Cyber resilience: third sector action plan 2018-2020

1. Introduction And Background

1. Safe, secure and prosperous: a cyber resilience strategy for Scotland ^[1] , was published in 2015. It set out the Scottish Government’s vision for Cyber Resilience in Scotland:

Scotland can be a world leader in cyber resilience and be a nation that can claim, by 2020, to have achieved the following outcomes:

(i) Our people are informed and prepared to make the most of digital technologies safely.

(ii) Our businesses and organisations recognise the risks in the digital world and are well prepared to manage them.

(iii) We have confidence in, and trust, our digital public services.

(iv) We have a growing and renowned cyber resilience research community.

(v) We have a global reputation for being a secure place to live and learn, and to set up and invest in business.

(vi) We have an innovative cyber security, goods and services industry that can help meet global demand.

Th ese outcomes are interdependent – progress towards one may underpin or drive progress towards others.

2. "Safe, secure and prosperous" is closely aligned with the UK National Cyber Security Strategy ^[2] , which sets out the UK Government’s strategic approach to making the UK secure and resilient in cyberspace. Cyber security is a reserved matter, but it has strong implications for the resilience and security of Scotland as a whole. Scotland has unique partnerships and networks that support resilience across all sectors. As such, the Scottish Government works closely with key partners such as the UK National Cyber Security Centre to ensure appropriate alignment between work on cyber resilience at the UK and Scottish levels.

3. This action plan has been produced by the National Cyber Resilience Leaders Board ( NCRLB) and its third sector representatives, in partnership with the Scottish Government. It has drawn heavily on the views and expertise of key third sector stakeholders. It sets out the key actions that the Scottish Government and key partners in the third sector will take during 2018-20, in order to make progress particularly towards outcomes ( i) and ( ii) above:

Our people are informed and prepared to make the most of digital technologies safely.
Our businesses and organisations recognise the risks in the digital world and are well prepared to manage them.

It aims to realise the opportunities presented by Scotland’s strong cyber resilience networks and communities of interest to position Scotland as a world leading nation in cyber resilience.

The goals of this action plan and its relationship to wider work on cyber resilience in Scotland

4. The specific goals of this action plan are to move Scotland closer to the above outcomes, and to our vision of being a world leading nation in cyber resilience, by:

• Driving greater levels of good cyber resilience practice across Scotland’s third sector, particularly amongst our small to medium sized third sector organisations, thus helping to raise overall fundamental levels of cyber resilience in the third sector.
• As part of this, there will be a particular focus on raising awareness and increasing learning opportunities for Scotland’s third sector organisations in respect of cyber resilience; and
• Promoting greater coherence and alignment of work on cyber resilience across the third sector and Scotland’s public and private sectors.

5. The Scottish Government and the NCRLB are developing and implementing complementary action plans for the public and private sectors. The first of these, the Public Sector Action Plan on Cyber Resilience, was published on 8th November 2017 ^[3] , and the Private Sector Action Plan is expected to be published alongside this Third Sector Action Plan. The aim is for all sectors in Scotland to adopt a common or aligned approach to cyber resilience where possible. As such, development of this Third Sector Action Plan has had regard to the public and private sector action plans.

The NCRLB is of the view that the Scottish and UK Governments should support Scotland’s third, public and private sectors to work together as partners, ensuring strong leadership around cyber resilience and digital enablement for the benefit of all citizens and businesses. Many third and private sector organisations are both the supply chain and the purchasers of public sector services, thus increasing the importance of commonality and coherence. In simple terms, the more our citizens and organisations speak a "common language" around cyber resilience, the more likely it is that we will be able to work in partnership to make progress. Identifying common core cyber resilience requirements across more sectors, and encouraging sharing of good practice around cyber resilience, is also expected to help promote greater levels of cyber resilience and potentially reduce compliance burdens.

