Cyber Resilient Scotland - strategic framework: action plan 2025-2030

Sets out the key actions during 2025 to 2030 to deliver the priorities set out in the strategic framework for a Cyber Resilient Scotland.


Outcome 5

Businesses recognise the cyber risks and are well prepared to manage them

5.1 Positioning Cyber Risk and Assurance as a Leadership Priority

Business leaders ensure that cyber risk and assurance are embedded in strategic planning and at board level, and that they drive a culture of cyber resilience throughout the business.

The CyberScotland Partnership will:

5.2 Embedding Cyber Resilience into Governance

Businesses integrate relevant cyber security standards, regulations and compliance into governance, business risk management, planning and operations.

The CyberScotland Partnership will:

  • encourage private sector organisations to embed cyber resilience into their governance arrangements so decision makers are equipped to manage cyber risk
  • support private sector organisations to assess and improve their cyber resilience maturity, including through NCSC’s Cyber Action Toolkit
  • promote the UK Government’s Cyber Governance Code of Practice to all private sector organisations
  • encourage adoption of Cyber Essentials and Cyber Essentials Plus as baseline protection, using the Cyber Action Toolkit as a pathway
  • build awareness of emerging risks linked to new technologies (e.g. AI, machine learning, IoT, quantum technologies).

ScotlandIS and other CyberScotland partners will:

  • promote the ScotlandIS Cyber Directory and ITMS Directory as the central source for Scotland-based cyber products and services across the private sector.

5.3 Ensuring Incident Readiness

Businesses regularly test and exercise incident response plans and recovery capabilities.

The SG NCRU and other CyberScotland Partners will:

  • encourage private sector organisations to test and exercise their incident response arrangements regularly against a range of cyber incident scenarios, including through tools such as the open‑source TTX Gym and NCSC’s exercising resources
  • promote NCSC incident response and recovery guidance.

5.4 Addressing Legacy Systems

Businesses identify and manage risks associated with legacy systems. Where feasible, they implement mitigation measures or plan system upgrades to reduce exposure to cyber threats.

The CyberScotland Partnership will:

  • encourage private sector organisations to review their legacy systems and manage them as part of overall business risk
  • encourage private sector organisations to adopt short-term mitigations for legacy vulnerabilities and long-term replacement with secure-by-design and secure-by-default systems
  • promote NCSC guidance to help organisations design, review and secure the connectivity within and to their Operational Technology (OT) systems
  • promote NCSC device security guidance to help organisations manage device security and reduce risks from obsolete or unsupported technologies.

5.5 Using Trusted Tools

Businesses use proven security solutions, including NCSC’s Active Cyber Defence services.

SG NCRU and other CyberScotland Partners will:

5.6 Raising Workforce Awareness

All staff, at every level, demonstrate strong cyber resilient behaviours and know where to go to access the appropriate advice, guidance and support.

The CyberScotland Partnership will:

  • signpost staff to authoritative cyber resilience resources and training via the CyberScotland Portal and the NCSC website.

Private sector organisations will:

  • provide relevant cyber resilience training and awareness raising for staff at all levels of the organisation.

5.7 Reporting Cyber Incidents

Businesses report cyber incidents to Police Scotland, the NCSC and the ICO, where appropriate.

Private sector organisations will:

  • report cyber incidents to Police Scotland (via 101) and to NCSC through the Report a Cyber Incident service
  • notify relevant regulatory authorities, such as the ICO, of cyber security incidents within the required timescales.

5.8 Securing the Supply Chain

Businesses manage and actively monitor third-party risks.

The CyberScotland Partnership will:

  • encourage businesses to assess the cyber resilience of their supply chains and adopt secure-by-design principles
  • promote NCSC supply chain security guidance to help businesses improve their awareness of supply chain security
  • encourage businesses to embed appropriate cyber assurance into procurement and contract management.

5.9 Building Professional Capability

Businesses develop their professional cyber security capabilities through clear entry points, training and career progression pathways.

The CyberScotland Partnership will:

  • encourage businesses to support the continuous professional development of their cyber security workforce
  • promote the value of professionalising the cyber security workforce and raise awareness of the UK Cyber Security Council, creating opportunities for the Council to engage with practitioners in Scotland
  • provide employers with practical guidance to attract, recruit and retain diverse cyber talent by identifying and removing barriers and biases, including those affecting women and those with disabilities.

5.10 Strengthening Cross-Sector Collaboration

Businesses, government, academia and industry continue to build stronger partnerships to improve incident response and share knowledge, innovation and expertise.

The CyberScotland Partnership will:

  • strengthen partnerships between the private sector, public sector and academia by sharing knowledge, innovation and expertise, and collaborating on awareness and delivery alignment
  • collaborate on the development and exchange of briefing materials for the private sector
  • promote the use of the CyberScotland Portal for signposting resources, good practice guidance and support to private sector organisations.

Contact

Email: CyberResilience@gov.scot