Publication - Progress report

Cyber resilience strategy 2015-2020: progress report

This report entitled 'Firm foundations' highlights the progress of 'Safe, Secure and Prosperous: A Cyber Resilience Strategy for Scotland' (2015-2020).

Cyber resilience strategy 2015-2020: progress report
4. Conclusions

4. Conclusions

4.1 Lessons learned and continuing challenges

We present some of our reflections in this section, as lessons learned and as priorities for future strategic and action planning.

There is evidence from across different types of organisations in different sectors that progress in cyber resilience is taking place and there is cause for optimism. The Scottish Government and partners have succeeded in delivering many of the aims of the action plans, which have contributed to the outcomes of the Strategy, particularly around learning and skills, and for the public and third sectors. We are in the very early stages of impact for the private sector and we expect a substantial growth in CyberSec products and services beyond 2021.

During COVID-19, organisations have had to deliver services and operate their businesses in a more digitally-dependent way and will most probably continue to do so. With this comes increased cyber risk. Particular areas of concern are around video conferencing, online fraud and security barriers to the use of different digital platforms. 

Since the launch of the Strategy, we have identified and learned new and improved ways better some outcomes in ways that made them more measurable, or in ways that were more time-bound. 

There needs to be a whole-of-government approach to cyber resilience. We have also identified opportunities to better embed cyber resilience in other Scottish Government policy areas. It is already identified in a number of policies and strategies, but we want to see better integration and alignment of cyber resilience outcomes; for example, rather than having cyber resilience as a stand-alone theme within the refreshed Digital Strategy, we intend for cyber resilience to be a fundamental principle of that strategy.

The primary task moving forward, and within the backdrop of response and recovery of COVID-19, is to consolidate our success and momentum, support organisations, communities and individuals to best utilise digital technologies on the one hand, while developing a culture of cyber resilience on the other. The Scottish Government will continue to work with the NCSC to understand the cyber risks in relation to those areas that most test our resilience.

Challenges in measuring the outcomes of the Strategy

It is difficult to measure the outcomes of any strategy that is not tied to a "control" group. We can never say, for example, that a strategic intervention is solely responsible for an observed change. The nearest we can come to linking interventions to outcomes is to write outcomes that are underpinned by clear indicators, so that the strategy is as measurable as possible, and can be said to have contributed to any observed changes.

We propose that future strategic planning should:

  • Be more evidence-based, drawing on up-to-date local and international evidence. Where sources of evidence and/or measurement tools do not appear to exist, a plan should be put in place for introducing these. One example of this could relate to Scotland's global reputation. Currently, we have access to UK-wide data, but no data that is Scotland-specific.
  • Be outcome-focused, with logic models (or "theories of change") produced: creating one for the overall Strategy, and then one for each individual action plan. These logic models should be linked to measurable indicators that identify sources of evidence, data sets and measurement tools where possible. We created these for this Strategy, but retrospectively, in order to "unearth" evidence of impact. In future we will take a more "architectural" approach to impact measurement, whereby we will embed indicators that can evidence impact during the design of our strategy, rather than using an "archaeological", retrospective approach.

Challenges in delivering the action plans

Below, we identify some of the challenges or gaps we encountered in the delivery of the individual action plans. We have identified some emerging priorities that we consider will need attention in future strategic and action planning.

Public Sector 

The Scottish public sector has made substantial progress in increasing its cyber resilience over the last few years with the majority of organisations achieving, and in some cases surpassing, the Public Sector Action Plan baseline cyber resilience requirements. There is a developing skills base across the public sector and an enthusiastic network of individuals helping to improve cyber security and resilience across the sector. However, there are a number of areas where further progress and improvements could be made
as follows:

  • Cyber security standards: 20 public sector organisations have yet to achieve Cyber Essentials or equivalent[4]. Some organisations have been unable to achieve accreditation until they replace legacy hardware. This has required significant investment in new hardware and careful consideration during digital transformation programmes, but these programmes will take time to complete. 
  • Education and awareness raising: 96% of Scotland's public sector bodies have a designated senior manager or board member responsible for cyber resilience matters, but many are not fully cognisant with what this responsibility entails. A range of resources have been developed since the Action Plan was published, but organisations still report that their staff are not adequately trained on cyber security issues. More engagement and education are required. 
  • Intelligence-sharing: 86% of public sector bodies are members of CiSP. Of those on CiSP, most do not share information with others. More work needs to be done on understanding the reasons behind low contributions and improving intelligence-sharing.

Private Sector 

We know that in 2017, only 10% of Scottish businesses had obtained a form of cyber security accreditation, such as Cyber Essentials or Cyber Essentials Plus. Amongst those who did not have cyber security accreditation, only 8% were planning to obtain accreditation in the next 12 months. We do not believe that this position has improved greatly, and remain concerned for SMEs in particular. To that end there remains a pressing need to focus on supporting businesses get the cyber basics right so that
they can be prepared for, prevent and, where necessary, respond and recover from
cyber attacks.

  • Awareness and education: There still appears to be confusion about how businesses access advice, guidance, resources, training and cyber security support services. Businesses struggle to know where to go to access the information they need and many have called for a One Stop Shop to address this gap. We are currently working with our national partners to improve this position.
  • Stronger collaboration with business representative bodies: Identifying and working with the primary stakeholder groups, including the IT Managed Services Sector, who are trusted and have influence, is also recognised as key to gaining better traction with the private sector and in particularly with SMEs as we move forward. We have funded ScotlandIS to map the managed Services Sector in Scotland as a starting point for this work.
  • Front-line incident response for SMEs: With funding support from the Scottish Government, the SBRC has responded to a demand to provide a cyber First Responder service providing a free and impartial single point of contact triage. This service will allow any business in Scotland to call for initial vendor agnostic advice and guidance immediately following a cyber incident. In addition, the SBRC will lead a programme of work to facilitate the delivery of NCSC's Exercise in a Box toolkit to organisations across the public, private, and third sectors between September 2020 and April 2021.

Third Sector 

The provision of cyber resilience support across our Third Sector appears active, attuned to the needs of the sector, and there is evidence to suggest the key actions around communications and awareness raising have been successful. There is a vibrant network of actors engaged in developing the cyber resilience of the sector as a whole, who are energised and motivated to develop this work in partnership with the Scottish Government and other organisations, and are enthusiastic about the developments in cyber resilience over the past five years and going forward. 

  • Sectoral reach: The Third Sector encompasses an estimated 45,000 organisations (including charities, social enterprises and voluntary groups), therefore the potential reach to our communities is significant, particularly reaching organisations and individuals who may be more vulnerable to cyber crime. Given that the sector is mostly made up of a huge number of small to medium-sized charities, any support or intervention measures need to be implemented on a risk-based and proportionate basis.
  • Cyber Health Check: An improved picture of the state of cyber resilience across the sector is required and further exploratory discussions with partners are planned for the development of a Cyber Health Check for the Third Sector. 

Learning and Skills 

There are clearly substantial developments across our cyber security skills pipeline, and a high degree of buy-in and leadership from our national education and skills partners. 

  • Continued and further reaching awareness raising and education: There is a need to increase awareness raising of basic cyber hygiene across the general population, with messages tailored for particular audiences and in alternative and accessible formats. We have begun work to develop an awareness raising programme aimed at carers (both kinship and looked-after children) and are currently working on accessible formats. 
  • Robust Scottish research and data: We have struggled to obtain robust data in relation to cyber security research activity in Scotland. The data available at the moment is only partial and high level. Access to more robust and relevant metrics relating to changes (and the drivers of changes) in individuals' awareness and behaviours to improve targeted interventions is required.
  • Teacher training: We have only scraped the surface in terms of teacher training in cyber security and cyber resilience. Ideally we want to see cyber resilience embedded into initial teacher training to ensure that all educators (especially in schools but also in colleges) can build cyber resilience into teaching and learning across the curriculum.