6. The Programme for Government 2017-18 also committed the Scottish Government and key partners to develop action plans in the following key areas:

• Learning and Skills, focused on how to ensure that (i) our citizens have the appropriate understanding, knowledge and behaviour to live and work safely and securely in the digital world; and (ii) our cyber specialist workforce have the appropriate skills. The success of this action plan, which was published on 7 March 2018, will be vital to establishing a genuine culture of cyber resilience in Scotland (including amongst third sector organisations), and to the longer term success of the third, public and private sector action plans.
• Economic opportunity, focused on how to seize fully the economic opportunities presented by the achievement of fundamental cyber resilience, and take a visible, global role in thought-leadership, research, development and innovation relating to cyber resilience. We expect this action plan to be published in Q3 2018.

7. To ensure efficiency and maintain momentum, these plans are being developed to differing timelines. Work to identify and take account of the strong interrelationships between the actions set out in this plan and other action plans is being undertaken on a regular basis by the Scottish Government and the NCRLB. In the future, our expectation is that this third sector action plan will be merged with other action plans to constitute a single action plan focused on Scotland’s cyber resilience, as part of work on our overall security and resilience.

8. While the focus of this action plan is on cyber resilience, the actions set out in this plan will also help ensure that Scottish third sector organisations are meeting key requirements in respect of protecting personal data, which will be strengthened by the General Data Protection Regulation ( GDPR) ^[4] from May 2018. The Information Commissioner has, for example, noted publicly that achieving Cyber Essentials accreditation can assist with preparing for GDPR. Third sector organisations should in general consider how work on cyber resilience aligns with wider work on GDPR compliance.

9. The action plan recognises that the third sector in Scotland is of considerable scale and complexity. Some organisations are of significant technical sophistication, or handle significant amounts of personal data, while others operate only very basic IT systems and may be concerned with delivery of services on a small scale. One of the biggest challenges in developing this action plan has been the need to take account of these significant differences in scale and risk profile. The NCRLB third sector steering group and other key third sector partners have offered advice to help ensure the action plan meets multiple needs.

The importance of cyber resilience to Scotland’s third sector

10. "Cyber resilience" means being able to prepare for, withstand, and rapidly recover and learn from deliberate attacks or accidental events that have a disruptive effect on interconnected technologies. Cyber security is a key element of being resilient, but cyber resilient people and organisations recognise that being safe online goes far beyond just technical measures. By building understanding of cyber risks and threats, they are able to take the appropriate measures to stay safe and get the most from being online.

11. The third sector in Scotland plays a huge role in delivering public services, with over one-third of funding ^[5] coming directly from the public sector, totalling almost £1.7bn per year. By the nature of the work they do, third sector organisations often deal with highly sensitive personal data (e.g. on health, employment etc.). However, evidence suggests that there is a need to build the capacity and resilience of third sector organisations to operate safely and securely in a digital world.

12. The importance of ensuring cyber resilience in Scotland’s third sector has never been greater. In the view of the NCRLB, there are compelling arguments for Scotland’s third sector to work together to improve overall levels of cyber resilience now, supported by the Scottish Government. A number of factors make this so. They include:

(i) The scale and nature of the cyber threat to the digital systems upon which our economy and our public services increasingly rely, and the risks this presents to: our ambitions for Scotland’s digital economy; our overall security and resilience; and the success of individual organisations in Scotland: Scotland’s refreshed digital strategy ^[6] emphasises that the Scottish Government and its partners are fully committed to harnessing the benefits of digital technology across our economy and society, in order to deliver a step-change in productivity. Digital connectivity offers significant opportunities for innovation, inclusive economic growth and improved public services. However, with these opportunities come new threats and vulnerabilities, and it is imperative that we take these seriously and take action to address them and minimise their disruptive effects. Much of our prosperity now depends on our ability to secure our technology, data and networks from the threats we face. Yet cyber attacks are growing more frequent, sophisticated and damaging when they succeed.

The cyber threat to third sector organisations of all sizes is increasing, in common with the threat to the public and private sectors. This is outlined by the NCSC’s February 2018 Cyber Threat assessment on the UK Charity sector ^[7] . Some charities are aware their data is sensitive, valuable and vulnerable to attack. However, the NCSC believes that many charities – particularly smaller ones – do not realise this and do not perceive themselves as targets.

