Safe, secure and prosperous: a cyber resilience strategy for Scotland
Our cyber resilience strategy support the development of a culture of cyber resilience in Scotland.
Section 2 - Becoming Cyber Resilient
This section covers:
What is our vision?
What are the guiding principles of the strategy?
Who needs to be involved?
How can we build cyber resilience?
The Scottish Government has worked with a broad community  to develop this strategy and, having consulted widely, has concluded that Scotland can be a world leader in cyber resilience and be a nation that can claim, by 2020, to have achieved the following outcomes:
- our people are informed and prepared to make the most of digital technologies safely
- our businesses and organisations recognise the risks in the digital world and are well-prepared to manage them
- we have confidence in and trust our digital public services
- we have a growing and renowned cyber resilience research community
- we have a global reputation for being a secure place to live and learn, and to set up and invest in business
- we have an innovative cyber security, goods and services industry that can help meet global demand.
Improving Scotland's cyber resilience will contribute to many of the outcomes in the National Performance Framework, in particular:
- we live our lives safe from crime, disorder and danger
- we live in a Scotland that is the most attractive place for doing business in Europe
- our young people are successful learners, confident individuals, renowned for our research and innovation
- our public services are high quality, continually improving, efficient and responsive to local people's needs
Improvements in cyber resilience also play an important role in achieving the ambitions of Scotland's Economic Strategy by helping Scottish businesses increase their competitiveness, protect their intellectual property, succeed at a global level and tackle inequality through helping all people become resilient when using online digital technologies.
This strategy is underpinned and inspired by the following guiding principles:
A respect for rights and values. Everything we do will enshrine the rights and values contained within the European Convention on Human Rights and the Commonwealth Charter. We are committed to transparency and accountability in government, reducing inequality and promoting sustainable economic development.
National and local leadership. The scope and complexity of the cyber resilience challenge requires clear national and local leadership, coordination of capabilities and responsibilities. This should be aligned with a focus on:
- improving the welfare and safety of Scotland's people
- building our economy
- inspiring us all to benefit from digital connectivity
Personal and shared responsibilities. We are all users of technology and we all have a responsibility to take steps to protect ourselves, our families, our organisations, our customers and service users online. Working together we can create a safer online environment in which we are open to sharing knowledge, skills and effective practice.
Promoting digital inclusion. Activity to build cyber resilience should at the same time promote digital inclusion and ensure that vulnerable people currently excluded from these opportunities can make the most of technologies safely.
Contributing to global citizenship. Cyber threats are a global issue and tackling it is part of Scotland's efforts to contribute as a good global citizen. Our endeavours will be aligned with UK, European and international partners.
Who needs to be involved?
Government alone cannot build the cyber resilience of a nation. Cyber resilience is a shared responsibility. The Scottish Government intends to take the lead and will encourage and engage with all sectors to promote and build a cyber resilient nation.
Everyone has a responsibility to safeguard themselves and their families online, just as they would safeguard themselves, their homes and their businesses from traditional criminal threats.
Stakeholders within the public, private and third sectors are asked to consider this framework in the context of their own settings, and embed cyber resilience within their own strategic and operational plans.
This strategy is for:
•Policy makers - at local and national government level.
The strategy demonstrates the importance of cyber resilience across all policy areas. It is dependent on and, in turn, supports many other national strategies and programmes, including:
- Scotland's Economic Strategy
- Scotland's Digital Future
- Scotland's Serious Organised Crime Strategy
- Digital Justice Strategy
- Curriculum for Excellence
- e-Health Strategy
- Equally Safe
- The forthcoming Resilience Strategy
Cyber risks will continue to grow across all parts of society, and therefore policy makers should refer to this strategy when developing, implementing and reviewing policies, strategies and initiatives of their own.
The Scottish Government is responsibile for driving forward this strategy. Policy makers are responsible for ensuring that all relevant stakeholders are included in, and can actively contribute to, the implementation of measures within the strategy.
Who needs to be involved
- Public sector partners such as:
- Education Scotland
- Highlands and Islands Enterprise
- local authorities
- NHS Scotland
- Police Scotland
- Scottish Enterprise
- Scotland's colleges
- Scotland's universities
- Skills Development Scotland
These and other public sector organisations play central roles in reaching individuals, families and businesses. They are essential partners in leading education and prevention activity to ensure our collective cyber resilience.
