1 / 51

Creating the conditions for a cyber resilient Scotland

Learn about Scotland's strategy to become a global leader in cyber resilience by 2020. Explore actions plans, leadership roles, and the risks faced by third sector organizations, empowering you to protect against cyber threats.

Download Presentation

Creating the conditions for a cyber resilient Scotland

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Creating the conditions for a cyber resilient Scotland Dan Waddell Cyber Resilience Engagement and Communications August 2019

  2. Safe, secure and prosperous: Scotland’s cyber resilience strategy Our ambition Scotland can be a world leader in cyber resilience and be a nation that can claim, by 2020, to have achieved the following outcomes: (i) Our people are informed and prepared to make the most of digital technologies safely. (ii) Our businesses and organisations recognise the risks in the digital world and are well prepared to manage them. (iii) We have confidence in, and trust, our digital public services. (iv) We have a growing and renowned cyber resilience research community (v) We have a global reputation for being a secure place to live and learn, and to set up and invest in business. (vi) We have an innovative cyber security, goods and services industry that can help meet global demand.

  3. Setting the scene: Programme for Government • Commitment 2017-18 to develop 5 action plans • Learning and skills (published March 2018) • Public sector cyber resilience (published Nov 2017) • Private sector cyber resilience (published June 2018) • Third sector cyber resilience (published June 2018) • Economic opportunity (published September 2018) • Commitment 2018-19 • Continued investment to support successful delivery

  4. Learning and Skills Action Plan 4 overarching aims (37 key actions) Increase people’s cyber resilience through awareness raising and engagement Explicitly embed cyber resilience throughout our education and lifelong learning system Increase people’s cyber resilience at work Develop the cyber security workforce and profession to ensure that skills supply meets demand and that skilled individuals can find rewarding employment in Scotland

  5. Leadership: Third Sector Cyber Catalysts Our Cyber Catalyst partners

  6. Supporting Scotland • Douglas Armstrong • Head of Third Sector Cyber Resilience Douglas.Armstrong@gov.scot • Dan Waddell • Cyber Resilience Engagement & Communications • Daniel.Waddell@gov.scot • Kirstie Steele • Cyber Resilience Training and Awareness Lead Kirstie.Steele@gov.scot • Cyber Resilience Unit • CyberResilience@gov.scot

  7. Cyber Resilience in the Third Sector Alison Stone, Cyber Resilience Co-Ordinator

  8. Our digital strategy PARTICIPATION Tackle inequality by equipping individuals with basic digital skills INNOVATION Support digital innovation in the third sector to extend the reach and impact of organisations through the use of tech for good EVOLUTION Maximise the impact of the third sector by encouraging digital transformation and evolution

  9. This presentation includes…

  10. The digital landscape

  11. Quick quiz… What is this?

  12. A whole new world… • Digital technologies bring significant opportunities for organisations and the economy, but they also bring with them new threats and vulnerabilities that must be managed. • The National Crime Agency describes cyber crime as a "major and growing threat" to UK organisations (Tier 1).  • Cyber criminals are motivated by financial gain – to steal funds or capitalise indirectly through fraud, extortion and data theft • No organisation is immune and must adopt a "When, not if" mindset 

  13. Strong Cyber Resilience is vital

  14. Strong Cyber Resilience is vital

  15. The risks to Third Sector organisations • The National Cyber Security Centre (NCSC) is the UK's independent authority on cyber security.   • They believe that charities don't see themselves as targets, however, the culture of openness and trust within the sector makes charities vulnerable to some types of cyber crime activities • UK charities hold funds, as well as personal, financial and commercial data that is of interest or of monetary value to cyber criminals 

  16. Third Sector organisations are targeted... • 30 charities interviewed for a recent report had collectively experienced a range of cyber attacks including:  • Viruses • Phishing emails  • Ransomware attacks  • Identity theft  • Website takedowns  • Variations of online financial fraud • These incidents resulted in loss of funds, data & website control

  17. Third Sector organisations are targeted... • Criminals are primarily motivated by financial gain • They may seek to directly steal funds or capitalise indirectly through fraud, extortion or data theft  • Datasets containing personal details & financial information are an attractive target.  • Charities involved in the protection of vulnerable individuals or holding sensitive medical data could be especially susceptible

  18. Third Sector organisations are targeted... • Criminals exploit the credibility and appeal of charities to trick donors into giving money to what appears to be a legitimate charity – using fake websites  • They also react quickly to exploit disasters and global events to steal donations.  Whilst not directly targeting charities, the potential for financial and reputational damage is vast 

  19. Being cyber resilient is: • Taking steps to reduce the risk of cyber breaches • Making sure that if a breach occurs you know how to respond to ensure: • Adequate legal response • Responsible public response • Business continuity

  20. A cyber breach is: • An incident in which data is lost or stolen. Such as: • Financial data (££s from your bank) • Security data (usernames/passwords) • Personal data (emails, address, phone numbers, medical data…) • In some cases, security data or personal data could be more ‘costly’ than financial data • Requirements to report cyber breaches in relation to the loss or theft of data are included in GDPR

  21. Myth vs Reality

  22. What are the main causes of cyber breaches? • Myth: Hackers,Ransomware, Viruses Reality: “48% of business who have experienced a breach said the root cause was a “negligent employee or contractor”. • A cyber breach is not always a cyber-attack.

  23. Who carries out cyber attacks? Myth: • International, state-sponsored hackers • Highly organised criminal gangs using top of the range tech Reality: • Often opportunists, taking advantage of weaknesses, looking for easy £. • Often using easily accessible software, or simply an email.

