Cyber resilience: private sector action plan 2018-2020

Plan to develop a common, aligned approach to cyber resilience across the private sector in Scotland, so that all sections of society and business benefit from being digitally safe and secure.


1. Introduction and Background

1. "Safe, secure and prosperous: a cyber resilience strategy for Scotland"[1] was published in 2015. It set out the Scottish Government’s vision for cyber resilience in Scotland:

Scotland can be a world leader in cyber resilience and be a nation that can claim, by 2020, to have achieved the following outcomes:

(i) Our people are informed and prepared to make the most of digital technologies safely.

(ii) Our businesses and organisations recognise the risks in the digital world and are well prepared to manage them.

(iii) We have confidence in, and trust, our digital public services.

(iv) We have a growing and renowned cyber resilience research community.

(v) We have a global reputation for being a secure place to live and learn, and to set up and invest in business.

(vi) We have an innovative cyber security, goods and services industry that can help meet global demand.

These outcomes are interdependent – progress towards one may underpin or drive progress towards others.

2. "Safe, secure and prosperous" is closely aligned with the UK National Cyber Security Strategy[2], which sets out the UK Government’s strategic approach to making the UK secure and resilient in cyberspace. Cyber security is a reserved matter, but it has strong implications for the resilience and security of Scotland’s economy. Scotland has unique partnerships and networks that support resilience across all sectors. As such, the Scottish Government works closely with key partners such as the UK National Cyber Security Centre to ensure appropriate alignment between work on cyber resilience at the UK and Scottish levels.

3. This action plan has been produced by the National Cyber Resilience Leaders Board (NCRLB) and its private sector representatives, in partnership with the Scottish Government. It has drawn heavily on the views and expertise of key private sector stakeholders, including representatives of the SME sector. It sets out the key actions that the Scottish Government and key partners in the private sector will take during 2018‑20, in order to make progress particularly towards outcomes (ii) and (v) above:

Our businesses and organisations recognise the risks in the digital world and are well prepared to manage them.

We have a global reputation for being a secure place to live and learn, and to set up and invest in business.

It aims to realise the opportunities presented by Scotland’s strong cyber resilience networks and communities of interest to position Scotland as a world leading nation in cyber resilience.

The goals of this action plan and its relationship to wider work on cyber resilience in Scotland

4. The specific goals of this action plan are to move Scotland closer to the above outcomes, and to our vision of being a world leading nation in cyber resilience, by:

  • driving greater levels of good cyber resilience practice across Scotland’s wider private sector, particularly our SME community, thus helping to raise overall fundamental levels of cyber resilience in Scotland’s private sector;
  • developing greater cross-sectoral coherence of work on cyber resilience within Scotland’s private sector, and exploring the potential for a more integrated, joined-up, national-level approach to the cyber resilience of Scotland’s private sector as part of wider UK-level arrangements. This will be achieved in part by providing appropriate support to work on cyber resilience that is currently being undertaken at the UK and Scottish levels with private sector organisations that form part of the critical infrastructure of Scotland; and
  • promoting greater coherence and alignment of work on cyber resilience across the private sector and Scotland’s public and third sectors.

5. The Scottish Government and the NCRLB are developing and implementing complementary action plans for the public and third sectors. The first of these, the Public Sector Action Plan on Cyber Resilience, was published on 8 November 2017[3], and the Third Sector Action Plan is expected to be published alongside this Private Sector Action Plan. The aim is for all sectors in Scotland to adopt a broadly aligned approach to cyber resilience where possible. As such, development of this Private Sector Action Plan has had regard to the Public Sector Action Plan and the Third Sector Action Plan.

The NCRLB is of the view that the Scottish and UK Governments should support Scotland’s private, public and third sectors to work together as partners, ensuring strong leadership around cyber resilience and digital enablement for the benefit of all citizens and businesses. Many private and third sector organisations are both the supply chain and the purchasers of public sector services, thus increasing the importance of commonality and coherence. In simple terms, the more our citizens and organisations speak a "common language" around cyber resilience, the more likely it is that we will be able to work in partnership to make progress. Identifying common core cyber resilience requirements across more sectors, and encouraging sharing of good practice around cyber resilience, is also expected to help promote greater levels of cyber resilience and potentially reduce compliance burdens.

