1. The importance of cyber resilience in Scotland’s private sector has never been greater. Digital technologies bring significant opportunities for our businesses and our economy – but they also bring with them new threats and vulnerabilities that we must take decisive action to manage.
2. The cyber threat is assessed as a Tier 1 threat to the UK’s national security. The National Crime Agency describes it as a "major and growing threat" to UK businesses. Increasingly, we have seen major cyber attacks affecting large numbers of businesses worldwide as a result of unintended consequences.
3. The National Cyber Security Centre notes that cyber criminals are becoming increasingly sophisticated, and are able to make judgements on "Return on Investment" when deciding whom to target: the harder the target, the smaller the ROI, and the less incentive there is to invest time and money in an attack on it. Making Scotland overall, and individual sectors and businesses within Scotland, more cyber resilient may therefore help tip the balance around these judgements in the future, bringing economic advantage to Scottish companies through an ability to continue operations unaffected by common cyber attacks. Being able to demonstrate that cyber security is taken seriously – that services and customer data are protected and resilient – will become increasingly important to a business’s reputation, which in turn may impact on overall performance.
4. To combat the threat, and to ensure Scotland’s overall preparedness and resilience, businesses of all sizes must be supported to adopt a "when, not if" mindset in respect of future cyber attacks, and to take appropriate, proportionate preventative action.
5. This Private Sector Action Plan has been developed in partnership by the Scottish Government and the National Cyber Resilience Leaders Board (NCRLB). It has drawn heavily on the views and expertise of key private sector stakeholders, including representatives of the SME sector – a vital part of the Scottish economy. It sets out the key actions that the Scottish Government and key partners will take during 2018-20 to help make Scotland’s private sector, and Scotland overall, more cyber resilient. It aims to realise the opportunities presented by Scotland’s strong cyber resilience networks and communities of interest to position Scotland as a world leading nation in cyber resilience.
6. Delivery of the action plan will be coordinated and led by the Scottish Government’s Cyber Resilience Unit, working in partnership with the NCRLB and Scottish private sector partners.
A. Developing a common approach to cyber resilience across the Scottish private sector
7. The Scottish Government and the NCRLB will work to ensure that the views of the Scottish private sector, including SMEs, help inform UK-level consideration of whether there is a case for extending regulatory requirements around cyber resilience more widely across parts of the private sector. This will include a particular focus on ensuring input from any sectors that are critical to the functioning and health of the Scottish economy, and key areas of competitive advantage. (Key Action 1)
8. The Scottish Government and the National Cyber Resilience Leaders Board will work with the NCSC and key partners to consider options for developing a Private Sector Cyber Resilience Framework or Pathway by spring 2019. This would aim to provide a simple, structured way for organisations in Scotland – particularly SMEs and those in currently unregulated sectors – to assess the cyber threat to their operations and select an appropriate set of controls or guidance to help them work progressively towards strengthening their cyber resilience. As part of this work, consideration will be given to making clear how such a framework or pathway could align with the core common supply chain cyber security requirements of public and larger private and third sector organisations. This should help drive greater consistency in the demands placed on SMEs in supply chains. (Key Action 2)
9. The Scottish Government will work with the NCRLB and private sector partners to explore the potential for a more joined-up, integrated, national-level approach to cyber resilience across the Scottish private sector (and public and third sectors). This will include consideration of initiatives to improve cooperation and collaboration between key sub-sectors of the Scottish economy that rely on one another for continued effective operation, with a view to strengthening the overall cyber resilience of Scotland. (Key Action 3)
B. Strengthening awareness-raising and systems of advice and support
10. The Scottish Government will work with the National Cyber Resilience Leaders Board, the NCSC and key partners to strengthen the promotion of good cyber resilience practice at all levels in the private sector. This work will include the strengthening of systems of advice and support for the private sector (and other sectors) in Scotland, and activity aimed at raising awareness of the economic importance of cyber resilience and effective ways of achieving it. An initial "target landscape" for advice and support will be identified with the goal of achieving this by spring 2019, and thereafter improved on an ongoing basis. (Key Action 4)
C. Strengthening partnership working, leadership and knowledge sharing in Scotland’s private sector
11. The Scottish Government will work in partnership with the NCSC, UK Government and key Scottish private sector organisations to help catalyse better cyber resilience practice across Scotland’s private sector. From summer 2018, a cross-sectoral group of private sector cyber catalyst organisations will work with the Scottish Government and the NCSC to develop and support implementation of practical solutions to key challenges on an ongoing basis, with an initial focus on:
- strengthening leadership for, and helping drive greater awareness and uptake of good cyber resilient behaviours in, the Scottish SME community, including through the use of supply chain measures;
- strengthening coordination and knowledge sharing in respect of cyber resilience across key organisations operating in Scotland;
- supporting and promoting uptake of key educational initiatives in Scotland, including cyber security apprenticeships;
- helping shape recommendations in respect of the potential for a more joined-up, integrated, national-level approach to cyber resilience across the Scottish private sector.
Appropriate support will be offered to the private sector cyber catalysts to help achieve desired outcomes. The Scottish Government will play a leading role in supporting and driving forward the work of the group, and identifying avenues for delivery. (Key Action 5)
D. Supply chain cyber security – leveraging requirements to improve the cyber resilience of Scotland’s SME community
12. The Scottish Government will work with private sector organisations and key partners to clarify the common core cyber resilience requirements that are currently placed on third party suppliers, and their relationship to wider standards and guidance. Thereafter, the potential for greater cross-sectoral alignment and cooperation in respect of common core supply chain requirements will be explored, with the goal of promoting greater coherence across Scotland’s public, private and third sectors. A key aim of this alignment will be to improve the cyber resilience of Scotland’s SME community as part of the supply chain of larger private sector organisations. (Key Action 6)
E. Strengthening incentives to improve cyber resilience in Scotland’s private sector
13. The Scottish Government and the National Cyber Resilience Leaders Board will work with the UK Government and key private sector stakeholders to consider how best to strengthen incentives to support the uptake of cyber security standards/accreditation, and the adoption of good cyber resilience practice more generally. This will include the continuation of a modified voucher scheme to support the achievement of Cyber Essentials or Cyber Essentials Plus by Scottish SMEs. On the basis of activity across all action plans, we aim to at least double the number of organisations across the public, private and third sectors holding Cyber Essentials or Cyber Essentials Plus certification in Scotland during Financial Year 18-19. (Key Action 7)
F. Benchmarking, Monitoring and Evaluation
14. The Scottish Government will work with the NCRLB, the NCSC, Competent Authorities/Regulatory Bodies and key partners to develop appropriate benchmarking, monitoring and evaluation arrangements for implementation by spring 2019. (Key Action 8)
A summary of these key actions, along with timelines, can be found at Annex A to this action plan.