Jude McCorry, CEO of the Scottish Business Resilience Centre
Earlier this year the UK government invested nearly £40m to help local authorities boost their cyber resilience as part of the first ever Government Cyber Security Strategy. In doing so, they made their intent for the public sector to strengthen its cyber defences loud and clear.
There is a good reason for this: the National Cyber Security Centre found that 40% of cyber incidents between 2020 and 2021 were aimed at UK public sector organisations.
Public sector organisations and departments play a key role in our society, from allowing people to access their pensions to obtaining support from local government, health services, and social care. As a result, they hold incredibly sensitive and private data which must be protected.
However, research shows there is a gap in knowledge of how to do so: one study found that nearly six in ten public sector organisations don’t have the skilled workers available to manage their cyber security. The same study said only 31% of cyber security professionals in the public sector are confident in their ability to adapt to – and therefore manage – new threats.
A similar gap in managing cyber defences exists in the third sector, with 71% of charities believing cyber security is important, yet nearly three in ten don’t have a plan in place if they are attacked.
Closing this gap often requires a level of financial investment. Many public and third sector organisations are understandably hesitant to divert funds from their services; however, there are free and low-cost options available. That’s one of the topics to be covered at the upcoming DigitalScotland Conference in Edinburgh on 25th October.
The conference will focus on digital transformation, skills, and data-driven innovation, but several sessions will look at how to stretch an organisation’s cyber “legs” and exercise its defences. One of these will be a micro session of Exercise in a Box – a free workshop available to organisations throughout the UK.
The workshop will be practical, giving participants the chance to further their cyber knowledge and identify areas of improvement in their own organisations’ IT defences. As with every ‘Exercise in a Box’ session, it will offer an opportunity to test responses to a cyber-attack in a real-life scenario without putting any data at risk.
It will also consider the role that an individual plays in keeping a system secure, as well as organisational policies, with topics including connecting securely when working remotely; ensuring password security; identifying phishing emails; and responding to a ransomware attack.
Cyber exercising isn’t just important for testing your cyber defences. It creates a culture of learning within the team and provides an opportunity for individuals to understand how they might react during a future incident and clarify actual versus perceived capabilities. It can also show where it might be worth it for an organisation to invest money, such as in training or specific technologies.
Exercise in a Box isn’t the only opportunity for public and third sector professionals in Scotland to test their defences and understand how to protect themselves. For example, the Scottish Council for Voluntary Organisations offers digital check-ups and 1-2-1 support. Workshops like Exercise in a Box allow organisations to find out how resilient they are in a safe environment, and if you do suffer or suspect a hack, SBRC’s free Incident Response helpline 0800 167 0623 is there to assist.
The CyberScotland Partnership also recently released an induction guide for employees to better understand the role they play in preventing cyber attacks and help develop a culture of cyber defence within organisations.
A cyber incident can cost an organisation at least £11,000 – and often much more. This is money that most public and third sector organisations don’t have to spare. Rather than risk that money, save it to invest in your organisation’s people and services – the things public and third sector organisations are best known for.