“Daisy has empowered us to achieve a level of cyber security that goes beyond what would normally be possible for a comparatively small team like ours.”
Edward Conway, Director of IT & Security at Mental Health Innovations
The Background
Mental Health Innovations (MHI) is a charity that uses digital innovation, data-driven analysis and the experience of clinical experts to improve the mental health of the UK population through the provision of digital tools, support and resources.
They power the Shout text messaging support service, providing free 24/7 mental health support by text message to anyone in the UK who is struggling to cope. They have also recently merged with The Mix – the UK’s digital safety net for young people, providing free, anonymous advice and crisis support designed especially for under 25s.
MHI employs nearly 200 members of staff across the UK and New Zealand (the latter helping to offer a 24-hour service), and is supported by 2,300 volunteers.
To date, MHI has supported:
- 5 million conversations about mental health
- 830,000 texters
- 88 million text messages
Mental Health Innovations considered a number of suppliers to work with them on data security. In the end, they selected Daisy Corporate Services (Daisy) for three main reasons:
- We were agile enough to put together an agreement quickly and begin work straight away.
- MHI liked that they were able to pick and choose which services they would purchase from a wide selection.
- This solution included the flexibility to add more services as their needs evolved, rather than committing to a large and non-tailored package of solutions.
The Challenge
From the start, MHI had some major challenges.
First and foremost, they had to protect their users’ data. Alongside GDPR and other data protection laws, MHI felt duty bound to go above and beyond to safeguard their texters’ personal information.
Importantly, this was not just the standard data any organisation would need to store. It concerned anonymised, sensitive messages detailing mental health issues. MHI requires this data to operate the service, to prioritise those most at risk of harm and to comply with their legal obligations. They retain effectively-anonymised data to improve the Shout service and understand mental health trends. Keeping this information secure, anonymous and confidential was vital and MHI could only offer this service if users were confident that their information was safe.
Because of this, from the start there was an extremely low risk tolerance from the board. The privacy of MHI’s service users is paramount, and the availability of systems and data is critical, particularly where there is a threat to life.
It’s also worth mentioning that at the beginning, Mental Health Innovations was a small-scale startup, with limited cyber security resources. Those tasked with cyber security were looking to work with an external partner to help navigate the complex technical and legal aspects required.
So, in short, the challenge was to help MHI build a robust cyber security strategy that went well beyond the legal minimum for a small organisation that deals with a large amount of particularly sensitive data. All of this had to be achieved at a low cost and, with the company aiming to launch its service as soon as possible, quickly.
The Solution
We began by performing a Cyber Security Review (CSR). This allowed MHI to take a look at their whole network environment and see where its strengths and weaknesses lay, then create an action plan with a prioritised list of objectives.
Given their skills shortage, MHI also needed the help of an experienced cyber security professional. For this, we suggested a Virtual Chief Information Security Officer (Virtual CISO). A couple of days each month (and extra when needed), a member of our team would work with MHI, offering input, answering questions, offering reassurance, and carrying out any particularly specialist work.
Once we had helped them sort out the basics, in 2019 we helped MHI carry out their first penetration test. Finding it a useful exercise, they chose to continue with annual pen tests going forward. In our position as Cyber Essentials+ advisors and assessors, we were also able to coach MHI towards achieving the standard and, after a successful assessment, award them with it.
Happy with the progress made and the quality of service, MHI turned to incident response, purchasing a Gold Retainer, and in 2023 participated in an incident response exercise. The former guaranteed them a swift response with no minimum spend in the event of an incident; the latter gave MHI experience in what an incident might look like, and highlighted important issues that would need to be addressed. The exercise was so useful that they are aiming to complete IR exercises annually, with a follow-up workshop afterwards to discuss findings and next steps.
MHI also chose to go for ISO 27001. With our support, they were able to attain the standard in just five months in 2020. Since 2018, Daisy has helped MHI grow their in-house capacity and develop a strong, fully capable team with the necessary security qualifications.
The Result
Ultimately, we were able to help MHI to build themselves into an organisation with a robust and proactive approach to cyber security, going well beyond the base requirements. This allows them to confidently show their users and stakeholders that their information is effectively-anonymised, confidential and secure.
One thing that MHI particularly liked was that they were able to work with the same people at Daisy again and again since 2018. When offering cyber security support, it’s a massive benefit to have experts that know the customer’s infrastructure inside and out, not needing to be brought up to speed at every meeting.
Edward Conway, Director of IT & Security at Mental Health Innovations, said: “With the help of Daisy, we’ve been able to build a proactive security posture that ensures the privacy, anonymity and trust of everyone who turns to us for help.
“The volume of data we hold is far beyond what an organisation of our size would usually manage. Daisy has empowered us to achieve a level of cyber security that goes beyond what would normally be possible for a comparatively small team like ours. Their expert guidance and comprehensive services have allowed us to safeguard sensitive information securely and robustly.”