A Consultation on the development of a Cyber Resilience Strategy for Scotland

Council HQ
London Road
Kilmarnock

The principles support vision of shared responsibility, from national leadership through to shared responsibility and the principle of all users of technology working together to improve on a safer on-line environment.

It is important that “education” remains at the forefront of these principles: leaders; managers; educators; students; our young people; and citizens who use and engage with technology must be fully aware of the risks - and their responsibilities – when connected to the cyber world.

Without education and understanding of the risks in a personal and business environment, it may be difficult for the strategy to succeed.

I would agree with the vision however it could be seen as very business-orientated and therefore may not resonate with citizens, their personal use of the internet, and the responsibility they have to use the internet safely and securely whilst protecting their own data from being compromised.

The strategic outcomes address the use of on-line technologies in both a personal and business environment; the strategic outcomes should be delivered through a comprehensive education programme.

The objectives stated are adequate however I would question the view that “none of these objectives is more important than the other” – the second objective is key … raising awareness and communication, being more aware of the potential risks and becoming more cyber aware, will be delivered through an effective education programme.

Raising awareness of cybercrime should ultimately support a reduction in such instances occurring and therefore will be become less of a burden to business; public bodies would also benefit through a reduction in fines for data breaches.

The strategy should be developed to raise awareness of cyber security and best practice methodologies. The strategy should not be overly prescriptive or designed as a “one solution to fit all”; high level controls can either compel organisations to spend large amounts of money unnecessarily (particularly in the current financial climate) or to undertake technical works that have a detrimental effect on service delivery.

Public bodies are already very aware of the need for information and data security, and are compelled to protect personal sensitive data to meet the obligations of the Data Protection Act. The notion that the Scottish Government will “hold public bodies to account” (particularly without legislation) could be seen as another level of bureaucracy that adds very little to the need for cyber resilience.

The Scottish Government can have a very important role in terms of raising the profile of, and leading the promotion on, the need for enhanced cyber resilience across on-line services; however it should do this as a practitioner where cyber resilience is demonstrated as being core to the evolution of on-line service delivery, and as a facilitator to ensure best practice methodologies are available to all public bodies.

Educating businesses and citizens on the need for cyber safety is absolutely key, therefore any, every, and all methods to support cyber awareness should be encouraged across organisations and within citizens’ personal environment.

Most businesses will be aware of where to obtain information and support in relation to cyber security and perhaps therefore there is a great need to make information more generally available for the wider community; citizens need to be more aware of their personal risks and responsibilities to protect themselves from, for example, fraud or identity theft.

Our young learners are already an on-line population, using the internet to communicate with friends and family, for research as part of their studies, and to participate in gaming sessions. Educating our young learners in how to use an on-line environment safely and securely is key, and ultimately will lead to a population who are more digitally connected to meet the need for technical expertise in to the future.

Whilst it is important to quantify the cost of cybercrime, the focus should equally be on increasing education awareness and the need for cyber resilience; through time this should reduce cost associated with cybercrime – both directly as a result of criminality, and indirectly as a result of fines imposed on public bodies by the Information Commissioners Office in relation to data breaches.

Education is key to raising the profile of cyber awareness. It is important that citizens and businesses are encouraged to maximise the benefits of technology and on-line services, therefore the strategy should be implemented with a measured, balanced, and common sense approach, where it is considered an enabler to better safety and security rather than a barrier to the digital agenda.

Action plans and milestones need to be measured and realistic, otherwise they will be ineffectual and public bodies may not be keen to support a national implementation. It is important to remember that technology changes are rapid and therefore a positive outcome of annual evaluation should be to ensure learning and effective good practice is shared.