Cyber Resilient Scotland - strategic framework: action plan 2025-2030

Sets out the key actions during 2025 to 2030 to deliver the priorities set out in the strategic framework for a Cyber Resilient Scotland.


Outcome 6

Third sector organisations recognise the cyber risks and are well prepared to manage them

6.1 Positioning Cyber Risk and Assurance as a Leadership Priority

Third sector leaders ensure that cyber risk and assurance are embedded in strategic planning and at board level, and that they drive a culture of accountability and resilience throughout the organisation.

SCVO and other CyberScotland Partners will:

Third sector organisations will:

  • designate a board member or senior leader responsible for overseeing cyber resilience within the organisation
  • foster a culture of accountability and resilience
  • keep up to date with common threats to inform risk management and mitigation.

6.2 Embedding Cyber Resilience into Governance

Third sector organisations integrate relevant cyber security and resilience standards, regulations and compliance requirements into governance, business risk management, planning and daily operations.

Third sector organisations will:

  • embed cyber resilience within their governance structures, managing cyber risk as part of overall business risk and strategic planning
  • incorporate cyber resilience principles, including the Cyber Governance Code of Practice, into their operational policies and processes
  • adopt trusted mechanisms to gain assurance that their digital systems and data are protected.

SCVO and other CyberScotland Partners will:

  • support third sector organisations to assess and improve their cyber resilience maturity, including through NCSC’s Cyber Action Toolkit
  • encourage adoption of Cyber Essentials and Cyber Essentials Plus as baseline protection, using the Cyber Action Toolkit as a pathway.

Third sector advisory and regulatory bodies will:

  • promote the ScotlandIS Cyber Directory and ITMS Directory as the central source for Scotland based cyber products and services across the third sector
  • include cyber and risk information within their guidance and support broader cyber awareness across the sector.

6.3 Ensuring Incident Readiness

Third sector organisations have robust incident response capabilities and regularly test and exercise them.

Third sector organisations will:

  • implement appropriate protective measures to strengthen their cyber security posture
  • regularly test and exercise their incident response arrangements against a range of cyber incident scenarios, including through tools such as the open-source TTX Gym and NCSC’s exercising resources
  • use NCSC’s incident response and recovery guidance.

6.4 Addressing Legacy Systems

Third sector organisations identify and manage risks associated with legacy systems. Where feasible, they implement mitigation measures and/or plan system upgrades to reduce exposure to cyber threats.

SCVO and other CyberScotland Partners will:

  • promote NCSC device security guidance to help organisations manage device security and reduce risks from obsolete or unsupported technologies.

Third sector organisations will:

  • review their legacy systems and manage them as part of overall business risk.

6.5 Using Trusted Tools

Third sector organisations use proven security solutions, including NCSC’s Active Cyber Defence services.

Third sector organisations will:

  • implement appropriate protective measures to improve their cyber security.

SCVO and other CyberScotland partners will:

6.6 Raising Workforce and Volunteers’ Awareness

The third sector workforce, including volunteers, demonstrates strong cyber resilient behaviours.

SCVO and other CyberScotland partners will:

  • signpost staff, including volunteers, to authoritative cyber resilience resources and training via the CyberScotland Portal, SCVO and the NCSC website.

Third sector organisations will:

  • raise workforce awareness on how to identify cyber risks and take appropriate action.

6.7 Reporting Cyber Incidents

Third sector organisations report cyber incidents to Police Scotland, SG, NCSC, OSCR and the ICO where appropriate.

Third sector organisations will:

  • report cyber incidents to Police Scotland (via 101) and to the NCSC through the Report a Cyber Incident service
  • notify relevant regulatory authorities, such as the ICO, of incidents where required. Scottish charities should also report cyber crime to OSCR via its raise a concern form.

6.8 Securing the Supply Chain

Third sector organisations confidently and actively manage third-party risks throughout the life cycle of contracts.

SCVO and other CyberScotland Partners will:

  • encourage third sector organisations to assess the cyber resilience of their supply chains and adopt secure-by-design principles
  • promote NCSC supply chain security guidance to help third sector organisations improve their awareness of supply chain security
  • encourage third sector organisations to embed appropriate cyber assurance into procurement and contract management.

6.9 Building Professional Capability

Third sector organisations develop the professional cyber security capabilities of their workforce, including volunteers, through inclusive recruitment, training, professional development and career progression.

SCVO and other CyberScotland partners will:

  • encourage third sector organisations to support the continuous professional development of their cyber security workforce
  • promote the value of professionalising the cyber security workforce and raise awareness of the UK Cyber Security Council, creating opportunities for the Council to engage with practitioners in Scotland
  • provide employers with practical guidance to attract, recruit and retain diverse cyber talent by identifying and removing barriers and biases, including those affecting women and those with disabilities.

6.10 Strengthening Cross-Sector Collaboration

The third sector, government, academia and industry continue to build stronger partnerships to improve incident response and to share knowledge and threat intelligence, innovation and expertise.

SCVO and other CyberScotland Partners will:

  • strengthen partnerships between the third sector, government and academia – sharing knowledge, innovation and expertise and collaborating on awareness and delivery alignment
  • collaborate on the development and exchange of briefing materials for the third sector
  • promote the use of CyberScotland Portal for signposting resources, good practice guidance and support to third sector organisations.

Contact

Email: CyberResilience@gov.scot