Cyber resilience: private sector action plan 2018-2020

Plan to develop a common, aligned approach to cyber resilience across the private sector in Scotland, so that all sections of society and business benefit from being digitally safe and secure.


2. Key Actions

Introduction

22. This section provides detail on the key actions that the Scottish Government and its partners will take during 2018-20 to help address these issues and ensure greater confidence in standards of cyber resilience in Scotland’s private sector.

23. Delivery of the action plan will be coordinated and led by the Scottish Government’s Cyber Resilience Unit, working as close partners with the NCRLB, the NCSC, the UK Government and key Scottish private sector partners.

24. The Scottish Government is clear that it cannot achieve a strong, cyber resilient private sector in Scotland by taking action on its own. While the Scottish Government will offer targeted funding, support and direction where it is able to do so (as outlined in this action plan), achieving a world-leading cyber resilient private sector will also require leadership, commitment and resource from private sector organisations of all sizes in Scotland. As work is taken forward to drive higher levels of cyber resilience in Scotland’s public and third sectors, potential links or opportunities for cross-sectoral knowledge-sharing will also be identified.

25. Action to promote cyber resilience in Scotland’s private sector will of course continue beyond 2018-20. This action plan will be refreshed at the end of this period, to take stock of progress to date and ensure continued progress.

Collaborative working, levers and influence

26. The Scottish Government’s preferred approach to driving up levels of cyber resilience in Scotland’s private sector is one of collaborative working with partners – to that end, this action plan sets out proposals to work in close partnership with the private sector, based on a shared understanding of the importance and benefits of strong cyber resilience across the sector.

27. There are, nevertheless, some areas in which more direct levers of influence may be used to influence private sector partners in different sectors and of different sizes to take action in respect of cyber resilience. These levers sit at different levels (UK, Scottish, local) and with different organisations. The key actions set out in this action plan seek to maximise use of these levers, which include:

  • Legislation and regulation: Cyber security is a reserved issue. As part of the "Defend" strand of the National Cyber Security Strategy, the UK Government is working with international partners to make sure the right regulatory framework is in place in the UK and Europe – one that incentivises better cyber security but avoids unnecessary burdens on business. This work includes implementation of the Security of Network and Information Systems (NIS) Directive into UK law from May 2018, which will place requirements on operators of essential services, including in key areas of the private sector, to improve certain aspects of cyber security. Some areas of the private sector (e.g. finance and civil nuclear) are effectively covered by other regulations. The General Data Protection Regulation (GDPR) will also come into force from May 2018, and will apply to all private sector organisations handling personal data. Both pieces of law will effectively require private sector organisations to ensure they have appropriate cyber security arrangements in place, either to ensure continuity of essential services or to protect personal data. Significant fines may be levied by the Information Commissioner or Competent Authorities in the event of breaches.
  • Existing regulatory and advisory practice (inc. Critical National Infrastructure): Regulators in different sectors already have responsibility for ensuring and advising on the security and resilience of some private sector organisations in Scotland. This is particularly the case for Critical National Infrastructure, where cyber security is an area of increasing focus. The UK’s NCSC is taking forward a significant programme of work to improve levels of cyber resilience in Critical National Infrastructure. The Scottish Government has also made progress in integrating consideration of cyber resilience into already embedded strategies and processes in respect of critical infrastructure, including the 2011 Critical Infrastructure Resilience Strategy and its associated work programme.
  • Supply chain requirements: Whilst large companies account for only a small percentage of total business numbers, they represent a significant share of output, and they operate material, service and information supply chains that reach deep into Scottish and wider UK and international economic structures at all levels. SME supply chain scope is often smaller and there may not be as many chain partner relationships to manage, but SMEs often form part of more complex business chain activity. The NCSC notes[14] that cyber criminals can identify the organisation with the weakest cyber security within the supply chain, and use the vulnerabilities present in its systems to gain access to other members of the supply chain, including large corporates.

Large firms are both suppliers and contractors and there is an interdependency between the public and private sectors. The public sector in Scotland is a significant purchaser of private sector goods and services. Similarly, larger Scottish private sector organisations have extensive supply chain arrangements, within and outside Scotland. By placing proportionate requirements on private sector organisations in respect of cyber security, both to ensure their own cyber security and to drive up overall levels of cyber resilience in Scotland, public sector organisations can potentially raise awareness of the importance of cyber resilience and wield significant influence over the uptake of good practice and accreditation, not only in the private sector but also in the third sector. The Public Sector Action Plan on Cyber Resilience[15] sets out a proposal to develop a policy on supply chain cyber security for the public sector, which is expected to align with NCSC guidance on supply chain security (including requirements in respect of Cyber Essentials certification, based on management of risk). This private sector action plan includes proposals on supply chain cyber security at Key Action 6.

  • Financial and other incentives: While the public sector (in common with other sectors) at all levels is currently operating under significant resource constraints, there is the potential for targeted financial and other incentives to be offered to private sector operators (particularly SMEs) to drive a greater focus on cyber resilient behaviour. These could conceivably include, for example, subsidies for organisations achieving or seeking to achieve certain levels of cyber security accreditation, or reductions in insurance premiums.