The NCSC notes that the culture of openness in the sector makes charities particularly vulnerable to some types of cyber-criminal activity, such as cyber-enabled fraud and extortion. They also judge there is considerable variation in charities’ understanding, approach to, and application of, cyber security.

Smaller charities may not consider it a priority to commit resources to cyber protection, perhaps in the belief that cyber security will be expensive and divert money away from frontline expenditure. Or it is possible they do not fully understand the threat.

The 2016 Lloyds Banking Group Digital Index identified that 49% of UK charities lack basic organisational digital skills and capability (compared with 38% of small businesses). This includes the ability to keep themselves ‘safe’ online, protecting their own data and that of their service users.

The cyber threat can be targeted or indiscriminate. Even where cybercriminals attempt to target specific organisations, the nature of the cyber threat is such that there can be significant unintended wider consequences. Third sector organisations of all sizes in Scotland need to understand the risks they face, and be confident they can take proportionate action to mitigate it. The nature of the cyber threat is such that this action is most likely to be effective if third sector organisations commit to working together, both within the third sector and across the public and private sectors, to mitigate the cyber threat across Scotland. The greater the "herd immunity" to the cyber threat in Scotland, the more secure all businesses are likely to be.

(ii) Legislative changes and their potential legal, financial and reputational impact: The new GDPR and the Security of Network and Information Systems ( NIS) Directive both come into force in May 2018, and place new duties on third ( GDPR only) and public and private sector organisations to ensure the protection of personal data and the continuity of essential services reliant on network and information systems, and to report personal data/cyber security breaches. Third sector organisations subject to these provisions could face significantly increased administrative fines of up to £17 million for data breaches or cyber security failures leading to service failure. These legislative changes should drive greater awareness of the importance of cyber resilience and the need to have appropriate technical protections for personal data in place. The actions set out in this plan are aimed at supporting organisations to understand how better to comply with the cyber aspects of such legislative duties.

(iii) Operational advantage: The flip side of these threats is that there is a significant operational advantage for Scottish third sector organisations, whether collectively or at an individual level, in working to become more cyber resilient. These opportunities include:

• Avoidance of cost and disruption to business: We cannot fully evaluate the likely impacts of a large, global scale attack across public, private and third sectors but it is widely anticipated that there will be an attempt to achieve this in the near future. Available evidence suggests there would be significant short and longer term disruption across critical digital infrastructure and, as a result, serious disturbance to business activity which would affect us all. The NCSC has indicated publicly that the UK is likely to face its first major "category one" cyber-incident in the next few years. (For the purposes of comparison, the WannaCry ransomware attack in May 2017 was a category two incident.) Lloyd’s of London has reportedly assessed that a serious cyber-attack could cost the global economy more than £92bn, which is as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy. This risk adds to the urgency with which all sectors need to review and address their security.
  
  Recent research by DCMS ^[8] found that one in five charities – surveyed for the first time in 2018 – identified a breach in the past 12 months. Among these, the most common were: staff receiving fraudulent emails (74%); others impersonating the organisation online (27%); and viruses and malware (24%). Small charities can face failure as a result of ransomware attacks, if they have not taken appropriate cyber security precautions. Insurers may also increase or reduce insurance costs depending on their assessment of an organisation’s vulnerability to cyber-attack.
  
  The NCSC notes that cybercriminals are becoming increasingly sophisticated, and are able to make judgements on "Return on Investment" when deciding who to target where – the harder the target, the smaller the ROI, the less incentive there is to invest time and money in an attack on those targets. Making Scotland overall, and individual sectors and organisations within Scotland, more cyber resilient may therefore help tip the balance around these judgements in the future. This may be expected to bring an operational advantage to Scottish organisations through an ability to continue operations unaffected by common cyber attacks.

