Publication - Strategy/plan

Cyber resilience: third sector action plan 2018-2020

Published: 25 Jun 2018

Plan to develop a common, aligned approach to cyber resilience across the third sector in Scotland, so that all sections of society benefit from being digitally safe and secure.

2. Key Actions

Introduction

22. This section provides detail on the key actions that the Scottish Government and its partners will take during 2018-20 to help address these issues and ensure confidence in standards of cyber resilience in Scotland’s third sector.

23. Delivery of the action plan will be coordinated and led by the Scottish Government’s Cyber Resilience Unit, working as close partners with the NCRLB, the NCSC, the UK Government and key Scottish third sector partners.

24. The Scottish Government is clear that it cannot achieve a strong, cyber-resilient third sector in Scotland by taking action on its own. While the Scottish Government will offer targeted funding, support and direction where it is able to do so (as outlined in this action plan), achieving a world leading cyber resilient third sector will also require leadership, commitment and resource from third sector organisations of all sizes in Scotland. As work is taken forward to drive higher levels of cyber resilience in Scotland’s public and private sectors, potential links or opportunities for cross-sectoral knowledge-sharing will also be identified.

25. Action to promote cyber resilience in Scotland’s third sector will of course continue beyond 2018-20. This action plan will be refreshed at the end of this period, to take stock of progress to date and ensure continued progress.

Collaborative working, levers and influence

26. The Scottish Government’s preferred approach to driving up levels of cyber resilience in Scotland’s third sector is one of collaborative working with partners – to that end, this action plan sets out proposals to work in close partnership with the third sector, based on a shared understanding of the importance and benefits of strong cyber resilience across the sector.

27. There are, nevertheless, some areas in which more direct levers of influence may be used to encourage third sector partners in different sectors and of different sizes to take action in respect of cyber resilience. These levers sit at different levels (UK, Scottish, local) and with different organisations. The key actions set out in this action plan seek to maximise use of these levers, which include:

  • Legislation and regulation: Cyber security is a reserved issue. As part of the "Defend" strand of the National Cyber Security Strategy, the UK Government is working with international partners to make sure the right regulatory framework is in place in the UK and Europe – one that incentivises better cyber security but avoids unnecessary burdens on business. This work includes implementation of the Security of Network and Information Systems (NIS) Directive into UK law from May 2018, which will place requirements on Operators of Essential Services (OES), specifically in key areas of the private and public sectors, to improve certain aspects of cyber security. Scottish third sector organisations that form part of OES supply chains should expect to deal with an increased focus on their cyber resilience. The General Data Protection Regulation (GDPR) will also come into force from May 2018, and will apply to all third sector organisations handling personal data. Both pieces of law will effectively require third sector organisations to ensure they have appropriate cyber security arrangements in place, either to ensure continuity of essential services or to protect personal data. Significant fines will be able to be levied by the Information Commissioner or Competent Authorities in the event of breaches.
  • Existing regulatory and advisory practice: Regulators, such as the Office of the Scottish Charity Regulator, support good management and governance. They can therefore play an important role in promoting security and resilience.
  • Supply chain requirements: Whilst large organisations account for only a small percentage of total charity numbers, they represent a significant share of output, and they operate materiel, service and information supply chains that reach into Scottish and wider UK and international structures at all levels. Small and medium sized third sector organisations’ supply chain scope is often smaller and there may not be as many chain partner relationships to manage, but they often form part of more complex business chain activity. The NCSC notes [11] that cyber criminals can identify the organisation with the weakest cyber security within the supply chain, and use the vulnerabilities present in their systems to gain access to other members of the supply chain, including large third sector organisations.

    Large organisations are both suppliers and contractors and there is an interdependency between the public and third sectors. The public sector in Scotland is a significant purchaser of third sector goods and services, while some larger Scottish third sector organisations have extensive supply chain arrangements, within and outside Scotland. By placing proportionate requirements on third sector organisations in respect of cyber security, both to ensure their own cyber security and to drive up overall levels of cyber resilience in Scotland, public sector organisations can potentially raise awareness of the importance of cyber resilience and wield significant influence over the uptake of good practice and accreditation, etc. not only in the third sector but also in the private sector. The Public Sector Action Plan on Cyber Resilience sets out a proposal to develop a policy on supply chain cyber security for the public sector, which is expected to align with NCSC guidance on supply chain security (including requirements in respect of Cyber Essentials certification, based on management of risk). This third sector action plan includes proposals on supply chain cyber security at Key Action 4.
  • Financial and other incentives: While the public sector (in common with other sectors) at all levels is currently operating under significant resource constraints, there is the potential for targeted financial and other incentives to be offered to third sector operators (particularly small and medium sized third sector organisations) to drive a greater focus on cyber resilient behaviour. These could conceivably include, for example, subsidies for organisations achieving or seeking to achieve certain levels of cyber security accreditation.