On this latter point, members of the NCRLB steering group have noted that cyber insurance is an increasingly popular method of transferring risk associated with cyber security. However, the cyber insurance sector is immature. The limitations of cover offered, especially for SMEs, are currently being tested by sizeable cross-industry claims, which may prompt insurers to re-evaluate the scope of policies offered. Discussions with the insurance industry, which include a focus on the comprehensive nature of cover and how implementation of standard security measures (such as Cyber Essentials) should reduce premiums/extend cover, are ongoing.

28. In developing this action plan, the Scottish Government and the NCRLB have sought the views of the UK Government (including the NCSC) and key regulatory bodies. These partners will also play a vital role in the implementation of the plan, and arrangements will be put in place to ensure continued collaboration and coordination as the actions outlined below are taken forward.

A. Develop a common approach to cyber resilience across the Scottish private sector

Key Action 1

The Scottish Government and the NCRLB will work to ensure that the views of the Scottish private sector, including SMEs, help inform UK-level consideration of whether there is a case for extending regulatory requirements around cyber resilience more widely across parts of the private sector. This will include a particular focus on ensuring input from any sectors that are critical to the functioning and health of the Scottish economy, and key areas of competitive advantage. (Timing: on an ongoing basis.)

29. The legislative and regulatory framework around cyber security in the UK is currently relatively under-developed. The Scottish Government welcomes the introduction of UK-wide legislation to implement the EU NIS Directive from May 2018, which will place requirements on operators of essential services to ensure they have appropriate arrangements in place to withstand, recover from and learn from cyber attacks and other disruptive events. The GDPR will also place general requirements on organisations to ensure the security of systems dealing with personal data.

30. The NIS legislation will only cover operators of essential services in a limited number of sectors of the Scottish economy, namely:

  • Electricity (electricity suppliers and generators, Single Electricity Market operators, transmission, distribution)
  • Oil (upstream and downstream oil transmission, oil production, refining and treatment and storage)
  • Gas (consumer supply, transmission, distribution, storage, upstream petroleum pipeline operators, LNG supply/storage, gas processing operations)
  • Transport (air, maritime, rail, road)
  • Water (supply of potable water to households)
  • Health (NHS Boards in Scotland)
  • Digital infrastructure (top level domain name registries, domain name services providers, Internet Exchange Point Operators)
  • Digital service providers (online marketplaces, online search engines, cloud computing services)

Some sectors are exempt from some aspects of the Directive where there are provisions within existing regulations which are, or will be, at least equivalent to those the NIS Directive specifies (e.g. finance and civil nuclear sectors). However, many of the principles and technical guidance that the NCSC has produced to support implementation of the NIS Directive are sector-neutral with wide relevance.

31. The UK Government is expected to undertake a post-implementation review of the NIS Directive in due course, to take stock of its effectiveness and take further decisions on scope.

32. The Scottish Government strongly believes that a partnership approach with industry in Scotland will be key to success in driving higher standards of cyber resilience. The Scottish Government will work with the NCRLB and private sector partners (including the private sector cyber catalysts – see Key Action 5) to ensure that the views of the Scottish private sector are factored into UK Government consideration of whether there is a case for the requirements of the NIS legislation or other regulations to be extended, over time, to other key sectors of the economy. Any such decision should include consideration of the specific resilience requirements of, and the relative importance of, key sectors of the Scottish economy, as well as the requirement to avoid placing undue burdens on the SME community. This will help ensure that any decision taken to extend UK-level legislation in the future (e.g. in the event that insufficient progress is being made in specific sectors on an issue that is vital to the overall resilience of the UK) can be rolled out as effectively as possible across Scotland.

In particular, the Scottish Government will support effective consideration of whether there is a case for extending regulatory requirements around cyber resilience to those sectors of the Scottish private sector where Scotland enjoys a comparative advantage that can be maintained and strengthened through active, safe participation in the international digital economy. Key sectors for consideration (which include reserved and devolved sectors) may include:

  • Food and drink (including agriculture and fisheries)
  • Creative industries
  • Sustainable tourism
  • Professional services (including legal services and accountancy)[16]
  • Life sciences
  • Manufacturing/engineering
  • Communications (telecoms, internet and broadcast)[17]
  • Space
  • Chemicals
  • Major retailers

33. This work will be undertaken on an ongoing basis, in line with the timetable set by the UK Government for consideration of potential extension of regulatory requirements around cyber resilience.

Key Action 2

The Scottish Government and the National Cyber Resilience Leaders Board will work with the NCSC and key partners to consider options for developing a Private Sector Cyber Resilience Framework or Pathway. This would aim to provide a simple, structured way for organisations in Scotland – particularly SMEs and those in currently unregulated sectors – to assess the cyber threat to their operations and select an appropriate set of controls or guidance to help them work progressively towards strengthening their cyber resilience.

