1. The importance of cyber resilience in Scotland’s third sector has never been greater. Digital technologies bring significant opportunities for our third sector organisations and our economy – but they also bring with them new threats and vulnerabilities that we must take decisive action to manage.
2. The cyber-threat is assessed as a Tier 1 threat to the UK’s national security. The National Crime Agency describes it as a "major and growing threat" to UK organisations. Increasingly we have seen major cyber attacks affecting large numbers of organisations worldwide as a result of unintended consequences.
3. The National Cyber Security Centre notes that cybercriminals are becoming increasingly sophisticated, and are able to make judgements on "Return on Investment" when deciding whom to target and where – the harder the target, the smaller the ROI, and the less incentive there is to invest time and money in an attack on that target. Making Scotland overall, and individual sectors and organisations within Scotland, more cyber resilient may therefore help tip the balance around these judgements in the future, bringing economic advantage to Scottish organisations through an ability to continue operations unaffected by common cyber attacks. Being able to demonstrate that cyber security is taken seriously – that services and customer/client data are protected and resilient – will become increasingly important to an organisation’s reputation, which in turn may impact on overall performance.
4. To combat the threat, and to ensure Scotland’s overall preparedness and resilience, third sector organisations of all sizes must be supported to adopt a "when, not if" mindset in respect of future cyber attacks, and to take appropriate, proportionate preventative action.
5. This Third Sector Action Plan has been developed in partnership by the Scottish Government and the National Cyber Resilience Leaders Board (NCRLB). It has drawn heavily on the views and expertise of key third sector stakeholders, including representatives of small and medium sized third sector organisations. It sets out the key actions that the Scottish Government and key partners will take during 2018-20 to help make Scotland’s third sector, and Scotland overall, more cyber resilient. It aims to realise the opportunities presented by Scotland’s strong cyber resilience networks and communities of interest to position Scotland as a world leading nation in cyber resilience.
6. Delivery of the action plan will be coordinated and led by the Scottish Government’s Cyber Resilience Unit, working in partnership with the NCRLB and Scottish third sector partners.
A. Developing a common approach to cyber resilience across the Scottish third sector
7. The Scottish Government and the National Cyber Resilience Leaders Board will work with the and key partners to consider options for developing a Third Sector Cyber Resilience Framework/Pathway by spring 2019. This would aim to provide a simple, structured way for organisations in Scotland – particularly small and medium sized third sector organisations – to assess the cyber threat to their operations and select an appropriate set of controls or guidance to help them work progressively towards strengthening their cyber resilience. As part of this work, consideration will be given to making clear how such a framework/pathway could align with the core common supply chain cyber security requirements of public and larger private and third sector organisations. This should help drive greater consistency in the demands placed on small and medium sized third sector organisations in supply chains. (Key Action 1)
B. Strengthening communications, awareness-raising and systems of advice and support
8. The Scottish Government will work with the National Cyber Resilience Leaders Board, the NCSC and key partners to strengthen the promotion of good cyber resilience practice at all levels in the third sector. This work will include the strengthening of systems of advice and support for the third sector (and other sectors) in Scotland, and activity aimed at communicating key messages and raising awareness of the operational and reputational importance of cyber resilience and effective ways of achieving it. An initial "target landscape" for advice and support will be identified with the goal of achieving this by spring 2019, and thereafter improved on an ongoing basis. (Key Action 2)
C. Strengthening partnership working, leadership, and knowledge sharing in Scotland’s third sector
9. The Scottish Government will work in partnership with the NCSC, UK Government and key Scottish third sector organisations to help catalyse better cyber resilience practice across Scotland’s third sector. From summer 2018, a cross-sectoral group of third sector cyber catalyst organisations will work with the Scottish Government and the NCSC to develop and support implementation of practical solutions to key challenges on an ongoing basis, with an initial focus on:
- strengthening leadership for, and helping drive greater awareness and uptake of good cyber resilient behaviours in, Scottish small and medium sized third sector organisations, including through the use of supply chain measures;
- strengthening coordination and knowledge sharing in respect of cyber resilience across key third sector organisations operating in Scotland; and
- supporting and promoting uptake of key educational initiatives in Scotland, including cyber security apprenticeships.
Appropriate support will be offered to the third sector cyber catalysts to help achieve desired outcomes. The Scottish Government will play a leading role in supporting and driving forward the work of the group, and identifying avenues for delivery. (Key Action 3)
D. Supply chain cyber security – leveraging requirements to improve the cyber resilience of Scotland’s small and medium sized third sector organisations
10. The Scottish Government will work with third sector organisations and key partners to clarify the common core cyber resilience requirements that are currently placed on third party suppliers, and their relationship to wider standards and guidance. Thereafter, the potential for greater cross-sectoral alignment and cooperation in respect of common core supply chain requirements will be explored, with the goal of promoting greater coherence across Scotland’s public, private and third sectors. A key aim of this alignment will be to improve the cyber resilience of Scotland’s small and medium sized third sector organisations as part of the supply chain of larger public, private and third sector organisations. (Key Action 4)
E. Strengthening incentives to improve cyber resilience in Scotland’s third sector
11. The Scottish Government and the National Cyber Resilience Leaders Board will work with the UK Government and key third sector stakeholders to consider how best to strengthen incentives to support the uptake of cyber security standards/accreditation, and the adoption of good cyber resilience practice more generally. This will include the continuation of a modified voucher scheme to support the achievement of Cyber Essentials or Cyber Essentials Plus by Scottish small and medium sized third sector organisations. On the basis of activity across all action plans, we aim to at least double the number of organisations across the public, private and third sectors holding Cyber Essentials or Cyber Essentials Plus certification in Scotland during Financial Year 18-19. (Key Action 5)
F. Benchmarking, Monitoring and Evaluation
12. The Scottish Government will work with the NCRLB, the NCSC, Regulatory Bodies and key partners to develop appropriate benchmarking, monitoring and evaluation arrangements for implementation by spring 2019. (Key Action 6)
A summary of these key actions, along with timelines, can be found at Annex A to this action plan.