Public organisations are a rich treasure trove of personal data that criminals could use to commit identity theft, financial fraud, and more.

According to National Cyber Security Centre (NCSC) figures, nearly 40% of cyber incidents they investigated are attacks on the public sector. Clearly, no organisation handling sensitive public information can afford to be complacent.

It’s not enough for only a few to be responsible for the IT security of an organisation – every employee must be cyber-aware. I would encourage everyone to start 2023 in the right direction and put cyber security at the very top of their priority list.

As the saying goes, the best offence is a good defence. Being proactive (and, indeed, reading articles like this one) is the best first step to reduce the chance of an attack breaking through your security and, if it does, limit the fallout.

And so, for any organisation that may be uncertain about where to begin, here are four basic steps to take to ensure your cyber security measures can withstand any attack.

1. Prepare a plan

Your IT team will likely know all about building technical defences, but cyber security must also be viewed from an operational perspective. Creating an incident response plan should be your starting point for this.

It doesn’t need to be complex. A basic incident response plan lays out the actions and roles everyone will play in getting the organisation operational following a security breach. At its core, it should have information on how to keep staff and stakeholders updated and contact details for service users and partners.

You should also include details of organisations that can support you and those you will need to report to, including the Information Commissioner’s Office.

Keep the Scottish Business Resilience Centre’s Incident Response helpline number in there, too: 0800 1670 623. It’s a free resource for anyone worried they’ve been attacked or are at risk of being so.

2. Test and educate

Once you’ve developed your incident response plan, don’t leave it in a cupboard or saved in a folder somewhere on your system – put it to the test right away. Conducting regular training scenarios will ensure everyone knows what to do and help check how people react in an attack.

It’s also worth testing scenarios that involve a total loss of IT access. While less common, they happen occasionally – and it’s a great reminder that paper copies of anything vital (like your incident response plan) should be made available just in case.

If you’re at all uncertain about your organisation’s response, there are plenty of free resources to improve it, such as the Scottish Business Resilience Centre’s Exercise in a Box workshops or the NCSC’s online cyber training course.

The CyberScotland website also offers a guide to cyber security that can be shared with staff to ensure they know the role they can play in your organisation’s security.

3. Consider this an investment  

Public sector organisations need to strictly account for their spending – but an investment in cyber security should be a priority as it could help reduce costs in the long run. Remember the recent cyber attack on the Irish Health Service Executive, the cost of which has hit close to €80 million and is continuing to rise?

The free resources above can help, though there is also paid support.

But investment in cyber doesn’t have to be entirely financial; you can also invest your time. There are plenty of events geared towards public sector organisations, such as Futurescot’s Public Sector Cyber Security Conference on 27 February, which kicks off this year’s CyberScotland Week – more information and the link to register is available on the Futurescot website here.

4. Go beyond the basics

The above are the starting points for ensuring your organisation has robust cyber security measures in place. There are further steps you can take, such as employing a ‘zero trust’ approach – in other words, assuming everything is a threat unless proven otherwise.

Cybercriminals are savvier than ever and constantly updating their methods to find a point of entry.

Keeping on top of your own defences, and making your employees part of that, is the best way to start the year and move towards a more resilient and hopefully bullet-proof public sector.