- Representative bodies of business and industry such as Chambers of Commerce, Federation of Small Businesses, Scottish Council for Development and Industry and The Confederation of British Industry Scotland have an important role to play to ensure businesses and employees are cyber resilient.
- Private sector organisations play a crucial role in ensuring that the cyber risk is regarded as being as important as any other business risk.
- Third sector organisations are well placed to support families and communities to become more cyber resilient and can often reach the most vulnerable in our society. Third sector organisations are increasingly providing digital services and can themselves be vulnerable online, so there is a need to build their own cyber resilience.
How can we build cyber resilience?
Achievement of the desired outcomes of the strategy will require effective leadership at national and local levels. With its partners the Scottish Government commits to advancing research and innovation, developing education and skills and providing clear communication and public awareness.
The Scottish Government, its agencies and partners, will work together to implement this strategy, focusing on four strategic themes:
- Leadership and Partnership Working
- Awareness Raising and Communication
- Education, Skills and Professional Development
- Research and Innovation
Theme 1: Leadership and Partnership Working
Becoming more cyber resilient requires a sustained and collaborative effort. The Scottish Government will provide a framework that it and its partners can use to coordinate and evaluate the implementation of the strategy. It will encourage stakeholders to embed cyber resilience in their strategic and operational plans. It will continue to work closely with the UK and other governments on cyber resilience and security matters.
Cyber resilience must be regarded as a crucial aspect of business operation and continuity. Public, private and third sector leaders play a vital role in embedding cyber resilience within their own settings.
The Scottish Government intends to demonstrate its commitment to cyber resilience and to lead by example. It will implement cyber resilience arrangements within its own systems to build trust with citizens and businesses. It will work in partnership with the public sector to develop cyber resilience as part of a shared responsibility. The transformation involved in moving to a "digital first" approach for public services goes far beyond the technology which supports these services. Resilience needs to apply to people, processes and technology in every business function and needs to be factored in to all aspects of the design of new digital services.
The high-level priority actions under Leadership and Partnership Working are:
|Priority Actions||Scottish Government||Public Sector||Private Sector||Third Sector|
|1.Establish a strategic governance group under Scottish Ministers to oversee the effective implementation and evaluation of the strategy|
|2.Incorporate cyber resilience into all national and local government policies|
|3.Ensure board/executive level commitment to cyber resilience|
|4.Develop cyber incident reporting measures and link to wider ICT/digital and business continuity plans|
|5.Define the standards relating to cyber resilience for public sector procurement of goods and services|
|6.Ensure the safety and security of online shared services systems|
|7.Embed cyber risk and resilience assessments when developing new products, services and processes|
|8.Consider shared development or procurement of cyber resilient systems and tools for public sector|
Leading by example
The Scottish Government: Cyber Resilience in the Public Sector
To achieve outcome 3: We have confidence in and trust our digital public services, the Scottish Government, in collaboration with key public sector partners, has begun the process of preparing an action plan.
A working group has been established and is using the strategy to begin developing specific actions that the public sector can take forward.
The Scottish Government is committed to implementing cyber resilience arrangements within its own systems with the aim of building trust with citizens and businesses and working in partnership with the public sector, to develop cyber resilience across all our public services as part of a shared responsibility.
Anne Moises, Scottish Government's Chief Information Officer is leading the public sector towards this transformation:
"It is clear that the transformation involved in moving to a digital first approach for public services goes far beyond the technology which supports those services. It is vital that the people, processes and technology within the public sector become more resilient.
"Resilience needs to apply to the essential infrastructure in nearly every business function and we need to ensure that resilience is factored into all aspects of the design of new digital services. The infallible prevention against cyber threat is not achievable and so the focus moves to detection, rapid response and recovery. We need to imagine the unexpected, plan for it and practise our response. We will do this by ensuring that cyber resilience scenarios and cyber incident response plans are regularly reviewed, tested and exercised."
The Digital Champions Development Programme has been developed by the Scottish Government to inspire leaders about the transformational potential of digital tools and technology, and to give them the confidence to take action to release that potential. The programme includes aspects of cyber resilience. More information on:
Theme 2: Awareness Raising and Communication
What we do online has the potential to affect everyone - at home, at work and around the world. Taking a preventative approach and getting the cyber basics right goes a long way towards being safe and secure online and getting the most from being online. It is important that we foster a culture of cyber awareness and readiness among individuals, families, communities and organisations across Scotland, so that they can protect themselves online.