6. The Programme for Government 2017-18 also committed the Scottish Government and key partners to develop action plans in the following key areas:

  • Learning and Skills, focused on how to ensure that (i) our citizens have the appropriate understanding, knowledge and behaviour to live and work safely and securely in the digital world; and (ii) our cyber specialist workforce has the appropriate skills. The success of this action plan, which was published on 7 March 2018, will be vital to establishing a genuine culture of cyber resilience in Scotland (including amongst private sector organisations), and to the longer term success of the private, public and third sector action plans.
  • Economic opportunity, focused on how to seize fully the economic opportunities presented by the achievement of fundamental cyber resilience, and take a visible, global role in thought-leadership, research, development and innovation relating to cyber resilience. We expect this action plan to be published in Q3 2018.

7. To ensure efficiency and maintain momentum, these plans are being developed to differing timelines. Work to identify and take account of the strong interrelationships between the actions set out in this plan and other action plans is being undertaken on a regular basis by the Scottish Government and the NCRLB. In the future, our expectation is that this private sector action plan will be merged with other action plans to constitute a single action plan focused on Scotland’s cyber resilience, as part of work on our overall security and resilience.

8. While the focus of this action plan is on cyber resilience, the actions set out in this plan will also help ensure that Scottish private sector organisations are meeting key requirements in respect of protecting personal data, which will be strengthened by the General Data Protection Regulation (GDPR)[4] from May 2018. The Information Commissioner has, for example, noted publicly that achieving Cyber Essentials accreditation can assist with preparing for GDPR. Private sector organisations should in general consider how work on cyber resilience aligns with wider work on GDPR compliance.

9. The action plan recognises that the private sector in Scotland is of considerable scale and complexity. SMEs account for 99.4% of Scottish private sector organisations and 55% of private sector employment[5], but Scotland is also home to a number of large, multinational companies, which have reporting structures and regulatory calls on them from outwith Scotland. Some companies are of significant technical sophistication, or handle significant amounts of personal data, while others operate only very basic IT systems and may be concerned with delivery of goods or services on a small scale. One of the biggest challenges in developing this action plan has been the need to take account of these significant differences in scale and risk profile. The NCRLB private sector lead representatives and other key private sector partners have offered advice to help ensure the action plan meets multiple needs.

The importance of cyber resilience to Scotland’s private sector

10. "Cyber resilience" means being able to prepare for, withstand, and rapidly recover and learn from deliberate attacks or accidental events that have a disruptive effect on interconnected technologies. Cyber security is a key element of being resilient, but cyber resilient people and organisations recognise that being safe online goes far beyond just technical measures. By building understanding of cyber risks and threats, they are able to take the appropriate measures to stay safe and get the most from being online.

11. The importance of ensuring cyber resilience in Scotland’s private sector has never been greater. In the view of the NCRLB, there are compelling arguments for Scotland’s private sector to work together to improve overall levels of cyber resilience now, supported by the Scottish Government. A number of factors make this so. They include:

(i) The scale and nature of the cyber threat to the digital systems upon which our economy increasingly relies, and the risks this presents to: our ambitions for Scotland’s digital economy; our overall security and resilience; and the success of individual businesses in Scotland: Scotland’s refreshed digital strategy[6] emphasises that the Scottish Government and its partners are fully committed to harnessing the benefits of digital technology across our economy, in order to deliver a step-change in productivity. Digital connectivity offers significant opportunities for innovation and inclusive economic growth. However, with these opportunities come new threats and vulnerabilities, and it is imperative that we take these seriously and take action to address them and minimise their disruptive effects. Much of our prosperity now depends on our ability to secure our technology, data and networks from the threats we face. Yet cyber attacks are growing more frequent, sophisticated and damaging when they succeed.

The National Crime Agency describes the cyber threat as a "major and growing threat" to UK businesses. It assesses that the cost of cybercrime to the UK economy is billions of pounds per annum, and that the accelerating pace of technology and criminal cyber capability development currently outpaces the UK’s collective response to cybercrime. It is assessed that the number and severity of cyber incidents affecting private sector organisations will continue to increase at a significant rate. These threats come from a variety of sources, including hostile state actors, cyber criminals, political activists, opportunists and others. The rise of internet connected devices gives attackers more opportunity. The National Crime Agency reported that 2017-18 was "punctuated by cyber attacks on a scale and boldness not seen before".[7]

Our SME and micro-business community is particularly at risk. Cyber attackers increasingly understand that SMEs typically have more digital assets than an individual, but less security than a large corporation. This can effectively put small businesses in cyber attackers’ "sweet spot", leaving them at higher than average risk for attack. Many of Scotland’s c. 340,000 micro businesses[8] operate on mobile devices, the security of which may be fundamental to those businesses’ continued operation.

