In a foreword, John Swinney, deputy first minister for the Scottish Government, writes: “Digital technologies cut across everything we do – as our forthcoming Digital Strategy will demonstrate. The secure and resilient ways we use them cannot be an afterthought. Cyber resilience cannot be viewed simply as an ‘IT issue’. It is, in fact, the very backbone to every public service, to every business and to every community in Scotland. It is a critical part of our economic and societal recovery and renewal, especially as Scotland embraces new technologies such as Artificial Intelligence, Smart Cities and 5G wireless networks.
“Cyber resilience is key to operational resilience and business continuity, as well as our capacity to grow and flourish as we adapt to the demands of operating online. Our ability to deter, respond to and recover from national cyber attacks is our top priority. We need to plan, exercise and reflect continually and collaboratively, to ensure that Scotland is prepared to withstand cyber threats.”
Chair of the National Cyber Resilience Advisory Board is David Ferbrache. He says that the framework sets out the approach Scotland will take to creating a digitally secure and resilient nation. “A challenge which requires a community effort to raise the awareness of the cyber threat; to help prepare our people, our organisations and our businesses to deal with cyber risks and a growing cyber crime threat.”
He says that cyber resilience should be embedded in digital services, and that cyber incidents require a national response, “which can quickly mobilise the support which organisations need to detect, respond and recover from a major cyber attack. The time has passed when individual organisations can regard themselves as medieval castles each defending themselves. We now are all part of an increasingly interconnected digital ecosystem.”
David Ferbrache is among the speakers at a ‘state of the cyber nation’ panel discussion hosted by The Scotsman on Thursday, one of many CyberScotland Week online events. The panel follows an opening address by Ivan McKee, the Holyrood government’s Minister for Innovation, Trade & Public Finance.
As for who does what, the document says that the UK Government is producing an interim National Cyber Security Strategy in 2021; Scotland’s Framework and the UK Government’s strategy are ‘mutually supportive’. The National Cyber Security Centre (NCSC) provides defence and deterrence against higher-end state threats for the whole of the UK.
As for the actual content of the framework, it has a ‘vision’ that ‘Scotland thrives by being a digitally secure and resilient nation’, and four ‘outcomes’:
– People recognise the cyber risks and are well prepared to manage them;
– Businesses and organisations recognise the cyber risks and are well prepared to manage them;
– Digital public services are secure and cyber resilient; and
– National cyber incident response arrangements are effective.
Steve Hamilton, Area Vice President, Northern Europe at cyber firm Tanium, says: “Cyber Week Scotland provides a great chance to remind organisations, in both the public and private sector, that they need to cover both the technology and human aspects of cybersecurity to develop an adequate level of protection. Although technology alone can provide a certain level of security, research shows that 90pc of cybersecurity breaches are still being caused by human error which usually involves clicking on a malicious link in an email.
“Therefore, organisations must ensure that their employees have an adequate level of knowledge and training on common threats they should expect, especially with such a large amount of staff working remotely as a result of lockdown. At home people can be faced with other distractions that they may not have in an office – causing their guard to drop on IT security. The technology aspect is also crucial. A key aspect of this is IT teams having awareness of what devices are connected to a corporate network. They will need to detect a cyber attack’s entry point and see how much of a system has been affected so that quick action can be taken to fix the issue. This means that even if an initial breach occurs, there’s still a good chance that only minimal damage will be caused.”