• The ability to meet supply chain cyber security requirements in the public, private and third sectors: Many Scottish third sector organisations compete to deliver key contracts for public sector organisations (and some private and other third sector organisations). As these sectors strengthen their focus on cyber security in their supply chains, third sector organisations that can demonstrate appropriate levels of cyber resilience should find they are better placed to compete with other potential providers for such contracts.

• Reputation: As citizens’ understanding of the cyber threat increases, and as the profile of cyber attacks and data breaches continues to rise, the importance that clients, funders, insurers and others place on cyber resilience is likely to increase. Being able to demonstrate that cyber security is taken seriously may become increasingly important to a third sector organisation’s reputation, which in turn may impact on overall performance.

13. Against this background, the NCRLB has articulated its view that Scotland’s third sector must make demonstrable progress towards establishing fundamental standards
of cyber resilience that are in line with world-leading nations. Cyber resilience should
be seen as just as fundamental to third sector organisations in Scotland as health and safety currently is.

14. The NCRLB emphasises that cyber resilience is as much a cultural issue as a technical one. They view it as vital that Scotland’s third sector organisations understand and manage the cyber threat at Board/senior committee level, and take action to promote a culture of cyber security at all levels of the organisation (the Cyber Resilience Learning and Skills Action Plan sets out the actions we will take to achieve this transformational cultural change through our systems of formal and informal learning in Scotland). The NCRLB views it as being vitally important that small and medium sized third sector organisations are supported to understand and manage the threat in an appropriate and proportionate way – a one-size-fits-all approach to cyber resilience in Scotland’s third sector is not desirable.

Current levels of cyber resilience in Scotland’s third sector

15. In developing this action plan, the NCRLB and the Scottish Government have taken account of the diversity of the third sector in Scotland. There are approximately 24,000 registered charities and 20,000 voluntary groups. These range from local community groups run by volunteers to large housing associations and health and social care providers, with multi-million pound budgets and thousands of staff. The approaches to cyber resilience taken across these organisations will inevitably differ significantly according to size, risk profile, resources and capacity.

16. Currently, we do not have a comprehensive picture of the state of cyber resilience across the Scottish third sector. However, evidence suggests that there is a need to build the capacity and resilience of third sector organisations of all sizes to operate safely and securely in a digital world. Many lack an understanding of the issues around cyber resilience and the need to protect themselves. Key issues include: an expanding range of digital devices being used, without appropriate policies or protection; poor cyber hygiene and compliance; and legacy and unpatched systems. The need for a significant increase in awareness and skills around cyber resilience across the sector has been highlighted by NCRLB members.

17. To help create a more cyber resilient third sector, several pilot approaches have been trialled through senior-level engagement and an SCVO small grants programme to support small and medium sized charities to achieve Cyber Essentials certification. Grants of up to £1500 were made available to help cover the Cyber Essentials assessment fee and some of the associated IT support needed to achieve certification.

An evaluation of this funding pilot will be completed in May 2018. In addition, there has previously been financial encouragement (£1500 grants) through the Digital Scotland Business Excellence Partnership for 200 SMEs to become Cyber Essential certified – in 2016 Scotland was the only part of the UK providing this initiative. Key action 5 sets out proposals for this scheme to be continued and to include the third sector, drawing on learning from the initial phase and the SCVO pilot.

18. A number of mechanisms exist to encourage the sharing of threat intelligence across the Scottish and wider UK third sector. The NCSC has worked with industry to set up the Cyber Security Information Sharing Partnership ( CiSP) to provide a secure environment in which to share cyber threat intelligence, increasing situational awareness and reducing the impact on organisations across Scotland and the rest of the UK. The Scottish Government has used National Cyber Security Programme funding to support a CiSP (and Cyber Essentials) coordinator role, located within Scottish Business Resilience Centre ( SBRC), to promote membership of CiSP, including in the third sector. Since the coordinator was appointed in November 2016, active membership of SciNet (the Scotland-specific area of CiSP) has increased from 122 to 307, an increase of 152%. This makes SciNet the largest geographical group on CiSP within the UK. Activity to promote increased active Scottish third sector membership of CiSP, with a goal of ensuring our charities are better informed around the cyber threat, will be supported by this plan.

