Scotland politics

Government outlines cyber security action plan

Cyber attack Image copyright Reuters

The Scottish government has outlined its action plan to protect public organisations from cyber attacks.

The strategy was fast-tracked after a global cyber attack in May in which 11 Scottish health boards were targeted.

Public bodies have been told to improve their defences against online attacks which "will continue to increase".

The Public Sector Action Plan on Cyber Resilience outlines how local authorities, government departments and NHS boards can be more secure online.

Deputy First Minister John Swinney said the plan "will encourage all public bodies, large or small, to achieve common standards of cyber resilience".

He added: "I want our public sector to lead by example on strengthening cyber security, to help ensure Scotland is ready to deal with all emerging threats."

Image copyright Symantec/Handout
Image caption The WannaCry attack infected computers in 99 countries, with the NHS in England and Scotland among the worst hit

Ministers will write to the chief executives of all Scottish public bodies asking them to ensure they have firewalls, up-to-date security and processes for responding to future attacks.

£200,000 will be made available for organisations to assess their cyber security and identify where improvements could be made.

Companies in public service supply chains will also be expected to demonstrate how they have protected themselves against hacking.

Colin Slater, head of cyber security at PwC in Scotland said he was "extremely heartened by the tone of the plan".

He added: "I love the fact that it's moving the dial to where we should be going.

"To date we've been reacting to cyber security using frameworks that are almost 30 years old. That's not representative of the risk we're dealing with these days."

On the WannaCry attack in May, which affected about 1% of NHS computers in Scotland, he said: "We now don't need to pretend that something could happen. It did happen.

"During that attack NHS trusts couldn't take appointments, they couldn't do imaging, they couldn't prescribe drugs, couldn't admit patients. The ultimate consequence is that you can't deliver your public service.

"Cyber criminals are brilliantly tooled up, they're very dogged, they're very very clever and they're very fast and agile."

'Better protected'

Dr Keith Nicholson, joint chair of the National Cyber Resilience leaders' board's public sector steering group, said by following the plan "Scotland's public sector will be better protected against cyber attacks to the benefit of both the organisation and the citizens of Scotland".

The strategy includes a "Public Sector Cyber Catalyst Scheme" which commits public sector leaders to being "exemplars" in online security.

Assistant Chief Constable Steve Johnson from Police Scotland said: "We are delighted to be participating in the Public Sector Cyber Catalyst scheme.

"In doing so, we are committing to sharing knowledge and learning with the wider public sector as we work towards higher standards of cyber resilience over time.

"Cyber resilience is vital to public trust in our digital public services, and addressing the cyber threat is one of our organisation's key priorities."

More on this story