Economic Opportunity 

The CyberSec products and services industry is in its first phase in Scotland and the Economic Opportunity Action Plan is a key initial document to support the integration of cyber into broader economic development planning of the tech-ecosystem – linking cyber and digital, and cyber and fintech. 

  • Growth of the Cluster Management Organisation The CMO is in its infancy. We now understand the ecosystem and have laid the foundations of supporting the growth of a CyberSec products and services community in Scotland. Substantial effort will be required to build momentum going forward. 
  • Public sector demand for CyberSec products and services It was anticipated that there would be a significant increase in public sector demand for CyberSec products and services, but Scotland's cyber security companies report that this market still feels "hard to crack". The recently-introduced Dynamic Purchasing Scheme (DPS) procurement tool may generate more demand, and we may need to do more to influence the use of this through awareness raising with public sector customers. Additionally, we may need to work with other parts of the tech sector (fintech, data, AI etc.) to build collaboration across different areas of digital expertise so that they are better positioned to sell "total" digital solutions which may be easier for public sector buyers to understand.
  • Innovation Again in relation to the public sector, we anticipated public sector-led innovation challenges. It has, though, proven virtually impossible to identify a public sector "owner" for such a challenge. We have taken an alternative approach and worked with CENSIS to develop an Internet of Things innovation programme. We expect that in the future Scottish Enterprise and the likes of CENSIS will continue to catalyse innovation. 
  • Academic – Industry collaboration The need to harness economic opportunities arising from research is critical, however this area needs to be concentrated on. We understand that the number of university cyber security spin outs in Scotland is low. We do not have many indigenous companies of scale (they tend to either remain small or be acquired). If we draw comparison with Northern Ireland, they seem to do this better than Scotland. We believe that a cyber innovation centre or cyber-specific accelerator working at scale may make a difference here and this should be explored further. The new Cyber Quarter in Tayside might address this to an extent, however we need to get better at addressing the challenge of how to identify and nurture the great ideas and innovation, and how to grow (and retain) cyber companies that can scale up beyond micro/small business level. There also needs to be closer connections with other tech industry developments coming out from the Scottish and UK Governments, so that the cyber security industry benefits from broader links and initiatives.
  • Attracting Investment Looking at DCMS figures, levels of investment in Scotland seem disproportionately low (again – Northern Ireland provides a good comparator where they seem to do better). Scottish Development International is leading on international cyber campaigns to attract inward investment, so this might just need time to start generating impact. In the future we expect to give more focus to equip Scottish entrepreneurs to attract investment. 

4.2 Going forward

This report has set out our progress against the Strategy we published in 2015. 

Overall, there has been some good progress made across the outcomes of this first Strategy for Scotland, with clear strengths in how we have developed the cyber resilience of the public and third sectors, and in learning and skills. We have made some progress to better secure our private sector, but substantially more remains to be done, particularly around SMEs. Furthermore, we have only just begun to establish a thriving CyberSec industry and to position Scotland as a safe and secure place in which to live and work, and in which to do business and invest. 

The risk of cyber attacks will not go away; indeed, as the COVID-19 pandemic has reminded us, cyber criminals will see opportunities in fast-changing situations and quickly adapt to take advantage of any vulnerabilities they perceive. We need to redouble our efforts to keep abreast of the criminal threat, working alongside law enforcement and our allies to help protect our people, our organisations and our infrastructure.

We are moving towards our strategic vision to make Scotland a world leading country
for cyber resilience: one that people will want to live and work in, and one that businesses will want to invest in. Our current focus must be on how we can be as agile and adaptable as possible as we recover from the pandemic. We aim to publish a new Strategic Framework for Cyber Resilience in Scotland. during Cyber Scotland Week 2021.