Scottish Government public sector cyber resilience action plan aims to address lack of guidance on cyber security

Written by Jenni Davidson on 8 November 2017 in News

The Scottish Government has published an action plan for public sector cyber resilience in the wake of high profile attacks

Cyber security - Image credit: Holyrood

A new action plan aimed at protecting Scotland’s public bodies from cyber attacks has been published by the Scottish Government.

The new public sector cyber resilience action plan will require public bodies to put in place common cyber security measures across their organisations.

The tightening up of cyber security comes in the wake of the WannaCry ransomware attacks across the world, which affected a number of NHS boards across Scotland.

The Scottish Parliament was also recently the target of an unsuccessful ‘brute force’ cyber attack that attempted to break through passwords.


The action plan highlights a lack of monitoring and reporting in place currently to check that public bodies have the necessary procedures in place.

It says: “There is currently a lack of guidance making clear the minimum standards of cyber resilience that all Scottish public bodies should strive for.

“Nor is there any well-defined monitoring and reporting framework to allow Scottish ministers, the NCRLB [National Cyber Resilience Leaders’ Board] and the Scottish Parliament to secure a clear picture of cyber resilience across the Scottish public sector.

“Unless we address this, measuring progress and providing assurance to citizens and businesses will be challenging, with the potential for knock-on consequences for our public services and our digital economy.”

While the plan’s focus is on public bodies, the Scottish Government has said it will work with other parts of the public sector, such as colleges and universities and councils, wherever possible.

This plan, which lists 11 action points, aims to ensure that public bodies acts as leaders in promoting higher standards of cyber resilience across Scotland.

The actions, most of which are required to be in place by June 2018, include developing a “common, effective, risk-based approach” to cyber resilience across the public sector.

This will be set out in a cyber resilience framework, which will be developed by the Scottish Government in partnership with the NCRLB, the National Cyber Security Centre (NCSC), Scottish public sector cyber catalysts and others.

A new public sector cyber catalyst scheme will see a number of bodies commit to becoming exemplars for cyber resilience, helping identify common issues and solutions, and sharing knowledge with the wider public sector.

All public bodies will be required to have minimum cyber risk governance arrangements by the end of June 2018.

By the same date, public bodies that manage their own networks must become active members of the NCSC’s Cybersecurity Information Sharing Partnership (CiSP) to promote the sharing of information about cyber threats.

Funding will be made available for public bodies to undergo Cyber Essentials “pre-assessments”, by the end of March 2018.

The plan will also have an impact on purchasing of goods and services, with the Scottish Government planning to consult on a “proportionate” policy on supply chain cyber security – aligned to GDPR – in early 2018 and recipients of public grant funding also needing to have appropriate cyber security arrangements in place.

Delivery of the action plan will be coordinated and led by the Scottish Government’s Cyber Resilience Unit, working in partnership with the NCRLB and Scottish public bodies.

The plan was launched today at CBI Scotland’s annual cyber security conference.

Commenting on the action plan, Deputy First Minister John Swinney said: “I want Scotland to be a world-leading nation in cyber-resilience by 2020.

“The Scottish Government recently committed to developing a range of action plans to help meet this ambition, including in the key areas of learning and skills, economic opportunity, and public, private and third sector cyber resilience.

“Today marks the first of those plans being published.

“Our public sector action plan will encourage all public bodies, large or small, to achieve common standards of cyber-resilience.

“I want our public sector to lead by example on strengthening cyber-security, to help ensure Scotland is ready to deal with all emerging threats.”

Dr Keith Nicholson, joint chair of the NCRLB Public Sector Steering Group, said that one of the strengths of the Scottish public sector was its willingness to work together and share good practice and the Public Sector Action Plan on Cyber Resilience was “the embodiment of that spirit”.

Further actions plans for the private and third sectors will also be developed in partnership with those sectors.



Related Articles

Securing the digital world: cyber security and GDPR
22 June 2017

A series of cyber attacks has grabbed the headlines – what is being done to protect our data and our safety?

Mhairi Black urges Boris Johnson and Jeremy Hunt to resolve ‘daylight robbery’ of unclaimed pensions
8 July 2019

Research by the Association of British Insurers and Pensions Policy Institute suggested there could be nearly £20bn of unclaimed pensions in the UK

Nicola Sturgeon opens new £8.9m centre for lightweight manufacturing technology
26 June 2019

Lightweight Manufacturing Centre, operated by the University of Strathclyde, will develop lighter, more efficient components for high-value industries, including automotive and aerospace

Related Sponsored Articles

Associate feature: 5 ways IoT is transforming the public sector
5 February 2018

Vodafone explores some of the ways IoT is significantly improving public sector service delivery

Balancing security and digital transformation
24 October 2018

With the annual worldwide cost of cybercrime set to double from $3tn in 2015 to $6tn by 2021, BT offers advice on how chief information security officers can better...

Associate feature: Who keeps your organisation secure?
19 February 2018

BT's Amy Lemberger argues that having the right security in place to protect your organisation is no longer just an option. It is a necessity.

Share this page