As part of this work, consideration will be given to making clear how such a framework or pathway could align with the core common supply chain cyber security requirements of public and larger private and third sector organisations. This should help drive greater consistency in the demands placed on SMEs in supply chains.

Private sector organisations in Scotland – particularly SMEs and those in currently unregulated sectors – will then be encouraged, incentivised and supported to work towards implementing the most appropriate cyber resilience approach, based on the cyber threat to their operations. (Timing: by spring 2019, and thereafter on an ongoing basis dependent on confirmation of viability)

34. There exists a wide range of standards, guidance and accreditation schemes within the UK and internationally that can help provide assurance to private sector organisations and their customers with regard to managing the cyber threat. However, Scotland and the wider UK currently lack a clear, graduated hierarchy of such measures that can assist private sector organisations (particularly smaller or micro businesses) to identify the most appropriate outcomes, standards or accreditations to work towards in order to manage progressively higher levels of cyber threat, and to offer a way of benchmarking themselves against other private sector organisations.

35. Key private sector partners have indicated their support for the development of an easily recognisable Private Sector Cyber Resilience Framework or Pathway, with the aim of increasing awareness of the core common cyber resilience measures (via guidance, standards or accreditation schemes) that they should be considering implementing dependent on the cyber threat to their operations.

36. Feedback from private sector stakeholders has identified that any such Framework or Pathway must be informed by:

  • Existing standards or guidance, particularly those endorsed by the National Cyber Security Centre such as Cyber Essentials, the 10 Steps to Cyber Security and NIS Technical Guidance. Unless particular gaps are identified in the landscape, there is no appetite to create fresh standards for the private sector – rather, the aim is to help make sense of existing ones;
  • Existing and planned practice in respect of supply chain cyber security amongst larger public, private and third sector organisations – as set out later in this action plan, a key goal should be to promote greater awareness and alignment across different sectors in respect of the core common cyber security requirements they place on SME suppliers, and to enhance understanding amongst SMEs of those core requirements (see Key Action 6); and
  • The views of the Scottish SME community on the types of guidance or support that are most likely to help them begin and sustain their journey towards greater cyber resilience.

37. In undertaking this work, the Scottish Government, the NCRLB, the NCSC and key private sector partners (including the private sector cyber catalysts) will work together to:

  • develop a stronger understanding of the core cyber resilience requirements that are currently encompassed by NCSC schemes and guidance, other common standards and key supply chain policies as they apply to the Scottish private sector (particularly SMEs), and how these relate to progressively higher levels of cyber threat;
  • consider the development of strengthened guidance on the basis of this work where necessary, including in respect of public and private sector organisations’ supply chain requirements (see Key Action 6), and the dissemination of such guidance appropriately via key partners, with a view to driving greater consistency in the messages going to private sector organisations (especially SMEs); and
  • building on this work, consider options for the development of a Private Sector Cyber Resilience Framework or Pathway, with a particular focus on supporting SMEs and organisations in currently unregulated sectors to assess the cyber threat to their operations and select an appropriate set of core controls (via guidance, standards or accreditation schemes) to improve their cyber resilience.

38. In view of the fact that many strategic companies operating in Scotland will already be working to a range of UK and international regulatory requirements, it is expected that any such Framework or Pathway is most likely to be of use for smaller organisations (especially SMEs) in terms of assessing their own organisational cyber resilience. However, larger organisations in key sectors of the Scottish economy that are not currently subject to cyber security regulation may also find such a tool useful in identifying the levels of cyber resilience they should be aiming for in their organisations and networks based on the cyber threat to their operations. Such a framework, if appropriately aligned with common core supply chain requirements, could also drive benefits for larger companies seeking to manage supply chain cyber threats.

39. A broad initial concept for the development of a Private Sector Cyber Resilience Framework or Pathway is at Annex B. The potential for a pilot of this approach (or similar) is currently under discussion with the National Cyber Security Centre, the Federation of Small Businesses and other key partners.

One potentially key factor in securing greater awareness and take-up of any such Framework or Pathway will be an understanding of how supply chain cyber security policies in the public, private and third sectors broadly align with its contents. Key Action 6 in this action plan and Annex C set out how a clear understanding of the alignment of these policies could help ensure the success of any Framework or Pathway.

Developments in this area at the UK level, including in respect of NIS/NCSC guidance around supply chain cyber security, will be influential. The EU is also considering the development of a framework to govern European cybersecurity certification schemes, allowing schemes to be established and recognised across the EU in order to address market fragmentation. The current EU proposal outlines the minimum content of what would be required under such schemes. Ensuring alignment with this EU-level framework will be key.

40. The Scottish Public Sector Action Plan[18] sets out a commitment to develop a Scottish Public Sector Cyber Resilience Framework. Alignment between this and any Private Sector Cyber Risk Management Framework or Pathway will be carefully considered once both have been finalised.

