The Scottish government unveiled its cyber resilience strategy in 2015, with the aim of helping Scotland’s people, businesses and public sector improve their ability to use technology securely, and understand and address cyber crime.
The Cyber Essentials scheme
The Scottish government and the UK government (under the UK National Cyber Security Programme) also allocated £3.5 million to support cyber resilience in Scotland in 2018/19.
Part of this investment involves supporting the wider adoption of the Cyber Essentials scheme, with the aim of “at least [doubling] the number of organisations across the public, private and third sectors holding Cyber Essentials or Cyber Essentials Plus certification in Scotland during Financial Year 18-19”.
All Scottish public-sector bodies are expected to achieve certification to the Cyber Essentials scheme by the end of October 2018.
Cyber Essentials was developed by the UK government to provide five cyber security controls that all organisations can implement to achieve a baseline of cyber security:
- Secure configuration
- Boundary firewalls and Internet gateways
- Access control
- Malware protection
- Patch management
There are two levels of certification to the scheme, with which organisations can demonstrate to their clients and stakeholders that they are taking the necessary steps to reduce cyber risks:
- Cyber Essentials
Cyber Essentials certification includes a self-assessment questionnaire (SAQ) and an external vulnerability scan that independently verifies your security status.
- Cyber Essentials Plus
Cyber Essentials Plus certification includes all the assessments required for Cyber Essentials certification, plus an additional internal vulnerability scan and an on-site assessment.
Mitigating insider threats
The vast majority of malware is spread by drive-by downloads and phishing campaigns, both of which exploit human error.
Although the Cyber Essentials scheme provides a baseline of cyber security, you should remember that no email filtering method is 100% successful, and that even robust antivirus and anti-malware solutions, regular penetration tests and the timely application of patches can’t protect your systems from a compromise caused by the actions of careless employees.
A programme of staff awareness interventions, from regular e-learning courses to awareness posters, is an excellent way of ensuring your employees understand their responsibilities and can act appropriately.
Phishing Staff Awareness Course
Take action against the increasing threat of targeted phishing attacks by educating your employees to be alert, vigilant and secure. This interactive e-learning course helps employees identify and understand phishing scams, explains what would happen should they fall victim and shows them how they can mitigate the threat of an attack.