The take-up of even relatively simple measures to improve personal cyber resilience is low in Scotland. Just 1 in 12 claim to regularly install software updates; fewer than 1 in 10 password protect their mobile devices; and only 13% check that a website is secure ( e.g. closed padlock symbol) before divulging information. Simple measures can prevent or minimise threats. See Annex C on getting the basics rights for individuals and enterprises.
There is a wealth of well-intended advice and guidance available, so much so that it can be confusing. It is important that cyber resilience messages are communicated in the right way for different audiences. For example, we may talk in terms of "online" and "mobiles", rather than "cyber". Different organisations are well placed to develop specific messages and use the most appropriate language to reach different parts of society, including children and the most vulnerable.
Sharing information on cyber threats and vulnerabilities across sectors will also help us to better manage, respond to and move on from cyber incidents. For example larger industry leads can share their knowledge and expertise with SMEs. The Scottish Business Resilience Centre is a leading organisation providing innovative approaches to building cyber resilience amongst the SME community.
The high-level priority actions under Awareness Raising and Communication are:
|Priority Actions||Scottish Government||Public Sector||Private Sector||Third Sector|
|1.Assess existing awareness raising programmes and identify whether there are gaps that should be addressed by further campaigns|
|2.Develop specific and appropriate awareness-raising activity for a range of audiences|
|3.Establish a cyber resilience network to share evidence of what works|
|4.Establish a central gateway for trusted advice and guidance to citizens and businesses|
|5.Assure the public around the safe use of digital public services|
|6.Encourage the sharing of information relating to cyber incidents, threats and vulnerabilities across sectors|
|7.Develop methods on how to measure impact|
Scottish Cyber Information Network ( SCiNET)
SCiNET is a secure online information sharing platform and a joint collaboration between industry and government to share cyber threat and vulnerability information and to raise awareness of how to respond to a cyber incident.
Owned by Cert UK*, Scottish businesses can:
- obtain early warning of cyber threats
- learn from the experiences, mistakes and successes of other users without fear of exposing organisation sensitivities
- engage with industry, government and law enforcement counterparts in a secure environment
- seek advice from other members
- participate in the building of pooled knowledge with access to UK wide fusion cell outputs/information
"With the ever evolving cyber threat landscape, SCiNET provides Scottish businesses with an online resource to share threat information in real time and with key partners in business and academia. This kind of partnership has the ability to turn the ever-evolving cyber security landscape into a significant opportunity, not only to protect but to grow an industry sector that can be of major benefit to the Scottish economy and the people of Scotland."
DCC Iain Livingstone, Police Scotland
* CERT UK: the UK National Computer Emergency Response Team, formed in March 2014 in response to the UK's National Cyber Security Strategy.
Theme 3: Education, Skills and Professional Development
Education and training, alongside activity to raise awareness, are critical to changing behaviour and making us more effective in the way we engage with digital technologies. They are also key to having enough cyber professionals to effectively prevent or deal with cyber crime.
Every child, young person and adult must have the cyber resilience skills for learning, life and work - to be able to protect themselves online and achieve the full benefits of a digital economy.
In learning settings, relevant curricula should drive the development of skills which will help learners to become more cyber resilient.
Most jobs require knowledge, understanding and skills in digital technology, and this will only continue to grow. Training in all vocational areas, not just digital occupations, must include learning outcomes related to cyber resilience.
If we are to succeed in integrating cyber resilience at all ages and stages of education, from pre-school to post-employment, we need to ensure that our teachers and trainers have the skills, knowledge and understanding to teach cyber resilience. Appropriate learning materials and guidance are required for educators, in both formal and non-formal learning contexts.
It is crucial that we continue to develop and retain cyber expertise in Scotland to ensure we continue to prosper.
The high-level priority actions under Education, Skills and Professional Development are:
|Priority Actions||Scottish Government||Public Sector||Private Sector||Third Sector|
|1.Map existing cyber resilience skills across learning settings to identify gaps|
|2.Explore opportunities to embed cyber resilience into curricula in all learning settings|
|3.Introduce cyber resilience into workplace learning and development|
|4.Explore ways to embed cyber resilience into teacher training|
|5.Grow the number of apprenticeships in cyber security and resilience|
|6.Explore ways to develop and retain cyber expertise in Scotland|
National Progression Awards in Cyber Security
The first school-based national qualifications in cyber security have been developed by the Scottish Qualifications Authority. The National Progression Awards in Cyber Security at SCQF levels 4, 5 and 6 provide foundation knowledge and skills in data security, digital forensics and ethical hacking - and provide a skills pipeline into the cyber security industry.