41. The NCRLB emphasises that accreditation, while a helpful way of assessing and demonstrating good practice, does not offer a "silver bullet" to improving cyber security. Guidance will ensure that private sector organisations and their customers are aware that, ultimately, good cyber resilience is a cultural issue. Organisations should take care not to reduce cyber resilience to a "tick box" exercise.

Key Action 3

The Scottish Government will work with the NCRLB and private sector organisations to explore the potential for a more joined up, integrated, national-level approach to cyber resilience across the Scottish private sector (and public and third sectors).

This will include consideration of initiatives to improve cooperation and collaboration between key sectors of the Scottish economy that rely on one another for continued effective operation, with a view to strengthening the overall cyber resilience of Scotland.

42. It is vitally important that individual private sector organisations take appropriate action to ensure their own cyber resilience, including the presence of appropriate business continuity plans.

43. However, there are strong interdependencies between different organisations in Scotland’s private sector (and public and third sectors). Companies and organisations that form part of the critical infrastructure of Scotland may rely on one another to be able to continue to operate effectively. This means that if one sector of the Scottish economy experiences a significant cyber incident, other sectors may be adversely affected also. Some private sector partners have argued that there is a need for a more integrated, joined-up, national level approach to the cyber resilience of the Scottish private sector (appropriately aligned with arrangements at the UK level), to ensure the continued functioning of the Scottish economy in the event of a major cyber incident. This might, for example, involve shared resilience arrangements across strategic companies in the Scottish private sector, supported by national level activity.

44. The Scottish Government will work with the NCRLB, the private sector cyber catalysts (see Key Action 5), the NCSC and UK Government partners to explore the potential for a more joined up, integrated, national-level approach to cyber resilience across the Scottish private sector (and public and third sectors). This work may include:

  • Improving understanding of the cyber-specific interdependencies between strategic companies in Scotland and other parts of the private, third and public sectors, through a process of mapping key relationships and potential points of failure, with a specific focus on identifying ways of strengthening the overall cyber resilience of Scotland at a systemic level;
  • Exploring ways of driving greater threat-intelligence sharing across different sectors, including through active membership of the Cybersecurity Information Sharing Partnership (CiSP); and
  • Exploring the potential to strengthen cross-sector incident response capability and protocols when critical infrastructure in Scotland is at risk. These should ensure the appropriate involvement of the UK Government and NCSC, regulators, Police Scotland and Scottish Government Resilience (SGOR) arrangements.

45. This work will have a specific focus on key sectors of the Scottish private sector that are critical to the successful functioning of our economy.

46. The aim of this work will be to help shape recommendations to the Scottish and UK Governments as to the potential for future action by government and industry acting in partnership.

47. In the event that requirements for technical innovation are identified as a result of this work, and these requirements would align with the goals of public sector innovation funding schemes (e.g. benefit to the wider security and resilience of Scotland as a whole), consideration will be given to the potential for use of the Can Do Innovation Challenge Fund[19] to support the development of innovative solutions in this area. In the event that specialist academic expertise is required to explore specific issues raised by this area of work, consideration will be given to applying for funding for a collaborative industry/academia project or fellowship placement under the SICSA Cyber Nexus Programme.[20]

B. Strengthening awareness-raising and systems of advice and support

Key Action 4

The Scottish Government will work with the National Cyber Resilience Leaders Board, the NCSC and key private sector partners to strengthen the promotion of good cyber resilience practice at all levels in the private sector.

This work will include the strengthening of systems of advice and support for the private sector in Scotland, and communications activity aimed at raising awareness of the importance of cyber resilience and effective ways of achieving it. An initial "target landscape" for advice and support will be identified with the goal of achieving this by spring 2019, and thereafter improved on an ongoing basis.

48. It is vital that organisations across the Scottish private sector are aware of the importance of the cyber threat, know where to go to find trusted advice and support, and can take action to enhance their own cyber resilience.

49. The NCRLB have identified that there is a need to "declutter" and simplify the landscape in Scotland with respect to advice and support on cyber resilience for private sector organisations. Businesses of all sizes in Scotland should be able to discover the best official sources of advice and support in respect of cyber resilience, and be provided with high quality, consistent and easy-to-understand messages and advice products to support this. They should also understand where to go to find high quality, independent private sector expertise on cyber security.

50. To help achieve this, the Scottish Government and the NCRLB will work with key public and private sector partners to:

  • finalise analysis on the cyber resilience advice and support landscape in Scotland, to identify the key strengths and weaknesses in current arrangements;
  • develop and implement proposals to promote easier access to trusted sources of advice and support on cyber security for the private sector, with a focus on "decluttering" and simplifying the landscape. An initial "target landscape" for advice and support will be identified with the goal of achieving this by spring 2019, and thereafter improved on an ongoing basis; and
  • build on this work to ensure businesses are provided with high quality, consistent, and easy-to-understand messages and advice products through key partners to help raise awareness and support organisations’ progress in respect of cyber resilience. These communications and awareness raising activities will be delivered through a range of key partners where possible. These may include:
    • Business representative organisations and the Scottish Business Resilience Centre;
    • The Scottish Government, local authorities and other government bodies or agencies, including Skills Development Scotland, Business Gateway and Companies House;
    • Regulatory bodies;
    • Legal, accountancy and banking partners;
    • Private sector cyber catalyst organisations (see Key Action 5); and
    • Specific industry bodies.

