National Cyber Resilience Advisory Board (NCRAB) minutes: March 2026
- Published
- 26 June 2026
- Directorate
- Digital Directorate
- Topic
- Education, Public sector
- Date of meeting
- 31 March 2026
- Date of next meeting
- 23 June 2026
Minutes from the meeting of the group on 31 March 2026.
Attendees and apologies
Board Members in attendance:
Maggie Titmuss (Chair)
Carla Baker (CB)
Phil Ford (PF)
George Fraser (GF)
Martyn Wallace (MW)
Natalie Coull (NC)
Jordan Schroeder (JS)
Don Smith (DS)
Steve Watt (SW)
Alan Gray, Deputy Director, National Cyber Security and Resilience Division, Scottish Government – Ex Officio (AG)
Apologies:
Deryck Mitchelson (Vice-Chair – DM)
ACC Stuart Houston (SH) – Ex-Officio
Freha Arshad (FA)
Ollie Bray (OB)
Also in attendance:
Head of the National Cyber Resilience Unit (NCRU)
NCRU Head of Policy and Programme
NCRU Public Sector Lead
NCRU Head of Learning and Skills
Scottish Cyber Coordination Centre (SC3) Service Lead
Scottish Cyber Coordination Centre (SC3) Service Incident Management Lead
Scottish Cyber Coordination Centre (SC3) Service Standards and Insights Lead
National Cyber Security Centre (NCSC) Devolved Administrations Lead (YW)
Education Officer, Education Scotland (KMF)
DCS Andy Patrick, Police Scotland (AP)
Items and actions
Welcome, introductions, last meeting actions and conflicts of interest
The Chair welcomed Members to the meeting. The minutes of the January 2026 meeting were approved. No conflicts of interest were noted.
The NCRU Head of Policy and Programme ran through outstanding meeting actions:
SEP25/05: OB to provide update on further developments of the Curriculum Improvement Cycle and the embedding of cyber within the curriculum in March 2026
The action was closed during the March 2026 meeting.
JAN26/03: YW to investigate and provide Scotland-specific threat update, including information on broader geopolitical tensions and additional data on cyber incidents, at future meetings.
The action was closed during the March 2026 meeting.
JAN26/04: The Chair and SH to discuss Child Sexual Exploitation separately. Chair to provide update.
The Chair advised that she had met with SH. Action closed.
JAN26/05: YW to provide an elections focused briefing to Members at the March 2026 meeting.
The action was closed during the March 2026 meeting.
JAN26/06: SC3 Service Lead to share version of the SCAR with Members. DD and ON providing update.
The action was closed during the March 2026 meeting.
JAN26/07: The Chair and Head of the NCRU to meet and discuss CyberFirst and TechFirst in Scotland.
The action was closed during the March 2026 meeting.
JAN26/08: OB to provide a paper to Members for discussion, on developments with the Curriculum Improvement Cycle, focusing on the inclusion of cyber and digital literacy within the curriculum for the March 2026 meeting.
The action was closed during the March 2026 meeting.
JAN26/09: SC3 Service Lead to provide more detailed findings from the 2025 Cyber Resilience Assessment at the March 2026 meeting.
The action was closed during the March 2026 meeting.
JAN26/11: Final comments on the Action Plan to be returned by 23 January 2026. Complete.
JAN26/12: NCRU Policy and Programme Officer to share CyberScotland Week 2026 asset pack with the Board for them to share across their networks.
EG shared with Members on 9 February.
Cyber threat landscape
The National Cyber Security Centre (NCSC) Devolved Administrations Lead (YW) provided a general threat update to members. Ransomware remained the biggest cyber threat, but YW noted that not all incidents were reported to NCSC. The NCSC Incident Management Team were working with law enforcement to get more data.
YW also advised that the NCSC Incident Management Team had reached out to the Scottish Cyber Coordination Centre (SC3) to arrange a meeting to discuss data and had also been asked to look at providing more granular data for Scotland.
YW also provided an elections-focused update to Members.
GF noted the increased use of deepfakes in election-related posts online and asked if SG or UKG were running any campaign in the lead-up to the election.
AG advised that wider election-focused campaigns were not within the policy remit of the National Cyber Resilience Unit (NCRU) or SC3.
The Head of the NCRU advised that NCSC had provided high-level briefings to high-risk individuals in advance of the election. NCRU would, however, investigate if any messaging could be done online in the run-up to the Scottish election.
MAR26/01: Head of NCRU agreed to arrange online messaging on the electoral misinformation/disinformation threat as part of monthly social media postings in the run-up to the Scottish election.
