Strategic Framework for a Cyber Resilient Scotland - End Year Review 2023-24

A review of strategic activities undertaken in 2023-2024 to improve Scotland's cyber resilience.


Public Sector Action Plan and Achievements

The Public Sector Action Plan (2023-25) has 7 key objectives. These are that public sector organisations:

  • embed cyber resilience into their governance, policies, and processes
  • improve their understanding of cyber risks
  • advance their cyber assurance by embedding cyber security standards and regulations and actively managing compliance
  • improve their staff’s cyber resilient behaviours
  • increase opportunities for professional development of their IT and cyber security staff
  • are prepared for, and can effectively respond to and recover from, cyber incidents; and that
  • the Scottish Government ensures national cyber incident response arrangements are effective.

Key achievements in 2023/24 include:

  • Public Sector Cyber Security Assurance Survey - The 2023 annual Public Sector Cyber Security Assurance Survey results show that 93% of public sector organisations in Scotland have cyber awareness staff training in place, 91% have robust governance in place and 86% have well developed cyber incident response plans.
  • Public Sector Board Training - During 2023/24, the Scottish Government provided 25 facilitated public sector board training sessions to 263 board members from 93 organisations aimed at raising awareness and supporting board members to provide constructive challenge to their organisations on cyber issues.
  • Supply Chain Assurance - Public sector supply chain cyber assurance guidance published in December 2023 ensures that the public sector have examples of good practice to guide their supply chain cyber assurance processes when procuring goods and services with a digital element.
  • Public Sector Cyber Upskilling Fund - The fund was distributed to 52 organisations between November 2023 and March 2024. Managed by ScotlandIS, it trained 201 individuals in certified cyber security courses across 27 Local Authorities, 14 Health boards, Scottish Fire and Rescue services, Police Scotland, Scottish Ambulance services, SEPA, Scottish Water and 5 charities.
  • Exercise in a Box - We funded the Cyber and Fraud Centre to deliver exercising to public sector bodies using NCSC’s Exercise in a Box tool to improve cyber incident response planning. Nearly 800 workers from across 119 public and third sector organisations took part in 37 Exercise in a Box sessions.
  • Public Sector Cyber Resilience Network Webinars are held regularly to bring together contacts from across the sector to share and discuss intelligence, good practice, and common challenges. The most recent session at the end of February 2024 saw almost 300 representatives from the sector taking part in a webinar on lessons learned from the SEPA and Comhairle nan Eilean Siar cyber attacks.

Case Study – CyberScotland Week 2024

CyberScotland Week is the flagship week that brings people and organisations across Scotland together to raise cyber security awareness.

CyberScotland Week 2024 took place between 26 February and 3 March, with over 164 in-person, virtual and hybrid events across the country, aiming to improve cyber resilience knowledge and behaviours, and promote skills development and careers in cyber security. Events included:

  • FutureScot’s Cyber Security 2024 Conference with over 330 in attendance and speakers from as far afield as the USA
  • A first of its kind 24-hour cyber marathon with varied events to help boost the attendees’ cyber awareness and resilience
  • The CGI Cyber Escape which tasked teams to work together to ‘escape’ the room. This event allowed attendees to strengthen their team’s communication and cyber resilience in a fun way
  • Cyber Quiz Showdown that let parents/carers team up to go head-to-head with the younger generation, to see who would come out on top and be titled ‘Cyber Champion’
  • Police Scotland Cyber Security Awareness Conference, reaching businesses and organisations from the public and private sectors
  • Focused cyber security sessions providing outreach to a diverse range of communities across Scotland.

Case Study – Empowering Women in Cyber – Leading Change in Public Sector

We funded Empowering You to develop a virtual leadership programme in response to the challenges faced by a significant number of women working in cyber security in accessing in-person leadership development opportunities, owing to barriers including geographical location, care commitments, mobility issues and other health-related considerations.

Between November 2023 and March 2024, the virtual “Women in Cyber” leadership programme brought together 18 female InfoSec/Cyber Security professionals from across the Scottish public sector. Incorporating virtual group workshops and one-to-one coaching, the programme culminated in an in-person graduation event in Edinburgh. 89% of participants successfully completed the full programme. 92% of respondents to the post programme survey reported that their participation led to a “significant improvement” to their confidence and ability to lead.

Scottish Cyber Coordination Centre (SC3)

In response to the escalating cyber threat, Scottish Ministers announced the establishment of the Scottish Cyber Coordination Centre (SC3).

SC3’s purpose is to:

  • Coordinate the management and response to significant cyber security incidents impacting Scotland.
  • Be the focal point in Scotland for analysis, assessment, and dissemination of authoritative threat intelligence.
  • Lead on the development and roll out of good practice for exercising, particularly across our public sector.
  • Engender a culture of continuous improvement by adopting lessons learned and actions arising from incidents and audits.
  • Support communications and engagement across public bodies, private and third sectors.

SC3 has five areas of focus: ‘Incident Coordination’, ‘Vulnerability Management’, ‘Cyber Exercising’, ‘Threat Intelligence’, and ‘Standards and Insights’.

Key achievements in 2023/24 include:

  • National coordination of response to two Scottish Public Sector Cyber Incidents - (Comhairle nan Eilean Siar and NHS Dumfries and Galloway). In both instances, SC3 hosted multi-agency cyber incident response procedures to support the victim organisations. When the ‘lessons learned’ reporting has been reviewed, it will be shared for the wider benefit of others.
  • Cyber Exercising - Building on SG funded NCSC Exercise in a Box training, SC3 are developing the Scottish Public Sector Cyber Incident Exercise Cadre to boost cyber exercising of public organisations. A two-day cyber exercising coordinators’ training course in 2024 was delivered to the first 13 staff of a group of 35 who have agreed to become part of the Cadre. The majority are from resilience and business continuity roles, and already have experience of exercising outside the cyber security area.
  • HEFESTIS Pathway - Pathway, run by HEFESTIS (Higher and Further Education Shared Technology and Information Services), is a shared CISO (information security) service that enables cyber maturity assessment and benchmarking.
  • In January 2024, a project was initiated to test whether the HEFESTIS Pathway concept could be applied to the wider public sector, with a view to it becoming a self-sustaining subscription model. This includes access to a secure technical infrastructure hosting the Pathway toolsets, guidance based on the Public Sector Cyber Resilience Framework (PSCRF), other support services and risk management tools. This is currently being assessed and a report is due in March 2025.
  • Threat bulletins and Vulnerability Reports - Since 2023, SC3 have produced and shared a daily threat bulletin and a weekly vulnerability report. 156 public sector organisations currently receive these reports. A monthly ransomware report has also been issued since July 2024.
  • MISP (Malware Information Sharing Platform) - SC3 continues to develop a community for sharing automated actionable threat intelligence among the public sector. This includes increasing the number of organisations that are active members of the Cyber Scotland Shield MISP instance. The number of users has increased from 43 to 102 over the past year.

Case Study – Exercise Celtic Broch

Building on SG funded NCSC Exercise in a Box facilitated training, SC3 are building up the Scottish Public Sector Cyber Incident Exercise Cadre to improve cyber exercising of public organisations.

In April 2024, members of the Scottish Public Sector Cyber Incident Exercise Cadre developed and delivered Exercise Celtic Broch, an exercise to test the operational and strategic response to a significant cyber attack affecting service delivery across the three councils in the Forth Valley area: Falkirk, Stirling and Clackmannanshire. The exercise allowed the local authorities to test their own processes, identify improvements, highlight common issues across the authorities and explore mutual aid options.

Contact

Email: CyberResilience@gov.scot