Awareness raising activities will have a particular focus on:

  • Increasing understanding of the cyber threat, its importance to businesses of all sizes, and the business arguments for adopting good practice (including the introduction of the GDPR and the NIS Directive). The SBRC will undertake work with key partners to review the not-for-profit advice it provides to small and micro businesses in Scotland, to ensure it aligns with NCSC best practice.
  • Raising awareness of the proposed Private Sector Cyber Resilience Framework or Pathway (if developed successfully – see Key Action 2), and the commercial benefits of managing the cyber threat more effectively (including meeting the requirements of Scottish public sector procurement policies and those of private and third sector cyber catalysts).
  • Providing/signposting best practice guidance on how to build cyber resilience effectively into workplace learning, and opportunities to benefit from educational initiatives/apprenticeships and retraining and upskilling programmes, in line with the Learning and Skills action plan.
  • Publicising widely any incentives that exist or that have been developed (see Key Action 7) to support the achievement of standards/accreditation schemes.
  • Promoting and encouraging uptake of free, reputable services aimed at strengthening cyber security in the private sector.[21]
  • Promoting and encouraging active[22] membership of the Cybersecurity Information Sharing Partnership (CiSP) by eligible organisations, including any sectoral communities of trust within CiSP.
  • Promoting and encouraging SMEs to access key NCSC resources available from the NCSC website, including Cyber Alerts, Advisory and Guidance reports, and incident management guidance.
  • Encouraging the private sector to notify the NCSC and Police Scotland of cyber incidents in line with official guidance on reporting cyber incidents.
  • Promoting and encouraging uptake of the Cross Sector Security Communications Network (CSSC), managed by the Police Scotland team within the SBRC, to enable rapid alerts on key cyber security issues and to provide education and advice to business.

51. The role of the NCSC as a trusted source of advice is expected to be central to this work. Account will also be taken of the Scottish Government’s ongoing Enterprise and Skills review.

C. Strengthening partnership working, leadership and knowledge sharing in Scotland’s private sector

Key Action 5

The Scottish Government will work in partnership with the NCSC, UK Government and key Scottish private sector organisations to help catalyse better cyber resilience practice across Scotland’s private sector.

From summer 2018, a cross-sectoral group of private sector cyber catalyst organisations will work with the Scottish Government and the NCSC to develop and implement practical solutions to key challenges on an ongoing basis, with an initial focus on:

  • strengthening leadership for, and helping drive greater awareness and uptake of good cyber resilient behaviours in, the Scottish SME community, including through the use of supply chain measures;
  • strengthening coordination and knowledge sharing in respect of cyber resilience across key private sector companies operating in Scotland;
  • supporting and promoting uptake of key educational initiatives in Scotland, including cyber security apprenticeships; and
  • helping shape recommendations in respect of the potential for a more joined up, integrated, national-level approach to cyber resilience across the Scottish private sector (and public and third sectors).

52. Discussions with key Scottish private sector organisations have made clear that they fully understand the leadership role they can play in respect of cyber resilience in their sector. If we are to succeed in our shared goal of raising standards of cyber resilience across the whole of the Scottish private sector, it will be vital that influential Scottish private sector organisations commit to wielding their influence to encourage others to adopt good cyber resilience practice.

53. Many key private sector organisations in Scotland are already working collaboratively within their own more specific sectors, and with regulatory bodies, to improve cyber resilience. This is particularly so in respect of key areas of Critical National Infrastructure in the private sector. Valuable work is being done by the NCSC and other lead departments in the UK Government to ensure companies across the UK are implementing best practice. This is complemented by the Scottish Government’s programme of work on Critical Infrastructure, including the Stakeholder Impact Assessment process, under which Scottish Government officials meet with companies that are part of Scotland’s critical infrastructure and support them to explore their own resilience (including cyber resilience) and preparedness.

This work will be bolstered by the introduction of NIS legislation from May 2018, which should help drive greater uniformity across the sectors to which it applies. Competent Authorities will be charged with ensuring compliance with the legislation, and will be working closely with individual companies to assist them in assessing levels of cyber resilience and taking action to improve areas of weakness.

54. There remains a clear need:

  • to continue the support offered by the Scottish Government and other partners to NCSC/CPNI/the UK Government sectoral work on the cyber resilience of critical infrastructure in Scotland;
  • to extend the focus of work on cyber resilience beyond these sectors;
  • to ensure greater cross-sectoral cooperation, in both regulated and un-regulated sectors; and
  • to catalyse good cyber resilience practice across the whole of the Scottish private sector.