28. In developing this action plan, the Scottish Government and the NCRLB have sought the views of the UK Government (including the NCSC) and key regulatory bodies. These partners will also play a vital role in the implementation of the plan, and arrangements will be put in place to ensure continued collaboration and coordination as the actions outlined in this plan are taken forward.

Key Actions

A: Develop a common approach to cyber resilience across the Scottish third sector

Key Action 1

The Scottish Government and the National Cyber Resilience Leaders Board will work with the NCSC and key partners to consider options for developing a Third Sector Cyber Resilience Framework/Pathway. This would aim to provide a simple, structured way for organisations in Scotland – particularly small and medium sized third sector organisations – to assess the cyber threat to their operations and select an appropriate set of controls or guidance to help them work progressively towards strengthening their cyber resilience.

As part of this work, consideration will be given to making clear how such a framework/pathway could align with the core common supply chain cyber security requirements of public and larger private and third sector organisations. This should help drive greater consistency in the demands placed on small and medium sized third sector organisations in supply chains.

Third sector organisations in Scotland – particularly small and medium sized third sector organisations – will then be encouraged, incentivised and supported to work towards implementing the most appropriate cyber resilience approach, based on the cyber threat to their operations. (Timing: by spring 2019, and thereafter on an ongoing basis dependent on confirmation of viability)

29. There exists a wide range of standards, guidance and accreditation schemes within the UK and internationally that can help provide assurance to third sector organisations and their customers with regard to managing the cyber threat. However, Scotland and the wider UK currently lack a clear, graduated hierarchy of such measures that can assist third sector organisations (particularly smaller or micro charities) to identify the most appropriate outcomes, standards or accreditations to work towards in order to manage progressively higher levels of cyber threat, and to offer a way of benchmarking against other third sector organisations.

30. Key third sector partners have indicated their support for the development of an easily recognisable Third Sector Cyber Resilience Framework/Pathway, with the aim of increasing awareness of the core common cyber resilience measures (via guidance, standards or accreditation schemes) that they should be considering implementing dependent on the cyber threat to their operations.

31. Feedback from third sector stakeholders has identified that any such Framework/Pathway must be informed by:

  • Existing standards or guidance, particularly those endorsed by the National Cyber Security Centre such as Cyber Essentials and the 10 Steps to Cyber Security. Unless particular gaps are identified in the landscape, there is no appetite to create fresh standards for the third sector – rather, the aim is to help make sense of existing ones;
  • Existing and planned practice in respect of supply chain cyber security amongst larger public, private and third sector organisations – as set out later in this action plan, a key goal should be to promote greater awareness and alignment across different sectors in respect of the core common cyber security requirements they place on small and medium sized third sector suppliers, and to enhance understanding amongst small and medium sized third sector organisations of those core requirements (see Key Action 4); and
  • The views of Scottish small and medium sized third sector organisations on the types of guidance or support that are most likely to help them begin and sustain their journey towards greater cyber resilience. On the basis of initial discussions, the Framework/Pathway should have a particular focus on supporting and influencing the third sector to have in place a Board/Senior Management commitment to understand and manage the risks arising from the cyber threat. There should also be a clear focus on staff training and awareness.

32. In undertaking this work, the Scottish Government, the NCRLB third sector steering group, the NCSC and key third sector partners (including the third sector cyber catalysts) will work together to:

  • develop a stronger understanding of the core cyber resilience requirements that are currently encompassed by NCSC schemes and guidance, other common standards and key supply chain policies as they apply to the Scottish third sector (particularly small and medium sized third sector organisations), and how these relate to progressively higher levels of cyber threat;
  • consider the development of strengthened guidance on the basis of this work where necessary, including in respect of public, private and third sector organisations’ supply chain requirements (see Key Action 4), and the dissemination of such guidance appropriately via key partners, with a view to driving greater consistency in the messages going to third sector organisations (especially small and medium sized third sector organisations); and
  • building on this work, consider options for the development of a Third Sector Cyber Resilience Framework/Pathway, with a particular focus on supporting small and medium sized third sector organisations to assess the cyber threat to their operations and select an appropriate set of core controls (via guidance, standards or accreditation schemes) to improve their cyber resilience.