19. There is only limited information at present on the levels of cyber security accreditation achieved across different sectors in Scotland. Some larger third sector organisations are accredited to relatively sophisticated standards such as ISO 27001/2, although there is no publicly available central registry to make clear which organisations have achieved this, and to which parts of their networks such accreditation applies (companies holding such accreditation often choose to advertise their compliance for business/reputational purposes). Uptake of the NCSC-endorsed Cyber Essentials ^[9] scheme across Scotland is improving. At this time we do not have a breakdown by public, private and third sector.

Scottish public sector organisations do not currently require the adoption of certification such as Cyber Essentials by third and private sector organisations wishing to do business with them (the UK Government currently mandates this only if bidding for central government contracts which involve handling of sensitive and personal information and provision of certain technical products and services). The practice of third sector organisations with extensive supply chains in Scotland varies significantly, with no consistent approach currently in place (although there is effectively much commonality of approach). Implementation of the NIS Directive, and NCSC technical guidance in respect of supply chain security, may assist with developing greater consistency in some of the key sectors it covers (e.g. healthcare).

Both this plan and the Public Sector Action Plan on Cyber Resilience ^[10] propose work to help improve the uptake of appropriate cyber security accreditation/certification across Scotland’s third sector, particularly in respect of Cyber Essentials and Cyber Essentials Plus. These include proposals to develop appropriate, proportionate, more aligned supply chain procurement policies in respect of cyber security accreditation/certification.

On the basis of all this activity, we aim to at least double the number of organisations across the public, private and third sectors holding Cyber Essentials or Cyber Essentials Plus certification in Scotland during financial year 18-19.

20. There is currently a lack of a clear Framework/Pathway for Scottish third (and public and private) sector organisations to work within and towards when managing the cyber risk, providing assurance and opportunities for benchmarking. Feedback suggests this is particularly problematic for small and medium sized third sector organisations, who lack the resources that large organisations have to make sense of the many different existing standards. Cyber Essentials and Cyber Essentials Plus offer a clear entrance point – however, even these may be beyond the initial reach of some smaller charities who have yet to achieve even a basic understanding of the cyber threat. Scottish third sector organisations have indicated that achieving greater clarity on a progressive cyber threat management model beyond Cyber Essentials, towards more sophisticated measures thereafter, would be helpful.

Such a Framework/Pathway would need to have a particular emphasis on supporting small and medium sized third sector organisations to understand the cyber risk and what options they have to manage it on a progressive basis. It must encompass standards or guidance that, at more sophisticated levels, ensure a robust, holistic, effective approach to cyber resilience, avoiding "checklists" and encouraging the management of cyber security with a multi-layered approach that encompasses people, processes and technology. It must also be adaptable to ensure it keeps up with fast-paced technological change and emerging threat. This action plan sets out proposals for the Scottish Government and the NCRLB to work with key third sector organisations, and key partners such as the NCSC, to explore the potential for the development and endorsement of such a Framework/Pathway, making it easier for our organisations (especially small and medium sized third sector organisations) to understand the cyber threat and work progressively towards more sophisticated ways of managing it. (See Key Action 1)

21. There is no clear monitoring framework in place to provide Government, Parliament and citizens with a sense for the progress being made towards the overall cyber resilience of Scotland’s third sector (the public sector action plan sets out proposals to establish such a monitoring framework for public bodies). The development of the proposed Scottish Third Sector Cyber Resilience Framework/Pathway (Key Action 1) could help provide a consistent way of assessing the prevalence of good (accredited or certified) practice and perception of risk more widely across the third sector. Key Action 6 sets out a commitment to develop appropriate monitoring arrangements on the basis of existing and future information sources, to improve our understanding of the extent to which good cyber resilient behaviour is being adhered to across the Scottish third sector.