55. To help achieve this, from summer 2018 the Scottish Government will begin work in partnership with the NCSC, UK Government and a cross-sectoral working group of private sector "cyber catalyst" organisations to develop and support implementation of practical solutions to key cyber resilience challenges in the Scottish private sector on an ongoing basis.

The Scottish Government will play a leading role in supporting and driving forward the work of the group, and identifying avenues for delivery.

Membership of this working group will be refreshed on a regular basis, in line with the key areas of focus that are identified through the ongoing work of the group. An up-to-date list of private sector cyber catalyst organisations will be placed on the Scottish Government Cyber Resilience website. These organisations will commit at board level to working with the Scottish Government and the NCSC to undertake the following broad initial programme of work:

(i) Strengthening leadership for, and helping drive greater awareness and uptake of good cyber resilient behaviours in, the Scottish SME community, including by making use of supply chain levers.

Where appropriate, private sector cyber catalyst organisations will be asked and supported to:

  • Promote public messaging around the importance that should be attached to cyber resilience by all parts of the Scottish private sector, including by helping to develop and support a more consistent, joined-up programme of awareness raising activities aimed at the SME and third sector customer and client community in Scotland (see Key Action 4); and
  • Support work (set out in more detail at Key Action 6) to enhance cross-sectoral understanding and alignment of supply chain policies. A key aim of this work will be to examine whether more consistent "core" cyber resilience requirements can be identified in respect of the Scottish SME and third sector community that form part of influential organisations’ supply chains, thus improving the ability of SMEs to anticipate the likely cyber resilience demands that will be placed on them if they wish to win contracts.

(ii) Strengthening coordination and knowledge sharing in respect of cyber resilience across key organisations operating in Scotland.

Where appropriate, private sector cyber catalyst organisations will be asked and supported to share best practice knowledge gained from their own organisational activity on cyber resilience (including in respect of implementation of the NIS legislation or other regulations) across sectors, with a view to driving greater cross-sectoral alignment and best practice. This will include sharing learning with:

  • one another, including in respect of any challenges or difficulties they have encountered, or any innovative solutions they have identified to overcome barriers and ensure an effective understanding of the cyber threat and implementation of effective cyber resilience measures;
  • other Scottish private, public and third sector organisations – including, where appropriate, SMEs and charities – in order to help drive best practice in respect of cyber resilience, and develop a more coherent, aligned cross-sectoral approach across Scotland; and
  • the NCSC and the UK Government Cabinet Office, as well as NIS competent authorities, to help inform the future development of the NIS standards and guidelines and other relevant requirements. Over time, the expectation is that these standards and guidelines will mature and improve to take account of experience in implementing them and technological developments.

Catalysts may be asked to facilitate wider engagement, beyond the membership of the working group, between government and key organisations in their sub-sector in Scotland in appropriate circumstances.

(iii) Supporting and promoting uptake of key educational initiatives in Scotland, including cyber security apprenticeships.

Where appropriate, private sector cyber catalyst organisations will be asked and supported to:

  • make use of key educational initiatives in Scotland, including cyber security apprenticeships and Cyber First work placements, with a view to ensuring they have the right skills available to them to build organisational cyber resilience, and to support talent development in this area;
  • promote awareness of these initiatives as part of wider work on public messaging; and
  • help inform the development of future initiatives, to ensure they meet the needs of the Scottish private sector.

Further details of relevant initiatives and proposals in this area can be found in the Learning and Skills action plan.

(iv) Helping shape recommendations in respect of the potential for a more joined up, integrated, national-level approach to cyber resilience across the Scottish private sector (and public and third sectors).

Where appropriate, private sector cyber catalyst organisations will be asked and supported to contribute to work under Key Action 3 of this action plan, which aims to explore the potential for a more joined up, integrated, national-level approach to cyber resilience across the Scottish private sector (and public and third sectors).

56. A Scottish public sector cyber catalyst group has already been instituted, and it is intended that a similar group be established for Scotland’s third sector. The Scottish Government will work to support the sharing of knowledge and learning across all three sectoral cyber catalyst groups, and to help drive greater alignment across all sectors.

57. The Scottish Government’s existing work to support the overall resilience of critical infrastructure, including the Stakeholder Impact Assessment process, is being strengthened to take account of the NIS Directive. It is expected that through this, and similar activities, Private Sector Cyber Catalyst organisations that form part of the critical infrastructure of Scotland and the UK overall should experience greater consistency in respect of the audit/regulatory questions asked of them by the UK and Scottish Governments, regulators and competent authorities.

D. Supply chain cyber security – leveraging requirements to improve the cyber resilience of Scotland’s SME community

Key Action 6

The Scottish Government will work with private sector organisations and key partners to clarify the common core cyber resilience requirements that are currently placed on third party suppliers, and their relationship to wider standards and guidance, by spring 2019.

Thereafter, the potential for greater cross-sectoral alignment and cooperation in respect of common core supply chain requirements will be explored, with the goal of promoting greater coherence across Scotland’s public, private and third sectors.