33. In view of the fact that many strategic organisations operating in Scotland will already be working to a range of UK and international regulatory requirements, it is expected that any such Framework/Pathway is most likely to be of use for smaller organisations (especially small and medium sized third sector organisations) in terms of assessing their own organisational cyber resilience. Such a framework, if appropriately aligned with common core supply chain requirements, could also drive benefits for larger organisations seeking to manage supply chain risk.

34. A broad initial concept for the development of a Third Sector Cyber Resilience Framework/Pathway is at Annex B. The potential for a pilot of this approach (or similar) is currently under discussion with the National Cyber Security Centre, the Scottish Council of Voluntary Organisations and other key partners.

One potentially key factor in securing greater awareness and take-up of any such Framework/Pathway will be an understanding of how supply chain cyber security policies in the public, private and third sectors broadly align with its contents. Key Action 4 in this action plan and Annex B set out how an understanding of the alignment of these policies could help ensure the success of any Framework/Pathway.

Developments in this area at the UK level, including in respect of NIS/NCSC guidance around supply chain cyber security, will be influential. The EU is also considering the development of a framework to govern European cybersecurity certification schemes, allowing schemes to be established and recognised across the EU in order to address market fragmentation. The current EU proposal outlines the minimum content of what would be required under such schemes. Ensuring alignment with this EU-level framework will be key.

35. The Scottish Public Sector Action Plan sets out a commitment to develop a Scottish Public Sector Cyber Resilience Framework. Alignment between this and any Third Sector Cyber Resilience Framework/Pathway will be carefully considered once both have been finalised.

36. The NCRLB emphasises that accreditation, while a helpful way of assessing and demonstrating good practice, does not offer a "silver bullet" to improving cyber security. Guidance will ensure that third sector organisations and their customers are aware that, ultimately, good cyber resilience is a cultural issue. Organisations should take care not to reduce cyber resilience to a "tick box" exercise.

B: Strengthening communications, awareness-raising and systems of advice and support

Key Action 2

The Scottish Government will work with the National Cyber Resilience Leaders Board, the NCSC and key third sector partners to strengthen the promotion of good cyber resilience practice at all levels in the third sector.

This work will include the strengthening of systems of advice and support for the third sector in Scotland. Communications activity will be aimed at raising awareness of the importance of cyber resilience and effective ways of achieving it. An initial "target landscape" for advice and support will be identified with the goal of achieving this by spring 2019, and thereafter improved on an ongoing basis.

37. It is vital that organisations across the Scottish third sector understand the importance of the cyber threat, know where to go to find trusted advice and support, and can take action to enhance their own cyber resilience.

38. The Scottish Government will work with the National Cyber Resilience Leaders Board, the NCSC and key third sector partners to support key messaging and to strengthen the promotion of good cyber resilience practice at all levels in the third sector.

39. The NCRLB have identified that there is a need to "declutter" and simplify the landscape in Scotland with respect to advice and support on cyber resilience for third sector organisations. Organisations of all sizes in Scotland should be able to discover the best official sources of advice and support in respect of cyber resilience, and be provided with high quality, consistent and easy-to-understand messages and advice products to support this. They should also understand where to go to find high quality, independent private sector expertise on cyber security.

40. To help achieve this, the Scottish Government and the NCRLB will work with Police Scotland and other key public and third sector partners to:

  • finalise analysis on the cyber resilience advice and support landscape in Scotland, to identify the key strengths and weaknesses in current arrangements;
  • develop and implement proposals to promote easier access to trusted sources of advice and support on cyber security for the third sector, with a focus on "decluttering" and simplifying the landscape; and
  • build on this work to ensure third sector organisations are provided with high quality, consistent, and easy-to-understand messages and advice products through key partners to help raise awareness and support organisations’ progress in respect of cyber resilience. These communications and awareness raising activities will be delivered through a range of key partners, including:
    • Third Sector representative organisations;
    • The Scottish Government, local authorities and other government bodies or agencies, including Skills Development Scotland and Business Gateway;
    • Regulatory bodies;
    • Third sector cyber catalyst organisations (see Key Action 3); and
    • Specific charity bodies.

