognised the need for cyber security certification and dedicated their time and resource into improving this area. Instead of battling for the case of data protection, the senior staff already understand that work and take it seriously. Maybe that’s because of the nature of what they do in their roles, but it is refreshing to see an organisation really get behind information security.

SARA: Once we decided, or it was decided for us, that Cyber Essentials Plus needed to be achieved, we set about dismantling much of our infrastructure and rebuilding something with a much more solid structure. It made us far more accountable and strategic. We now have documented systems and procedures about some of the decision making and actions we take. We didn’t know that the system can work for us as well as working for others. Whilst initially apprehensive, I transformed from a reluctant technophobe to a willing and engaging participant and now enjoy reading and analysing the reports that enable us to better understand our work.

CHRIS: There were a couple of specific points that we picked up. One was around one of the bespoke software systems which was running on some legacy operating systems. Those were upgraded and there was also some remediation to some of the methods for remote access through the external firewall.

What is your advice to other charities?

SARA: Don’t be afraid of what you don’t know. When running a charity, it often feels like you have to know and do everything – a jack of all trades. I am, however, honest in knowing what I can’t do. Money is a precious commodity in a charity and I understand that it’s a real struggle, often with little wriggle room but the professional cyber security advice that we brought in has been worth every penny. I genuinely don’t think that we would be in the positive position that we are in today without Blue Click’s response to our needs and Chris Blunt’s guidance. I know that not all our commissioners want, or specify this certification, however, it puts us above all of those charities that don’t have it. It tells commissioners that we work within national standards of good practice and adds to our USP.

“the level of information that we have, in the wrong hands, could cost lives.”

When we started, it felt like a painful process and we asked ourselves many questions. Did we have the resources? Would this be a tick box exercise? Was it worth it? Were we just satisfying a contract? Was this taking us away from what we do well – supporting victims of violence and abuse? How wrong could I be. Information in the wrong hands brings significant risk and could cost lives; security is not just about the location of the safe house, but also the information that we hold about our clients. We want to show trustworthiness not just to our commissioners, but also the people who come into our service. Their information is a precious commodity and we’ve got the systems in place to protect it.

I would advise charities to achieve the Cyber Essentials certification as they too will have personal information about the people they support. The hackers are always several steps ahead of us leaving us vulnerable and at risk. We genuinely want to help others achieve certification and we’ve offered to be buddies for other charities and to help them identify funds to enable this to happen. We are an organisation that has wanted to help not only people coming to our door, but other charities to survive. I feel like a cyber security poster girl!

How do you feel now you are certified?

SARA: I’m really proud of BCWA and all it has achieved. We started out with something that was complex and quite scary and now realise that it’s not about fear, it’s about structure, accountability and understanding. I’m proud of everybody who has embraced the need for this change; rather than it is someone else’s job, it’s all of our job, it’s all our responsibility. This is our mantra. It’s everyone’s business to keep everybody safe and this is a vital part of keeping people safe.

I’m proud to be the CEO of a charity where the trustees invested in this area of work, got the experts on board and supported the achievement. But it doesn’t stop there. At every level there is a commitment of staff wanting to know more, a real eagerness, a thirst for more training and development. We now own the responsibility and take responsibility because we do that with people’s lives every day – we should do the same with their data. It has been a challenging time but we are richer for it.

Cyber Essentials is an effective, Government backed baseline scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks. Cyber Essentials Plus includes the additional assurance of a technical audit on your IT systems to verify the answers to the self-assessment questionnaire.