A key aim of this alignment will be to improve the cyber resilience of Scotland’s SME community as part of the supply chain of larger private sector organisations.

58. Supply chain cyber security is a vital part of organisational cyber resilience. Cyber criminals often attack the organisation with the weakest cyber security within the supply chain, and use the vulnerabilities present in that organisation’s systems to gain access to other members of the supply chain, including large corporates.

59. Many large corporates in Scotland already require their supply chains to have appropriate cyber resilience measures in place, and make those requirements public. While the requirements they place on their supply chains are often similar, there is currently no agreed common practice or "core question set" either within or across sub-sectors (with the notable exception of the defence sector, where the Defence Cyber Protection Partnership has worked with industry to develop a Cyber Security Model for procurement[23]; this model is supported by an online tool called Octavian, which includes a short questionnaire to determine the Cyber Risk Profile for a contract or sub-contract).

Work is currently under way in the banking sector to explore the potential for greater alignment and cooperation between key organisations in respect of third party supply chain cyber security and assurance.

60. The NIS legislation and associated guidance will formalise requirements in respect of supply chain cyber security for private sector organisations that are subject to it – this may help ensure greater consistency in the approach taken across operators of essential services.

61. The Public Sector Action Plan commits the Scottish Government to working with key partners to develop a proportionate, risk-based policy in respect of supply chain cyber security, to be applied by public bodies in all relevant procurement processes. The views of Scottish business organisations have been sought on a draft policy early in 2018, with a view to implementation as part of the Scottish Public Sector Cyber Resilience Framework. This policy is expected to result in specific, proportionate, risk-based requirements being placed on private and third sector suppliers to the Scottish public sector in respect of cyber resilience.

The Scottish Government will make explicit how the public sector supply chain cyber security policy aligns with GDPR and NIS requirements.

62. To help: (a) ensure the SME supply chain cyber security of private sector organisations that form part of the critical infrastructure of Scotland, and (b) improve the cyber resilience of Scotland’s SME community, the Scottish Government will work with the NCSC and key private sector partners, including private sector cyber catalyst organisations, on the following programme of activity:

  • Seeking views from the private sector to help inform the development of the draft public sector supply chain cyber security policy in early 2018, so that it takes account of existing good practice in the private sector;
  • Identifying the current common core supply chain cyber resilience requirements that are placed on SME suppliers in key sectors of the Scottish economy, with a view to improving sectoral guidance for the SME community on what they need to do to strengthen their cyber resilience to position themselves to win contracts. This work should include a focus on progressive management of cyber threats and risks. Initial mapping of some key sector requirements should be undertaken by spring 2019.
  • Building on this analysis, considering the potential for greater cross-sectoral alignment of core supply chain cyber resilience requirements over time. Such alignment should have a particular focus on SME (and third sector) suppliers, and be informed by regulatory requirements (e.g. in respect of the finance sector or the NIS Directive) and existing good practice in the public, private and third sectors. It may include a focus on alignment with NCSC-endorsed guidance or schemes (including Cyber Essentials, the 10 Steps to Cyber Security, NCSC Supply Chain Guidance) and other widely recognised standards (e.g. ISO and IASME), and help inform the development of the proposed Private Sector Cyber Resilience Framework or Pathway (see Key Action 2); and
  • Building on any such alignment work, exploring the potential for cross-sectoral pooling or accessing of information to support supply chain security across Scotland’s strategic companies. This may include ways of accessing consistent information on which SME supply chain organisations have been assessed as capable of managing different levels of cyber risk in line with a Private Sector Cyber Resilience Framework or Pathway. This work will aim to reduce the burdens placed on both purchasers and suppliers in managing cyber risk in the supply chain.

63. While there will inevitably be a requirement for individual private sector organisations to include "bespoke" conditions around cyber security for specific contracts, identifying common core requirements should help provide a common starting point for consideration of the requirements that key private sector organisations (including the cyber catalyst organisations) will generally expect to see in place in their supply chains to manage the cyber risk in specific circumstances.

64. It is expected that this work will result in greater consistency in the incentives and requirements placed on Scotland’s SMEs that form part of the public, private and third sector supply chain (or that wish to do so). That greater consistency of messaging, centred around a widely disseminated Private Sector Cyber Resilience Framework or Pathway, should help drive greater awareness in the SME community of what good practice in respect of cyber risk management looks like. Annex C gives a visual representation of what this might look like.

65. Private sector organisations that make use of Cyber Essentials in their supply chain, either now or as a result of the alignment work described above, will also be encouraged to promote the use of a voucher scheme to support SMEs in their supply chains to achieve accreditation to Cyber Essentials or Cyber Essentials Plus level (see Key Action 7).

66. Of course, not all SMEs in Scotland form part of the supply chain of the public sector and larger private and third sector organisations. Wider awareness raising work will be required to ensure greater uptake of good cyber resilient behaviour. This is covered in Key Action 4.