  Awareness raising activities will have a particular focus on:

  • Increasing understanding of the cyber threat, its importance to third sector organisations of all sizes, and the business arguments for adopting good practice.
  • Raising awareness of the Scottish Third Sector Cyber Resilience Framework/Pathway (if developed successfully – see Key Action 1), and the operational benefits of managing the cyber risk more effectively (including meeting the requirements of Scottish public sector procurement policies and those of third and private sector cyber catalysts).
  • Providing/signposting best practice guidance on how to build cyber resilience effectively into workplace learning, and opportunities to benefit from educational initiatives/apprenticeships and retraining and upskilling programmes, in line with the Learning and Skills action plan. [12]
  • Publicising widely any incentives that exist or that have been developed (see Key Action 5) to support the achievement of standards/accreditation schemes.
  • Promoting and encouraging uptake of free, reputable services aimed at strengthening cyber security in the third sector.
  • Promoting and encouraging active [13] membership of the Cybersecurity Information Sharing Partnership (CiSP) by eligible organisations.
  • Promoting and encouraging small and medium sized third sector organisations to access key NCSC resources available from the NCSC website, including Cyber Alerts and Advisory and Guidance reports, incident management guidance, etc.
  • Supporting the third sector with the process and follow-up on confidently reporting cyber incidents, working with Police Scotland, NCSC and OSCR.

41. The role of the NCSC as a trusted source of advice is expected to be central to this work.

C: Strengthening partnership working, leadership and knowledge sharing in Scotland’s third sector

Key Action 3

The Scottish Government will work in partnership with the NCSC, UK Government and key Scottish third sector organisations to help catalyse better cyber resilience practice across Scotland’s third sector.

From June 2018, a cross-sectoral group of third sector cyber catalyst organisations will work with the Scottish Government and the NCSC to develop and implement practical solutions to key challenges on an ongoing basis, with an initial focus on:

  • strengthening leadership for, and helping drive greater awareness and uptake of good cyber resilient behaviours in, Scottish small and medium sized third sector organisations, including through the use of supply chain measures;
  • strengthening coordination and knowledge sharing in respect of cyber resilience across key third sector organisations operating in Scotland; and
  • supporting and promoting uptake of key educational initiatives in Scotland, including cyber security apprenticeships.

42. Discussions with key Scottish third sector organisations have made clear that they fully understand the leadership role they can play in respect of cyber resilience in their sector. If we are to succeed in our shared goal of raising standards of cyber resilience across the whole of the Scottish third sector, it will be vital that influential Scottish third sector organisations commit to wielding their influence to encourage others to adopt good cyber resilience practice.

43. To help achieve this, from summer 2018 the Scottish Government will begin work in partnership with the NCSC, UK Government and a cross-sectoral group of third sector cyber catalyst organisations to develop and support implementation of practical solutions to key cyber resilience challenges in the Scottish third sector on an ongoing basis.

The Scottish Government will play a leading role in supporting and driving forward the work of the group, and identifying avenues for delivery.

Membership of this working group will be refreshed on a regular basis, in line with the key areas of focus that are identified through the ongoing work of the group. An up-to-date list of third sector cyber catalyst organisations will be placed on the Scottish Government Cyber Resilience website [14]. These organisations will commit at board level to working with the Scottish Government and the NCSC to undertake the following broad initial programme of work:

(i) Strengthening leadership for, and helping drive greater awareness and uptake of good cyber resilient behaviours in, Scottish small and medium sized third sector organisations, including by making use of supply chain levers.

Where appropriate, third sector cyber catalyst organisations will be asked and supported to:

  • Support public messaging around the importance that should be attached to cyber resilience by all parts of the Scottish third sector, including by helping to develop and support a more consistent, joined-up programme of awareness raising activities aimed at small and medium sized third sector organisations and their customer and client community in Scotland (see Key Action 2); and
  • Support work (set out in more detail at Key Action 4) to enhance cross-sectoral understanding and alignment of supply chain policies. A key aim of this work will be to examine whether more consistent "core" cyber resilience requirements can be identified in respect of the small and medium sized third sector organisations and the SME community that form part of influential organisations’ supply chains, thus improving the ability of small and medium sized third sector organisations to anticipate the likely cyber resilience demands that will be placed on them if they wish to win contracts.