The aim of the awards is to produce knowledgeable and skilled individuals who are aware of the potential misuses of, and unauthorised access to, computer systems but who use these competences for legal and ethical purposes.
The qualification is available through schools, colleges and training providers. More information is available at - http://www.sqa.org.uk/sqa/74738.html
Schools and Police Scotland working together for a safe online experience
First year pupils at Kyle Academy in Ayr piloted The Cyber Badge - a 12-week course on cyber security.
The Cyber Badge, developed with Police Scotland and Scottish Universities, focused on:
- password security
- online bullying
- computer crime
- social networking
Learners get the chance to take their knowledge home, discovering how much (or little!) their parents and carers know about online security and then helping them to become more cyber resilient.
The Cyber Badge, with support from Education Scotland, is now being promoted to schools throughout Scotland.
Theme 4: Research and Innovation
Effective coordinated research will ensure Scotland's place at the forefront of cyber resilience.
There is currently limited information on cyber resilience in Scotland, including the cost of cyber crime. First and foremost, we need to establish a baseline from which we can measure progress in cyber resilience. Researchers should consider how they can boost existing UK and global data for Scotland's needs and interests.
Ongoing commitment to research will ensure our knowledge and understanding remains fit for purpose. Collaborative research and sharing effective practice across Scotland and other countries will help us stay at the forefront of this rapidly evolving issue. In turn, this will help inform the development of new and innovative technologies and practices. The Higher Education sector has a key role to play in this effort.
Innovation is in Scotland's DNA and there is a real opportunity for us to be global innovators in this field. Universities are producing outstanding graduates in the digital design, ethical-hacking and forensic fields, and it is vital that we grow, nurture and keep these skills in Scotland.
The high-level priority actions under Research and Innovation are:
|Priority Actions||Scottish Government||Publi Sector||Private Sector||Third Sector|
|1.Establish a coherent and sustainable approach to research|
|2.Establish a baseline to identify the economic, societal and individual impacts of cyber crime|
|3.Improve the sharing of research to develop our knowledge and understanding to help us become more effective in building cyber resilience|
|4.Establish a baseline to identify current levels of trust and confidence in digital public services|
|5.Develop new and innovative ways to help businesses and organisations become more cyber resilient|
|6.Learn from other nations and share information to combat cyber crime|
The Cyber Academy at Napier University is a partnership between academia, law enforcement, industry and the public sector. It aims to integrate academic and professional practice, support innovation in cyber security, and provide access to members to an advanced and virtualized training infrastructure for both evaluation and training.
Royal Academy of Engineering ( RAE) Industrial Secondment Scheme
The consequence of being a one-person business is often not having the expertise to adequately secure business information. Sole traders are less likely to have the capacity to employ someone to take care of their digital security. Often, reliance on smartphones means that the long-term survival of their business depends on a portable device that needs to be secure and resilient.
Funded by the RAE, Karen Renaud of the University of Glasgow will spend a year working with the Scottish Business Resilience Centre and strategic partners on a collaborative research project to:
a) understand the particular needs of solo- SMEs with respect to security in their businesses
b) develop an information security pack for solo- SMEs, to support them in improving their cyber security
c) put in place measures to support the launch of a support community
Case Study 1
Individual: Online Shopping Fraud
One of the most popular online auction and shopping websites offers people and businesses a virtual marketplace to buy and sell a broad variety of goods and services worldwide. The website is free to use for buyers, but sellers can be charged for listing items and again when those items are sold.
A man from Stirling was searching for a motorhome on the site when he found a listing that fitted his criteria located in Aberdeenshire. The listing had five days to run so the user sent a message to the seller asking if he could arrange to view the motorhome. The seller claimed to be working away from home and as a result this would not be possible before the auction ended. The listing only offered a few photographs of the van but during a message exchange through the system more details of it were given.
The buyer was cautious as the seller did not have any online selling history but he had stated he'd only joined the site to sell the item on behalf of an aging relative who was uncomfortable with technology. Although the buyer had stated they preferred to use cash, the seller indicated that he would prefer a deposit by bank transfer to secure the deal. The seller provided bank details which showed a London bank and an Eastern European name as the account holder. After doing some research the buyer found some identical photos of the motorhome in a trade magazine. It quickly became apparent that the seller had set up a fraudulent transaction.
The consequences and being cyber resilient
The lack of the seller's trading history, their unwillingness to allow a view before the sale, and the unusual bank details made the buyer cautious which subsequently saved them a huge loss of money.