The threat can be targeted or indiscriminate. Even where cyber criminals attempt to target specific organisations, the nature of the cyber threat is such that there can be significant unintended wider consequences. Businesses of all sizes in Scotland need to understand the risks they face, and be confident they can take proportionate action to mitigate them. The nature of the cyber threat is such that this action is most likely to be effective if private sector organisations commit to working together, both within the private sector and across the public and third sectors, to mitigate the cyber threat across Scotland. The greater the "herd immunity" to the cyber threat in Scotland, the more secure all businesses are likely to be.

(ii) Legislative changes and their potential legal, financial and reputational impact: The new GDPR and the Security of Network and Information Systems (NIS) Directive both come into force in May 2018, and in combination place new duties on private (and public and third) sector organisations to ensure the protection of personal data and the continuity of essential services reliant on network and information systems, and to report personal data/cyber security breaches. Private sector organisations subject to these provisions could face significantly increased administrative fines of up to £17 million for data breaches or cyber security failures leading to service failure. These legislative changes should drive greater awareness of the importance of cyber resilience and the need to have appropriate technical protections for personal data in place. The actions set out in this plan are aimed at supporting businesses to understand how better to comply with the cyber aspects of such legislative duties.

(iii) Economic opportunity. The flip side of these threats is that there is a significant economic opportunity for Scottish businesses, whether collectively or at an individual level, in working to become more cyber resilient. These opportunities include:

  • Avoidance of cost and disruption to business: We cannot fully evaluate the likely impacts of a large, global scale attack across public, private and third sectors but it is widely anticipated that there will be an attempt to achieve this in the near future. Available evidence suggests there would be significant short and longer term disruption across critical digital infrastructure and, as a result, serious disturbance to business activity which would affect us all. The NCSC has indicated publicly that the UK is likely to face its first major "category one" cyber incident in the next few years. (For the purposes of comparison, the WannaCry ransomware attack in May 2017 was a category two incident.) Lloyd’s of London has reportedly assessed that a serious cyber-attack could cost the global economy more than £92bn, which is as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy. This risk adds to the urgency with which all sectors need to review and address their security.

    Recent research by DCMS[9] found that four in ten of all UK businesses suffered a cyber breach or attack in a 12 month period. Nearly seven in ten medium/large businesses identified a breach or attack, while 42% of micro or small businesses identified a breach during the same period[10]. The research also showed that businesses holding electronic personal data on customers, and those that have staff using personal devices for work (BYOD) were more likely to have experienced cyber breaches than those that do not. Small businesses may face failure or bankruptcy as a result of ransomware attacks if they have not taken appropriate cyber security precautions. Insurers may also increase or reduce insurance costs depending on their assessment of a business’ vulnerability to cyber-attack.

    The NCSC notes that cyber criminals are becoming increasingly sophisticated, and are able to make judgements on "Return on Investment" when deciding whom to target and where – the harder the target, the smaller the ROI, and the less incentive there is to invest time and money in an attack on it. Making Scotland overall, and individual sectors and businesses within Scotland, more cyber resilient may therefore help tip the balance around these judgements in the future. This may be expected to bring economic advantage to Scottish companies through an ability to continue operations unaffected by common cyber attacks.
  • Productivity and business growth: As the digital economy matures, it is expected to lead to increased productivity and increased online trading. However, to take advantage of digital innovation, businesses and their employees must be able to operate confidently and safely in the digital world. Cyber resilience is fundamental to productivity and business growth – it supports companies to take calculated risks and should be at the forefront of new business development.
  • Reputation: As citizens’ understanding of the cyber threat increases, and as the profile of cyber attacks and data breaches continues to rise, the importance that consumers, investors, insurers and others place on cyber resilience is likely to increase. Being able to demonstrate that cyber security is taken seriously – that services and customer data are protected and resilient – will become increasingly important to a business’ reputation, which in turn may impact on overall performance.
  • Inward investment and exporting: More broadly, Scotland has an ambition to become a world leading nation in cyber resilience. An ability to demonstrate that Scotland has strong levels of overall cyber resilience across its private, public and third sectors could become an increasingly important factor in attracting international investment and the development of a cyber security cluster in Scotland. The presence of a vibrant cyber security cluster within Scotland should be to the benefit of all businesses in Scotland, and will assist in keeping in-demand talent and skills close to home and producing the goods and services that Scottish businesses and public bodies need to be cyber resilient. Demand in the world wide security service industry is currently outstripping supply, providing Scotland with an opportunity also to sell goods and services worldwide. Our learning and skills action plan has set out proposals to ensure a strong talent pipeline is in place in Scotland.
  • Seizing the economic opportunity: The IT Security industry is fast moving and dynamic. Other countries are already moving to seize the economic opportunity that an increased focus on cyber resilience offers, and major operators are currently exploring a range of potential bases to locate future developments. The NCRLB private sector lead representatives have made clear their view that if Scotland does not move at pace to realise the economic opportunities presented by work on cyber resilience, it risks losing out to competitors. This only adds to the urgency for implementation of this action plan, the need for momentum to be maintained, and appropriate support (including funding) from government and industry.