(ii) Strengthening coordination and knowledge sharing in respect of cyber resilience across key organisations operating in Scotland.

Where appropriate, third sector cyber catalyst organisations will be asked and supported to share best practice knowledge gained from their own organisational activity on cyber resilience across sectors, with a view to driving greater cross-sectoral alignment and best practice. This will include sharing learning with:

  • one another, including in respect of any challenges or difficulties they have encountered, or any innovative solutions they have identified to overcome barriers and ensure an effective understanding of the cyber threat and implementation of effective cyber resilience measures;
  • other Scottish third, public and private sector organisations – including, where appropriate, small and medium sized third sector organisations and SMEs – in order to help drive best practice in respect of cyber resilience, and develop a more coherent, aligned cross-sectoral approach across Scotland; and
  • the UK NCSC and the UK Government Cabinet Office, to help inform the future development of standards and guidelines and other relevant requirements. Over time, the expectation is that these standards and guidelines will mature and improve to take account of experience in implementing them and technological developments.

Catalysts may be asked to facilitate wider engagement between government and key organisations in their sub-sector in appropriate circumstances.

(iii) Supporting and promoting uptake of key educational initiatives in Scotland, including cyber security apprenticeships.

Where appropriate, third sector cyber catalyst organisations will be asked and supported to:

  • make use of key educational initiatives in Scotland, including cyber security apprenticeships, with a view to ensuring they have the right skills available to them to build organisational cyber resilience, and to support talent development in this area;
  • promote awareness of these initiatives as part of wider work on public messaging; and
  • help inform the development of future initiatives, to ensure they meet the needs of the Scottish third sector.

Further details of relevant initiatives and proposals in this area can be found in the Learning and Skills action plan.

44. A Scottish public sector cyber catalyst group has already been instituted, and it is intended that a similar scheme be established for Scotland’s private sector. The Scottish Government will work to support the sharing of knowledge and learning across all three sectoral cyber catalyst schemes, and to help drive greater alignment across all sectors.

D: Supply chain cyber security – leveraging requirements to improve the cyber resilience of Scotland’s third sector

Key Action 4

The Scottish Government will work with third sector organisations and key partners to clarify the common core cyber resilience requirements that are currently placed on third party suppliers, and their relationship to wider standards and guidance, by spring 2019.

Thereafter, the potential for greater cross-sectoral alignment and cooperation in respect of common core supply chain requirements will be explored, with the goal of promoting greater coherence across Scotland’s public, private and third sectors.

A key aim of this alignment will be to improve the cyber resilience of Scotland’s small and medium sized third sector organisations as part of the supply chain of larger public, private and third sector organisations.

45. Supply chain cyber security is a vital part of organisational cyber resilience. Cyber criminals often attack the organisation with the weakest cyber security within the supply chain, and use the vulnerabilities present in their systems to gain access to other members of the supply chain, including large corporates.

46. Many large corporates in Scotland already require their supply chains – including third sector suppliers – to have appropriate cyber resilience measures in place, and make those requirements public. While the requirements they place on their supply chains are often similar, there is currently no agreed common practice or "core question set" either within or across sub-sectors (with the notable exception of the defence sector, where the Defence Cyber Protection Partnership have worked with industry to develop a Cyber Security Model for procurement [15]. This model is supported by an online tool called Octavian, which includes a short questionnaire to determine the Cyber Risk Profile for a contract or sub-contract).

Work is currently under way in the banking sector to explore the potential for greater alignment and cooperation between key organisations in respect of third party supply chain cyber security and assurance.

47. The NIS legislation and associated guidance will formalise requirements in respect of supply chain cyber security for private and public sector organisations that are subject to it – this may help ensure greater consistency in the approach taken across operators of essential services to the cyber security of third sector suppliers.

48. The Public Sector Action Plan commits the Scottish Government to working with key partners to develop a proportionate, risk-based policy in respect of supply chain cyber security, to be applied by public bodies in all relevant procurement processes. The views of Scottish third sector organisations will be sought on a draft policy early in 2018, with a view to implementation as part of the Scottish Public Sector Cyber Resilience Framework. This policy is expected to result in specific, proportionate, risk-based requirements being placed on private and third sector suppliers to the Scottish public sector in respect of cyber resilience.

