A New Cyber Resilience Strategy for Scotland’s Public Sector
The new public sector cyber resilience strategy will set a baseline of defence and response for all of Scotland’s public bodies, and potentially encourage the private sector to follow suit.
A new action plan for protecting Scotland’s public services against cyber-crime has been unveiled by the Scottish Government. Titled the Public Sector Action Plan on Cyber Resilience, the strategy aims to encourage all public bodies to implement the same cyber-security standards.
These defences include active threat intelligence sharing, cyber-incident response protocols and third-party assurance that the necessary protections against the most common forms of attack are in place.
Mr Swinney said: “The Scottish Government recently committed to developing a range of action plans to help meet this ambition, including in the key areas of learning and skills, economic opportunity, and public, private and third sector cyber resilience.
“Today marks the first of those plans being published. Our public sector action plan will encourage all public bodies, large or small, to achieve common standards of cyber resilience. I want our public sector to lead by example on strengthening cyber security, to help ensure Scotland is ready to deal with all emerging threats.”
Mr Swinney outlined the government’s hope the improvements will encourage the private sector to adopt similar defence measures: “We will also be working with those who provide key services in the private and third sectors to encourage them to make sure they are cyber resilient.”
The Scottish Government will implement the new public sector cyber resilience strategy under the NCSC’s Active Cyber Defence (ACD) Programme by the end of June 2018. The ACD scheme focuses on the implementation of infrastructure security, while causing as little disruption as possible.
Measures in the ACD programme include:
DMARC anti-spoofing to protect emails from phishing, and protected DNS, which uses information from GCHQ to block access from malicious addresses.
As well as setting a baseline of defence measures, the Scottish Government will also seek assurance from public bodies that they have appropriate staff training and disciplinary processes in place for cyber resilience. Individual organisations will decide how to implement their training schemes, but the report warns that supervisors will assume responsibility for training their staff.
A growing need for cyber resilience
The announcement of the Action Plan comes amid news that Scottish Government bodies were responsible for four major cyber-security incidents in the past year. According to The Times, all of these incidents were caused by human error, and exposed the personal details of members of the public.
Hugh Aitken, CBI Director of Scotland, said: “Now more than ever cyber security has to be an important priority for Scottish businesses and public bodies.
“The Public Sector Action Plan on Cyber Resilience marks an important step on the journey to making Scotland a more cyber secure country. Ensuring all public bodies have a baseline standard for cyber resilience could be the difference between repelling an attack, or having to deal with a raft of legal and reputational consequences.”
Mr Aitken added that boosting cyber resilience could even boost the economy: “Cyber security is a rapid growth sector and, with significant expertise in software development, tech innovation and fintech, Scotland is ideally placed to take advantage and become a global leader in the field.”
Delivery of the public sector cyber resilience strategy will be coordinated and led by the Scottish Government’s Cyber Resilience Unit, in partnership with the National Cyber Resilience Leaders’ Board (NCRLB) and Scotland’s public bodies.