AP provided a short cyber threat update from February 2026 in relation to current cyber crimes.
AP advised that investment scams, sextortion, computer misuse and cryptocurrency were all areas of recurring crimes and incidents. The next focus of the Police Scotland Cyber and Fraud Unit (CAFU) was training and Cyber Choices for young people.
MAR26/02: The Chair and AP to discuss Cyber Choices separately.
The SC3 Service Lead advised of a rise in Distributed Denial of Service (DDoS) attacks. He explained that SC3 had provided election guidance to all local authorities as well as tailored cyber guidance to every returning officer. A leadership guide would also be provided a week before the election. The SC3 Service Lead advised Members that a Scottish Election call had now been stood up which also involved UKG.
The SC3 Service Lead advised Members of two recent incidents that SC3 had dealt with, including an incident linked to the Middle East – a “wiper attack” on the NHS supply chain. He advised that there had been no impact on any health supplies in Scotland. The other incident related to a suspected ransomware attack on a Council’s Education Network. SC3 and Police Scotland were working with the Council.
ON also advised that SC3 were running lessons learned workshops with local authorities.
A discussion on the vulnerabilities of the education network in Scotland followed. DS expressed concern given the number of recent incidents on some local authorities’ education networks. SW also advised that a couple of academics had been targeted in the HE sector and asked if SC3 were involved in helping them.
MAR26/03: SC3 Service Lead and SW to discuss academics’ cyber incidents separately.
SC3 update, Cyber Resilience Assessment (CRA) findings and overview of the Scottish Cyber Activity Report (SCAR)
The SC3 Service Lead provided an update on the Cyber Resilience Assessment (CRA) 2025 after providing initial findings at the last Board meeting:
• Dashboard now in place to consider areas of improvement across public sector.
• 98% completion rate for the CRA with returns from 181 public sector organisations.
• Average response time of 27 days, with further functions to be added to Observatory to provide further advice and guidance.
• 35 possible Areas to Consider (ATC), with 7 designated as Areas to Improve (ATI).
In relation to ATCs, he advised that automatic marking by the CRA tool provided immediate feedback. Areas designated as ATIs would include improvements such as Incident Response Plans. 36% of public sector organisations had not exercised in the last 12 months and this would be something that SC3 would take into consideration in its exercising plans for the year ahead.
In relation to ATIs, the SC3 Service Standards and Insights Lead advised that the CRA had given insights into scoring methods and thresholds that SC3 would continue to review and improve, comparing self-assessed data with other data. In relation to sub-sector analysis, he advised that the CRA offered SC3 the opportunity to analyse CRA data to understand different trends and challenges across different communities, such as Risk Management Process, which in Local Authorities (LA) was an issue due to continued use of the Public Services Network (PSN). For other organisations, challenges around multi-factor authentication were discussed.
The SC3 Service Standards and Insights Lead advised that CRA plans for 2026 were to:
• maintain the high response rate,
• capture information at a contributing outcome level,
• highlight gaps with an automated marking scheme,
• publicise initial targets, e.g. zero ATIs.
The SC3 Service Lead advised they continued to gain new insights from the CRA and hoped to include more functions in the Observatory to provide further guidance and support to users to complete the CRA in future. The CRA had also highlighted systemic challenges in the public sector that would be explored to consider policy levers or regulation to address them.
The Chair welcomed the information and felt it gave a good sense of where the Scottish public sector was positioned. She queried if there was an organisational behaviour score and felt this would be beneficial to scoring cyber resilience. SW noted the huge improvement in the response rate and felt the feedback was very insightful. He queried the visibility of the CRA findings at Accountable Officer level.
The SC3 Service Lead advised that they had delivered a leaders’ session during CyberScotland Week to announce the findings and highlight the challenges across the sector. Further benchmarking would take place over the next few years, but this year SC3 planned to target key leaders in critical organisations.
JS queried if any independent verification was involved in the CRA. The SC3 Service Standards and Insights Lead advised that the benefit of the CRA was that it was based on wider data collection and self-assessment. GovAssure includes independent assessment but this was not seen as an immediate priority.
GF asked if ATIs could be independently assessed and linked to funding. The SC3 Service Lead explained that the CAF included indicators of good practice (IGPs) that could be used for both self-assessment and by an independent assessor. For the CRA, SC3 had sought to focus on controls and ATIs that would be relevant across all organisations but would also allow the identification of priorities for each organisation.
GF asked what would happen if organisations continued to be poor in their assessment. The Chair felt mandation still needed to be considered but that it required clear evidence.