The Scottish Government will make explicit how the public sector supply chain cyber security policy aligns with NIS requirements.

49. To help: (a) ensure the supply chain cyber security of any third sector organisations that form part of the critical infrastructure of Scotland, and (b) improve the cyber resilience of Scotland’s small and medium sized third sector organisations, the Scottish Government will work with the NCSC and key third sector partners, including third sector cyber catalyst organisations, on the following programme of activity:

  • Seeking views from the third sector to help inform the development of the draft public sector supply chain cyber security policy in 2018, so that it takes account of existing good practice in the third sector.
  • Identifying the current common core supply chain cyber resilience requirements that are placed on small and medium sized third sector suppliers, with a view to improving sectoral guidance for the small and medium sized third sector organisations on what they need to do to strengthen their cyber resilience to position themselves to win contracts. This work should include a focus on progressive management of cyber threats and risks. Initial mapping of some key sector requirements should be undertaken by spring 2019.
  • Building on this analysis, considering the potential for greater cross-sectoral alignment of core supply chain cyber resilience requirements over time. Such alignment should have a particular focus on small and medium sized third (and private) sector suppliers, and be informed by regulatory requirements and existing practice in the public, private and third sectors. It may include a focus on alignment with NCSC-endorsed guidance or schemes (including Cyber Essentials, the 10 Steps to Cyber Security, NCSC Supply Chain Guidance) and other widely recognised standards (e.g. ISO and IASME), and help inform the development of the proposed Third Sector Cyber Resilience Framework/Pathway (see Key Action 1).
  • Building on any such alignment work, exploring the potential for cross-sectoral pooling or accessing of information to support supply chain security across Scotland’s third sector. This may include ways of accessing consistent information on which small and medium sized third sector supply chain organisations have been assessed as capable of managing different levels of cyber risk in line with a Third Sector Cyber Resilience Framework/Pathway. This work will aim to reduce the burdens placed on both purchasers and suppliers in managing cyber risk in the supply chain.

50. While there will inevitably be a requirement for individual large third (and private) sector organisations to include "bespoke" conditions around cyber security for specific contracts, identifying common core requirements should help provide a common starting point for consideration of the requirements that key third and private sector organisations (including the cyber catalyst organisations) will generally expect to see in place in their supply chains to manage the cyber risk in specific circumstances.

51. It is expected that this work will result in greater consistency in the incentives and requirements placed on Scotland’s small and medium sized third sector organisations that form part of the public, private and third sector supply chain (or that wish to do so). That greater consistency of messaging, centred around a widely disseminated Third Sector Cyber Resilience Framework/Pathway, should help drive greater awareness in small and medium sized third sector organisations of what good practice in respect of cyber risk/threat management looks like. Annex C gives a visual representation of what this might look like.

52. Third sector organisations that make use of Cyber Essentials in their supply chain, either now or as a result of the alignment work described above, will also be encouraged to promote the use of a voucher scheme to support small and medium sized third sector organisations in their supply chains to achieve accreditation to Cyber Essentials or Cyber Essentials Plus level (see Key Action 5).

53. Of course, not all small and medium sized third sector organisations in Scotland form part of the supply chain of the public sector and larger private and third sector organisations. Wider awareness raising work will be required to ensure greater uptake of good cyber resilient behaviour. This is covered in Key Action 2.

E: Strengthening incentives to improve Cyber Resilience in Scotland’s third sector

Key Action 5

The Scottish Government and the National Cyber Resilience Leaders Board will work with the UK Government and key third sector stakeholders to consider how best to strengthen incentives to support the uptake of cyber security standards/accreditation, and the adoption of good cyber resilience practice more generally.

This will include the continuation of a modified voucher scheme to support the achievement of Cyber Essentials or Cyber Essentials Plus certification by Scottish small and medium sized third sector organisations. We aim to at least double the number of public, private and third sector organisations holding Cyber Essentials or Cyber Essentials Plus certification in total in Scotland during Financial Year 18-19.

54. Third sector partners have put forward arguments that incentives will be key to promoting the adoption of cyber security standards/accreditation and the adoption of good cyber resilience practice more generally.