E. Strengthening incentives to improve cyber resilience in Scotland’s private sector

Key Action 7

The Scottish Government and the National Cyber Resilience Leaders Board will work with the UK Government and key private sector stakeholders to consider how best to strengthen incentives to support the uptake of cyber security standards/accreditation, and the adoption of good cyber resilience practice more generally.

This will include the continuation of a modified voucher scheme to support the achievement of Cyber Essentials or Cyber Essentials Plus certification by Scottish SMEs. We aim to at least double the number of public, private and third sector organisations holding Cyber Essentials or Cyber Essentials Plus certification in total in Scotland during Financial Year 18-19.

67. Private sector partners have put forward arguments that incentives will be key to promoting the adoption of cyber security standards/accreditation and the adoption of good cyber resilience practice more generally.

68. The Scottish Government is particularly keen to support SMEs and microbusinesses, who will often be starting from a relatively low base of knowledge or experience, to begin their journey towards greater cyber resilience. One way of doing so is to support uptake of Cyber Essentials/Plus certification. The Cyber Essentials scheme offers a mechanism, endorsed by the National Cyber Security Centre, for organisations to demonstrate to customers, investors, insurers and others that they have in place critical technical controls that protect against the most common internet-borne cyber attacks.

69. The Digital Scotland Business Excellence Partnership supported a voucher scheme that ran from summer 2016 until end 2017 to help Scottish SMEs achieve Cyber Essentials or Cyber Essentials Plus certification. The scheme provided funding to SMEs to allow them to secure the services of an industry expert to advise them on how to approach securing Cyber Essentials certification. The voucher was of the value of up to £1,500 per company. An evaluation of this scheme found that it had a positive effect on take-up and achievement of Cyber Essentials amongst SMEs.

70. The Scottish Government will build on the success of this scheme by funding a modified voucher scheme to support Scottish SMEs (and third sector organisations) to achieve Cyber Essentials or Cyber Essentials Plus. This scheme is expected to be operational from autumn 2018. We aim to at least double the number of public, private and third sector organisations holding Cyber Essentials or Cyber Essentials Plus certification in total in Scotland during Financial Year 18-19.

71. Private sector organisations will be encouraged to publicise this scheme to their supply chain companies and customers/clients, in order to drive greater take up of Cyber Essentials and Cyber Essentials Plus. The scheme will also be publicised through key partners (including business representative organisations) as part of the awareness raising activities set out under Key Action 4.

72. Beyond this, the Scottish Government, the NCRLB, the UK Government and key partners will work together to explore what additional incentives are already in place or could be developed further to promote good practice in the Scottish private sector in respect of cyber resilience. Areas for consideration will include work with the insurance industry around cyber insurance incentives. High level proposals on additional incentive schemes will be considered by the NCRLB by spring 2019, with decisions on subsequent action taken thereafter.

F. Benchmarking, monitoring and evaluation

Key Action 8

The Scottish Government will work with the NCRLB and key partners to develop appropriate benchmarking, monitoring and evaluation arrangements, for implementation by spring 2019.

73. In order to understand what progress is being made towards the vision of Scotland as a world leading nation in cyber resilience, it will be important to have in place arrangements to achieve a regularly refreshed picture of the extent of good cyber resilience practice in Scotland’s private sector. The benefits of this are expected to include:

  • The provision of greater assurance to members of the public with regard to the cyber resilience of Scotland’s private sector as a whole and the cyber resilience of specific sub-sectors.
  • The provision of greater assurance to investors with regard to the cyber resilience of Scotland’s private sector, thus contributing to the attractiveness of Scotland as a destination for inward investment.
  • The provision of useful benchmarking information for private sector organisations, to assist them in making judgements around what level of standards/accreditation they should be aiming to achieve in light of industry benchmarks.
  • The provision of greater assurance to Government, Parliament and Regulatory Bodies with regard to levels of cyber resilience across key areas of Scotland’s private sector.

74. To help achieve this, the Scottish Government will work with the NCRLB, the NCSC, Competent Authorities/Regulatory Bodies and key partners to develop appropriate benchmarking, monitoring and evaluation arrangements by spring 2019. Key measures that may form part of these arrangements include:

  • Working with Competent Authorities to monitor the extent to which key Scottish private sector companies are complying with the requirements of the NIS security principles (e.g. by making use of appropriate aggregated and anonymised information, broken down by sector);
  • Working with the NCSC to monitor and report on the number of businesses achieving Cyber Essentials and Cyber Essentials Plus;
  • Working with accreditation bodies and external audit companies to understand levels of take-up of private certification schemes and "attestation" in Scotland, where possible;
  • Working with key partners to monitor and report on the uptake of free, reputable cyber security tools amongst Scotland’s private sector (e.g. the Global Cyber Alliance’s DMARC and Protected DNS services);
  • Working with the NCSC to monitor and report on membership of the SciNet grouping on the CiSP; and
  • Inclusion of appropriate questions focused on cyber resilience in Scottish-based surveys (e.g. the Scottish Crime and Justice Survey).