AG advised that the approach of the SC3 Observatory to the CRA is quite different and the level of responses had tied in with expectations. The biggest issue was bias and changing minds from a cultural perspective to achieve change.
The SC3 Service Incident Management Lead provided an update on the Scottish Cyber Activity Report (SCAR) 2026.
The SCAR will be an annual publication examining cyber incidents and cyber exercises across Scotland's public sector. It provides an evidence-led, broad view of the incidents experienced, supported by analysis that identifies recurring themes and lessons. He advised that data for the report comes from:
• SC3 internal data on cyber incidents and exercising
• the Cyber Resilience Assessment and the responses from 181 public sector organisations
• the NCSC Annual Review providing a UK-wide context for Scotland’s position
• the Cyber Breaches Survey 2025.
The SC3 Service Incident Management Lead advised that the SCAR was focused around 3 key areas: sector preparedness, incidents and exercising. The Report had identified 11 themes and lessons, of which 4 had been identified as being of key importance:
• Leadership and Governance was the primary outcome driver in driving clear ownership of cyber security.
• Business Continuity Plans needed improvement and needed to be scoped for cyber scenarios.
• Education networks in local authorities lacked the same level of security investment as corporate networks, which was a concern given the sensitive data they handled for children and young people.
• Lessons learned needed to be identified and shared faster – the pickup across the sector of the SEPA and Comhairle nan Eilean Siar (Western Isles Council) lessons learned reports was not at the level that would be liked.
The Chair asked if there was any reason for the slow pick-up of lessons learned. The SC3 Service Incident Management Lead explained that resourcing constraints were an issue. By the time reports were circulated within the public sector, they were not seen as high priority. The Chair expressed concern and felt that mandation could be a way to make Chief Information Security Officers (CISOs) accountable for raising threat risk on risk registers.
Update on UK developments
The Head of the NCRU shared an update on the development of the UK Cyber Action Plan. The Chief Secretary to the Prime Minister and Chancellor of the Duchy of Lancaster, supported by the Security Minister in the Cabinet Office, would provide overarching leadership and responsibility for delivery of the National Cyber Action Plan. She advised there would be shared responsibility for the three pillars of the UK Cyber Action Plan. The Department for Science, Innovation and Technology (DSIT) would be responsible for the Strengthening Resilience and Securing Growth Pillars while the Foreign, Commonwealth and Development Office (FCDO) and Home Office would jointly lead the Countering Threat Pillar.
Members were advised that most measures in this action plan related to reserved matters, but the development and implementation of this plan depended on input, action and investment by the devolved governments. This was especially true where it related to devolved policy areas and the cyber resilience of our public sectors and certain critical sectors. The UK Government had engaged with the Devolved Administrations on the drafting of the Plan. Discussions were ongoing on projects that would be put forward to DSIT across the DAs for funding consideration.
The NCRU Head of Learning and Skills provided an update on TechFirst. Launched by UKG in June 2025, the £187 million TechFirst programme aimed to give 1 million students and 7.5 million workers the opportunity to learn and develop their tech and AI skills. TechFirst will be delivered across the UK by a network of regional delivery partners.
The NCRU Head of Learning and Skills expanded and explained that TechFirst comprised four strands: TechYouth for 11-18 year olds, TechGrad for UK university students wanting to pursue a tech career, TechExpert, which focused on encouraging domestic graduates to take up doctoral training, and TechLocal, delivered by InnovateUK to help regional innovators and small businesses find skilled people. TechGrad and TechLocal were now closed for 2026 funding applications and TechExpert had not yet been advertised. TechYouth would build on the success of CyberFirst, with CyberFirst activity continuing to the end of 2025/2026. Discussions were underway about how the TechYouth strand of the programme might be delivered in Scotland from August onwards, but Cyber remained a priority and the CyberFirst brand would remain in Scotland.
NC advised that Abertay University had submitted 2 applications for TechLocal funding, but DSIT is piloting TechGrad through Doctoral Training Centres and none of the DTCs for the pilot were in Scotland.
PF advised that SDS had been asked to undertake a skills needs assessment of different sectors and were currently co-designing with SG Skills Planning policy team. PF further advised that Enterprise Agencies were part of the discussion through their involvement in the Digital Economy Skills Group.
Update on Curriculum Improvement Cycle
KMF shared that cyber resilience and internet safety were both part of the Scottish curriculum with CyberFirst embedded in the curriculum unlike other parts of the UK. As well as the school programme, Education Scotland were also working with colleges to ensure there were clear pathways to cyber courses and qualifications.