55. The Scottish Government is particularly keen to support small and medium sized third sector organisations, who will often be starting from a relatively low base of knowledge or experience, to begin their journey towards greater cyber resilience. One way of doing so is to support uptake of Cyber Essentials/Plus certification. The Cyber Essentials scheme offers a mechanism, endorsed by the National Cyber Security Centre, for organisations to demonstrate to customers, investors, insurers and others that they have in place critical technical controls that protect against the most common internet-borne cyber attacks.

56. The Scottish Council of Voluntary Organisations (SCVO) supported a small pilot grants programme in October 2017. The programme provided funding of between £500 and £1500 for small and medium sized charities to achieve Cyber Essentials accreditation. An SCVO evaluation report to identify the barriers and enablers to achievement of Cyber Essentials certification in the third sector will be produced by May 2018. This will help to inform options for future initiatives to support achievement of Cyber Essentials or Cyber Essentials Plus certification by Scottish third sector organisations.

57. The Digital Scotland Business Excellence Partnership supported a voucher scheme that ran from summer 2016 until end 2017 to help Scottish SMEs achieve Cyber Essentials or Cyber Essentials Plus certification. The scheme provided funding to SMEs to allow them to secure the services of an industry expert to advise them on how to approach securing Cyber Essentials certification. The voucher was of the value of up to £1.5k per company. An evaluation of this scheme found that it had a positive effect on take-up and achievement of Cyber Essentials amongst SMEs.

58. The Scottish Government will build on the lessons of these two schemes by funding a modified voucher scheme to support Scottish small and medium sized third sector organisations (and private sector organisations) to achieve Cyber Essentials or Cyber Essentials Plus. This scheme is expected to be operational from autumn 2018. We aim to at least double the number of public, private and third sector organisations holding Cyber Essentials or Cyber Essentials Plus certification in total in Scotland during Financial Year 18-19.

59. Third sector organisations will be encouraged to publicise this scheme to their supply chain companies and customers/clients, in order to drive greater take up of Cyber Essentials and Cyber Essentials Plus. The scheme will also be publicised through key partners (including Third Sector Cyber Catalyst organisations) as part of the awareness raising activities set out under Key Action 2.

60. Beyond this, the Scottish Government, the NCRLB, the UK Government and key partners will work together to explore what additional incentives are already in place or could be developed further to promote good practice in the Scottish third sector in respect of cyber resilience. High level proposals on additional incentive schemes will be considered by the NCRLB by spring 2019, with decisions on subsequent action taken thereafter.

F: Benchmarking, Monitoring and Evaluation

Key Action 6

The Scottish Government will work with the NCRLB and key partners to develop appropriate benchmarking, monitoring and evaluation arrangements, for implementation by spring 2019.

61. In order to understand what progress is being made towards the vision of Scotland as a world leading nation in cyber resilience, it will be important to have in place arrangements to achieve a regularly refreshed picture of the extent of good cyber resilience practice in Scotland’s third sector. The benefits of this are expected to include:

  • The provision of greater assurance to members of the public with regard to the cyber resilience of Scotland’s third sector as a whole and the cyber resilience of specific sub-sectors.
  • The provision of useful benchmarking information for third sector organisations, to assist them in making judgements around what level of standards/accreditation they should be aiming to achieve in light of sectoral benchmarks.
  • The provision of greater assurance to Government, Parliament and Regulatory Bodies with regard to levels of cyber resilience across key areas of Scotland’s third sector.

62. To help achieve this, the Scottish Government will work with the NCRLB, the NCSC, Regulatory Bodies, key third sector partners and organisations providing accreditation, to develop appropriate benchmarking, monitoring and evaluation arrangements by spring 2019. Key measures that form part of these arrangements may include:

  • Working with the NCSC to monitor and report on the number of third sector organisations achieving Cyber Essentials and Cyber Essentials Plus;
  • Working with accreditation bodies and external audit companies to understand levels of take-up of private certification schemes in Scotland, where possible;
  • Working with key partners to monitor and report on the uptake of free, reputable cyber security tools amongst Scotland’s third sector (e.g. the Global Cyber Alliance’s DMARC and Protected DNS services);
  • Working with the NCSC to monitor and report on membership of the SciNet grouping on the CiSP; and
  • Inclusion of appropriate questions focused on cyber resilience in Scottish-based surveys (e.g. the Scottish Crime and Justice Survey).

Contact