The Scottish government has announced an ambitious plan to improve the cybersecurity of the nation’s public sector bodies.
The new document, Safe, Secure and Prosperous: A Cyber Resilience Strategy for Scotland, describes an action plan for 2017-18.
Drawn up by the government north of the border and the National Cyber Resilience Leaders’ Board, it aims to establish a culture of cyber resilience within the public sector.
“While many Scottish public bodies already have sound standards of cybersecurity in place, our aim is for the Scottish public sector as a whole to become an exemplar in this field over time,” said deputy first minister, John Swinney, in a statement.
“By undertaking the actions set out in this plan, Scottish public bodies will be committing to implementing a common approach to cyber resilience, offering greater assurance to those who make use of our digital public services.”
The plan includes measures designed to improve baseline security such as ensuring public bodies: join up to the NCSC’s Cybersecurity Information Sharing Partnership (CiSP); undergo Cyber Essentials “pre-assessments”; have in place training and awareness raising arrangement; draw up incident response plans; and implement the NCSC’s Active Cyber Defence Programme.
The latter is a list of four measures including implementation of DMARC; scanning of websites via the NCSC-built Web Check tool; DNS blocking using GCHQ and private sector intelligence; and phishing and malware mitigation in collaboration with Netcraft.
The Scottish government action plan also focuses on securing the supply chain, such as recipients of public grants, and will create a Dynamic Purchasing System for Digital Services including cybersecurity — to ensure all public bodies have access to the right expertise.
David Stubley, CEO of Scottish cyber consultancy 7 Elements, told Infosecurity: "The new cyber action plan shows that the Scottish Government takes the digital security of the country seriously and is a great start in making Scotland the safest place to be online."
The plan will be followed by similar reports for the private and third sectors, and has itself been accelerated after the WannaCry attacks of May this year, which affected 11 out of 14 Scottish health boards.