    As noted earlier in this plan, a separate economic opportunity action plan focused on how to seize fully the economic opportunities presented by the achievement of fundamental cyber resilience, and take a visible, global role in thought-leadership, research, development and innovation relating to cyber resilience, is under development and will be published later in the year.

12. Against this background, the NCRLB has articulated its view that Scotland’s private sector must make demonstrable progress towards establishing fundamental standards of cyber resilience that are in line with world-leading nations. Cyber resilience should be seen as just as fundamental to business practice standards in Scotland as health and safety currently is.

13. The NCRLB emphasises that cyber resilience is as much a cultural issue as a technical one. They view it as vital that Scotland’s private sector organisations understand and manage the cyber threat at Board/owner level, and take action to promote a culture of cyber security at all levels of the organisation (the Cyber Resilience Learning and Skills Action Plan sets out the actions we will take to achieve this transformational cultural change through our systems of formal and informal learning in Scotland). The NCRLB views it as being vitally important that smaller businesses are supported to understand and manage the threat in an appropriate and proportionate way – a one-size-fits-all approach to cyber resilience in Scotland’s private sector is not desirable.

Current levels of cyber resilience in Scotland’s private sector

14. Currently, we do not have a comprehensive picture of the state of cyber resilience across the Scottish private sector. Work is ongoing to build a strong understanding of the cyber resilience of private sector Critical National Infrastructure (CNI), in support of UK-level work on CNI. Achieving a greater understanding of private sector cyber resilience beyond CNI areas will be important to our ability to establish a baseline and measure progress over time. Key Action 3 in this action plan proposes work that may include improved mapping of the cyber-specific interdependencies between strategic companies in Scotland and other parts of the private, third and public sectors, with a specific focus on identifying ways of strengthening the overall cyber resilience of Scotland at a systemic level. Key Action 8 sets out a commitment to develop appropriate monitoring arrangements on the basis of existing and future information sources, to improve our understanding of the extent to which good cyber resilient behaviour is being adhered to across the Scottish private sector.

15. Many larger companies operating in Scotland are already compliant with the highest levels of cyber security and regularly report on this to shareholders and regulators (e.g. the FCA). There is important work being done by the UK and Scottish Governments, and regulatory bodies, to improve the cyber resilience of key private sector Critical National Infrastructure in areas such as energy, civil nuclear, finance, transport and communications. Scottish Local Authorities and Business Gateway have also been undertaking work to improve the fundamental cyber resilience of mainstream companies, although anecdotally there is significant work to do to ensure even some of Scotland’s largest private sector organisations meet appropriate standards of cyber resilience. The introduction of UK legislation to implement the EU NIS Directive from May 2018 will see the establishment of Competent Authorities to oversee the cyber resilience of Operators of Essential Services in some key sectors, adding further weight to these efforts.

This plan proposes further work on a cross-sectoral basis to help support and complement these activities, by working in partnership with key private sector companies in a "cyber catalyst" group (see Key Action 5).

16. At the SME level, there is wide variation in the ability of Scottish companies to ensure their own cyber resilience, although it is clear that the majority do not have access to the resources or expertise that larger corporates can draw on. Federation of Small Business (FSB) representatives have noted that SMEs struggle to understand and implement the very wide variety of advice currently available on what to do to become more cyber resilient. This plan proposes work to improve systems of advice and support, which will include promotion of simple, straightforward, authoritative messages that are relevant to small businesses, helping raise awareness and promote better cyber resilience practice across Scotland’s private sector (see Key Action 4).

There has been financial encouragement (£1,500 grants) through the Digital Scotland Business Excellence Partnership for 200 SMEs to become Cyber Essentials certified – in 2016 Scotland was the only part of the UK providing this initiative. Key Action 6 sets out proposals for a modified version of this scheme to be continued, drawing on learning from the initial phase.