Case Study 2
This hairdresser uses specifically designed software that holds clients details, appointments and marketing information.
When the manager started his computer, he was confronted with a poorly written ransom note in the form of an electronic notepad document left by hackers saying that they had encrypted "all your important data" and that if they wanted data back, they needed pay a ransom.
Ransomware is a type of virus that prevents or limits users from accessing their system. The victims are then forced to pay the ransom through certain online payment methods in order grant access to their systems, or get their data back. The business paid the 1,000 Euro ransom and were given a keycode to unlock his information, only to find that the majority of information was corrupted.
A full year's worth of data and information which was critical to the business was lost. The attacked systems contained appointments, salary information, customer history, shares information and marketing data. As the appointment details had been lost, the hairdresser wasn't able to plan effectively: they didn't know which clients were coming in nor had they their contact details.
Becoming cyber resilient
The hairdresser is now looking into backing up all data, including using removable back up devices.
The salon is approaching the developer and supplier of the software to ask them to investigate if there are any vulnerabilities in their software.
Case Study 3
Medium-Sized Business: Cyber and Data Breach in a Legal Practice
This practice operated with three Microsoft Windows servers that were not fully managed by their external contractor for cost reasons. All business data was backed up to an old tape drive on a daily basis but there had been no testing of the ability to recover the data. The business had limited spare capacity within their IT service architecture. Whilst anti-virus software was installed, this was not centrally managed and all users had administrative access to their computers allowing them control over the installed solution. There was no perimeter firewall appliance on the network and there was no content filtering on internet and email activity. The business had looked at business continuity but had not addressed the risks from IT believing that the risk and impact to the practice was low on IT dependency.
Becoming cyber resilient
Following a data breach, the practice recognised the need to address data security and business continuity risks due to the impact this had on the practice. The data breach was socially engineered and took advantage of a weak password policy and unnecessarily elevated operating permissions of users. The data breach itself cost the practice over £250,000 in immediate remedial activities and addressing the disclosure of data. The practice was heavily disrupted operationally for five days whilst systems were made secure ahead of the longer-term planned security measures. The practice implemented the following to reduce the chance of this happening again:
- trained staff on cyber security
- installed and maintained a managed firewall appliance
- installed a fully managed anti-virus solution
- content filtered Internet and email activity
- implemented password policies for all users
- removed administrative access from all users
- implemented change management processes to reduce security principle failures
- implemented data backup procedures that tested recovery
- implemented business continuity for loss of access to IT systems
- implemented a process of carrying out external and internal penetration testing
The cost to the practice for the remedial work and the follow up actions was in the region of £100,000.
The benefits of being cyber resilient
The work carried out provided higher levels of confidence of their data systems. It also built up the confidence of both the practice and clients in that the business would be able to handle most unplanned situations whilst managing cyber and data security.
Case Study 4
The company designs, manufactures and installs building steelwork framework for the building industry. The company uses Computer Numerical Control ( CNC) operated cutting, drill and punching equipment as part of the manufacturing process. The CNC equipment is connected directly to the drawing office through the business network which prepares the models using the latest in 2D and 3D software to ensure maximum efficiency and accuracy in their business process.
The business suffered a minor security breach in the office that resulted in multiple drawing model files being corrupted before being transmitted to a CNC drilling machine. The corruption resulted in major project delay as it was not identified until the steelwork was onsite and being assembled. The required secondary fabrication cost the business over £1,250,000 for manufacturing, crane rental and missed contract deadlines with clients.
The root cause of the failure was down to weak security policies between the drawing office and the shop floor. It was also identified that poor patch managemen  by the CNC equipment manufacturer left a number of risks open.
Becoming cyber resilient
The business put new processes in place. It implemented an internal firewall appliance to isolate the shop floor equipment from each other to mitigate the risks of poor patch management by the manufacturers. The firewall appliance was also used to isolate the shop floor from all but authorised traffic from the drawing office with the security software installed on the office computers reconfigured to control the network traffic on the network as a whole. Change control processes were put in place to ensure that any change in the network configuration did not break the security principles of the network design.
Whilst the insurance company underwrote the costs of the claim for the data breach and the associated ongoing costs as a result of the breach, insurance premiums where increased considerably. In addition to this increased premium, the business needed to invest an unplanned £28,000 to complete forensic analysis and secure their network.
There is a problem
Thanks for your feedback