The number of schools involved in the CyberFirst programme had risen from 34 in 2024/25 to 83 out of a possible 365 schools in Year 2 of the programme. KMF advised that there was a desire to have all schools involved in CyberFirst, but it was not possible to mandate this engagement. There was a great deal of interest in schools and an increased number of pupils taking advanced courses. The support from and use of TryHackMe had been instrumental in supporting this activity. KMF highlighted that the Cyber Security NPA had not reached the level of uptake anticipated but hoped this would increase with CyberFirst involvement. Education Scotland recognised the need for more balanced gender engagement in cyber qualifications as well as more interest from areas of deprivation and were continuing to monitor the data. This would be supported through increased scalability and sustainability of CyberFirst within the broader TechFirst Initiative, driven by Scottish priorities. This had been agreed with DSIT and Scottish Ministers.
KMF also referred to the Curriculum Improvement Cycle (CIC) which had emerged from various reviews of Curriculum for Excellence and the need for a systematic process to ensure the curriculum remained relevant and coherent for children and young people from 3 to 18. A holistic review of Scotland’s Curriculum happened every 10 years. Digital literacy was a cross-cutting theme across the curriculum, including cyber resilience. Cyber Security sat within Computing Science.
MAR26/04: Education Scotland to provide further update on CIC by June.
GF asked if there was a need to be more radical in the general curriculum around cyber content to engage and enthuse pupils, such as through bringing industry into classrooms.
KMF agreed that computing science curriculum content needed updating to become more current, but there was also an issue with having sufficient teachers to deliver the curriculum across Scotland’s 32 local authorities. Possible solutions could include using teachers from wider backgrounds, while Skyscanner, for example, were working with UHI to support remote teacher training.
AG agreed that different approaches were needed given upheaval in technology.
Strategic Framework for a Cyber Resilient Scotland – Action Plan update
The Head of the NCRU provided an update to Members on the Strategic Framework for a Cyber Resilient Scotland Action Plan 2025-2030.
She shared that it was launched during CyberScotland Week and the Plan set out key actions to deliver the priorities of the Strategic Framework.
She advised that there were a range of national indicators and data sets that would be used to measure change through a range of qualitative and quantitative insights. These included the Cyber Resilience Assessment (CRA) which would provide detailed change data for the public sector and the UK Cyber Breaches Report for the private sector. All this information would help in monitoring the cyber maturity of all sectors.
The Head of the NCRU explained that in relation to measuring the Framework, full causation could not be derived from all of the indicators, but they would inform direction of travel. A full programme of work had been established, and the work of delivery partners would also be tracked. This would contribute to shifting cyber behaviour.
She advised that there was also the opportunity to identify patterns and trends over time such as Cyber Essentials uptake, and campaign impacts that could also be used to drive improvements.
The Chair felt that as long as Ministers were clear on what was being measured and that it would inform direction of travel, the proposed approach was reasonable.
Horizon Scanning
DS and JS provided Members with an update on realistic, actionable threats.
DS highlighted AI and the elevated risk and vulnerability, from a cyber perspective, of people/organisations inadvertently creating AI networks and not understanding the risks. JS agreed and commented that use of AI by threat actors was now becoming more of an issue, with hackers using AI to develop zero-day exploits. This included using AI to exploit vulnerabilities in software. There was a need to develop safeguards around vibe coding (using AI to generate software) so that it did not introduce unintended vulnerabilities.
JS suggested there needed to be revised proactive guidance to encourage quicker patching. Australia recommended patching in 72 hours due to the pace of exploitation, but NCSC recommended 14 days which he felt was too long. JS further recommended that this would be a good exercise for SC3 to undertake.
The Chair recognised this as an issue and asked what could be done for both the public and private sectors. The SC3 Service Lead felt it would be a challenge to get the public sector to patch in less than 14 days.
Additionally, the Head of the NCRU advised that through recent engagement with South of Scotland Enterprise (SOSE), there had been the opportunity to raise cyber concerns around a recent AI adoption programme for SMEs across Scotland and there had been agreement that action needed to be taken.
JS also highlighted that quantum and quantum computing were still not being seen as a credible threat and more may need to be done in this area to raise awareness.
The Chair agreed that there was a need to move quicker on quantum.
GF noted that while the timescale to create a quantum computer had dropped by about 6 years, the priority for the public sector was to move to post-quantum cryptographic (PQC) options as soon as they become available.
The NCSC Devolved Administrations Lead advised that a NCSC colleague who led on this work would be happy to speak to the Board.
MAR26/05: YW to arrange NCSC to speak to Board on AI at June meeting.
Any other business
No other business was discussed.
Close
The Chair thanked members for their attendance and advised the next ordinary meeting would be 23 June 2026, in Glasgow.