  24. Who are the targets? Myth: • Hackers focus on big business and high-profile companies with lots of money or data Reality: Everyone… • Whoever takes the bait • Vulnerable: individuals and businesses

  25. What are the types of threats? • Accidental loss of data • Insider treats • Disgruntled employee? • Opportunity? • Making a statement – whistleblowing? • Moving to a competitor? • Incentivised? • Social engineering • Phishing • Spear-phishing • Whaling • Viruses • Malware • Spyware • Ransomware • DDoS • BYOD • Policies • Security software

  26. Taking it seriously • Assume that you will have an attack or a breach • You may already have… • People are testing “doors” looking for ones which are weak, vulnerable, or left unlocked • Have you checked if your doors are locked? • Is this part of your risk register?

  27. How do I protect my organisation from risks? Alison Stone, Cyber Resilience Co-Ordinator

  28. This presentation includes... • 5 actions to take now • How to access support, guidance and resources • Consider Cyber Essentials and Cyber Essentials Plus

  29. Backing up your data... • Identify what data you need to back up  • Keep your backup separate from your computer  • Consider the cloud  • Review the NCSC cloud security guide  • Make backing up part of your everyday business

  30. Protecting your charity from malware  • Install (and turn on) antivirus software  • Prevent trustees, volunteers or staff from downloading dodgy apps  • Keep all your IT equipment and software up to date • Control how UBS drives can be used • Switch on your firewall 

  31. Keep your smartphones and tablets safe • Switch on password protection  • Make sure lost or stolen devices can be tracked, locked or wiped • Keep your device up to date • Keep your apps up to date  • Don't connect to unknown Wi-Fi Hotspots

  32. Using passwords to protect your data • Make sure you switch on password protection  • Use two-factor authentication for "important" accounts  • Avoid using predictable passwords • How to cope with 'password overload' • Change all default passwords

  33. Avoiding phishing attacks • Configure accounts to reduce the impact of successful attacks  • Think about how you operate  • Check for the obvious signs of phishing  • Report all attacks  • Check your digital footprint 

  34. Learning Link Scotla 4th September 2018

  35. What was the most important thing you learned about Cyber Resilience at the training? • Password strength • Controlling access • Two level password • Consider using Passphrases rather than Passwords • The need to be proactive and keep all of our devices updated • It is everyone’s responsibility in the organisation!

  36. Case Study 1 Lead Scotland, is a voluntary organisation set up to empower disabled young people and adults and carers across Scotland to access learning opportunities. 21 members of staff attended Cyber Resilience awareness training in April 2018. Here are some of the actions Lead then took as an organisation:

  37. Case Study 1: Lead Scotland • Took time to step back and consider how to become more Cyber Resilient • Revised their annual digital plan with some new actions • Decided to decommission the organisation’s server and moved completely to The Cloud. • Implemented several practical changes to using PCs and mobile devices. • Met as a team 5 months later to keep Cyber Resilience high on the organisations agenda. • Created cyber resilience/GDPR case studies to encourage deeper thinking around Lead specific scenarios.

  38. Case Study 1 Emma Whitelock, CEO of Lead said: “It’s been useful for me to consider that we will only ever be as cyber resilient as the people who work and volunteer for us are. If the goal of becoming cyber resilient feels like a giant, scary learning curve, find a starting point and ensure your team are all taking steps towards that goal so that you build your confidence and knowledge together”.

  39. Case Study 2 Trust Your Breath Trust You Breath is a small charity dedicated to helping people relearn their correct natural breathing pattern. It has no paid members of staff and is entirely run by voluntary Trustees. 2 volunteers attended Cyber Resilience awareness training in February 2018. Here are some of the elements they found most useful:

  40. Case Study 2 Trust Your Breath • Committing to updating software regularly • Two stage password authentication if using a range of mobile devices such as tablets, mobile phones and lap tops. • Email security tips, how to spot if an email is genuine • Staying safe in public buildings WiFi by using a secure hot spot • If someone leaves your organisation change password immediately to remove their access.

  41. Case Study 2 Trust Your Breath Trustee Heather Menteith said: “Don’t take things at face value, take time to think through for a few minutes before giving away any of your personal and organisational details. For example ask yourself is your internet connection could possibly be at risk”.

  42. Learning Link Scotland Contact: Shirley Howitt, Development Officer: showitt@learninglinkscotland.org.uk Telephone: 0141 3535649 Robertson House, 152 Bath Street, Glasgow

  43. https://prezi.com/p/4gk55alaro3k/cyber-landscape/

  44. What should you do now? Consider Cyber Essentials or Cyber Essentials Plus Accreditation

  45. What is Cyber Essentials? 

  46. Funding help is available • The currently open Voucher Scheme gives you opportunity to receive up to £1000 towards achieving Cyber Essentials  • This can be used towards the costs of preparatory support to get up to the standard needed to achieve Cyber Essentials accreditation  • The cost associated with the accreditation itself is covered  • It does not cover the cost of buying physical IT equipment  • It is a simple process in partnership with your IT service provider

  47. What?... Free money??! 

  48. How to apply for a Cyber Grant  • Check that you are eligible:  • Third Sector organisation with an income less than £4m • You don’t already have Cyber Essentials  • Talk to your IT provider to check what work is involved, likely costs and their availability • Complete the online application form found on the SCVO website  • Apply by 30th August 2019  • We will let you know the outcome soon afterwards  • Grant is payable in 2 phases

  49. How to meet the grant conditions  • Complete Cyber Essentials accreditation (must be done by March 31st 2020)  • Tell us your Cyber Essentials Certificate Number  • We will pay the final instalment of your grant

More Related