17. A number of mechanisms exist to encourage the sharing of threat intelligence across the Scottish and wider UK private sector. The financial sector has relatively well developed forums for sharing such intelligence with trusted partners. The NCSC has worked with industry to set up the Cyber Security Information Sharing Partnership (CiSP) to provide a secure environment in which to share cyber threat intelligence, increasing situational awareness and reducing the impact on businesses across Scotland and the rest of the UK. The Scottish Government has used National Cyber Security Programme funding to support a CiSP (and Cyber Essentials) coordinator role, located within the Scottish Business Resilience Centre (SBRC), to promote membership of CiSP, including in the private sector. Since the coordinator was appointed in November 2016, active membership of SciNet (the Scotland-specific area of CiSP) has increased from 122 to 307, an increase of 152%. This makes SciNet the largest geographical group on CiSP within the UK, and the second largest private membership group overall at the time of writing. Activity to promote increased active Scottish private sector membership of CiSP, with a goal of ensuring our businesses are better informed around the cyber threat, will be supported by this plan.

18. There is only limited information at present on the levels of cyber security accreditation achieved across different sectors in Scotland. Some larger companies are accredited to relatively sophisticated standards such as ISO 27001/2, although there is no publicly available central registry to make clear which companies have achieved this, and to which parts of their networks such accreditation applies (companies holding such accreditation often choose to advertise their compliance for business/reputational purposes). Uptake of the NCSC-endorsed Cyber Essentials[11] scheme in Scotland’s private sector is improving. As of May 2018, 426 live Cyber Essentials certificates and 62 live Cyber Essentials Plus certificates have been issued in Scotland. Those figures represent a 78% and a 265% increase respectively over the 12 months from May 2017 (a 91% increase for both types of certificate combined). The number of Cyber Essentials certifying bodies in Scotland is increasing[12]. These figures suggest growing awareness of the scheme and the importance of the good practice it promotes amongst organisations in Scotland.

Scottish public sector organisations do not currently require the adoption of certification such as Cyber Essentials by private and third sector organisations wishing to do business with them (the UK Government currently mandates this only if bidding for central government contracts which involve handling of sensitive and personal information and provision of certain technical products and services). The practice of private sector organisations with extensive supply chains in Scotland varies significantly, with no consistent approach currently in place (although there is effectively much commonality of approach). Implementation of the NIS Directive, and NCSC technical guidance in respect of supply chain security, may assist with developing greater consistency in the key sectors it covers.

Both this plan and the Public Sector Action Plan on Cyber Resilience[13] propose work to help improve the uptake of appropriate cyber security accreditation/certification across Scotland’s private sector, particularly in respect of Cyber Essentials and Cyber Essentials Plus. This work includes proposals to develop appropriate, proportionate, more aligned supply chain procurement policies in respect of cyber security accreditation/certification.

On the basis of all this activity, we aim to at least double the number of organisations across the public, private and third sectors holding Cyber Essentials or Cyber Essentials Plus certification in Scotland during Financial Year 18-19. (See Key Actions 2 and 4 to 6.)

19. There is currently a lack of a clear framework or pathway for Scottish private (and public and third) sector organisations to work within and towards when managing the cyber risk, providing assurance and opportunities for benchmarking. Feedback suggests this is particularly problematic for SMEs, who lack the resources that large companies have to make sense of the many different existing standards. Cyber Essentials and Cyber Essentials Plus offer a clear entrance point – however, even these may be beyond the initial reach of some micro businesses who have yet to achieve even a basic understanding of the cyber threat. Scottish private sector organisations have indicated that achieving greater clarity on a progressive cyber threat management model beyond Cyber Essentials, towards more sophisticated measures thereafter, would be helpful.

Such a framework or pathway would need to have a particular emphasis on supporting SMEs to understand the cyber risk and what options they have to manage it on a progressive basis. It must encompass standards or guidance that, at more sophisticated levels, ensure a robust, holistic, effective approach to cyber resilience, avoiding "checklists" and encouraging the management of cyber security with a multi-layered approach that encompasses people, processes and technology. It must also be adaptable to ensure it keeps up with fast-paced technological change and emerging threat. This action plan sets out proposals for the Scottish Government and the NCRLB to work with key private sector organisations, and key partners such as the NCSC, to explore the potential for the development and endorsement of such a framework or pathway, making it easier for our businesses (especially SMEs) to understand the cyber threat and work progressively towards more sophisticated ways of managing it. (See Key Action 2)

20. Some private sector partners have argued there is currently a need for a more integrated, joined-up, national level approach to the cyber resilience of Scotland’s private sector. This action plan proposes that consideration of this issue be undertaken in partnership with private sector cyber catalyst organisations, with a view to shaping recommendations to the Scottish and/or UK Governments. (See Key Actions 4 and 5)

21. Other private sector partners have argued that in the longer term a more fundamental approach to cyber security is required, treating digital communications services similarly to the way in which other utilities in Scotland and the rest of the UK are treated. Consideration will be given to undertaking initial research into this area through the SICSA Cyber Nexus and/or alternative expert groups, and identifying any resulting potential opportunities for Scotland.
