No organisation, however large or small, is immune from cyber-attacks. The Scottish Government has, this month, set out the actions it will take to help Scottish businesses tackle the cyber threat, and to position Scotland as a world leading nation in cyber resilience.

Cyber threat is assessed as a Tier 1 threat to the UK’s national security, and the National Crime Agency describes it as a “major and growing threat” to UK businesses. The Cyber Resilience Strategy: Private Section Action Plan 2018-20, which sits alongside plans for the public and third sectors, sets out eight key actions to combat the threat, and to ensure Scotland’s overall preparedness and resilience:

Developing a common approach to cyber resilience across the Scottish private sector

Key actions under this head are:

  • Ensuring that the views of the Scottish private sector help inform UK-level consideration of whether to extend regulatory requirements around cyber resilience more widely in the private sector.
  • Development of a Private Sector Cyber Resilience Framework by spring 2019 to provide a simple, structured way for organisations to assess cyber threat and select appropriate controls to strengthen cyber resilience.
  • Exploring the potential for a more joined up, integrated, national-level approach to cyber resilience across the Scottish private sector, including initiatives to improve cooperation and collaboration between key sub sectors of the Scottish economy that rely on one another for continued effective operation, with a view to strengthening the overall cyber resilience of Scotland.

Strengthening awareness raising and advice and support

The key action under this head is to promote good cyber resilience practice at all levels, including:

  • advice and support for the private (and other) sectors in Scotland; and
  • raising awareness of the economic importance of cyber resilience and effective ways of achieving it.

Strengthening partnership working, leadership and knowledge sharing in Scotland’s private sector

From summer 2018, a cross-sectoral group of private sector cyber catalyst organisations will develop and support implementation of practical solutions to key challenges on an ongoing basis. The Scottish Government will play a leading role in supporting and driving forward the work of the group, and identifying avenues for delivery.

Supply chain cyber security – leveraging requirements to improve the cyber resilience of Scotland’s SME community

The Scottish Government will work with private sector organisations and key partners to clarify the common core cyber resilience requirements on third party suppliers, and their relationship to wider standards and guidance. The potential for greater cross-sectoral alignment and cooperation will be explored, with the goal of promoting greater coherence across Scotland’s public, private and third sectors.

Strengthening incentives to improve cyber resilience in Scotland’s private sector

Consideration will be given to how to strengthen incentives to obtain cyber security standards/accreditation, and the adoption of good cyber resilience practice generally. The Scottish Government has announced funding to help businesses and charities protect themselves from cyber-attacks. The funding, which will be administered through a voucher scheme, will help organisations achieve the National Cyber Security Centre (NCSC)’s Cyber Essentials certification. The aim is to at least double the number of organisations holding certification in Scotland during Financial Year 2018-19. Further details of the scheme will be given in the autumn.

Benchmarking, Monitoring and Evaluation

Benchmarking, monitoring and evaluation arrangements will be developed for implementation by spring 2019.

Comment

A year on from the Wannacry ransomware attack, there is widespread awareness of the chaos that can be caused by a cyber-attack. The NCSC has indicated that the UK is likely to face its first “category one” cyber incident in the next few years; the Wannacry attack was category two. The action plan recognises the need for businesses of all sizes to adopt a “when, not if” mindset and to take appropriate, proportionate preventative action.