Associate Feature: Building digital resilience
The pandemic caused a rapid shift in how people work. In March 2020, companies scrambled to make it possible for their workforce to work from home. And of course, with that came challenges. One that was apparent and immediate in 2020 was the implementation of Virtual Private Networks (VPNs), it was obvious that passing data via laptops connected to a home wifi network would be at risk without the use of one.
Most companies were able to react within days of the announcement of the nationwide lockdown. But what has become clear as working from home has remained or evolved into hybrid working is that reaction is not enough, particularly in terms of cyber security.
National Crime Statistics show that cybercrime in Scotland has almost doubled since 2019-20. Amongst the rise in statistics, there have been large public sector bodies like the Scottish Environment Protection Agency (SEPA) falling victim to attacks. In December 2020, it had 4,000 files stolen and experienced significant disruption to its communications. In the following April, it was revealed that SEPA spent £790,000 in response to the major cyber-attack, including almost £500,000 to stabilise the IT platform.
Understanding the threat posed by hackers to these public sector bodies is now crucial, but there are issues they must address if they are to ensure the security of data, such as addressing issues of resource, organisational culture, keeping pace with technology, and ensuring that the workforce is continually trained on cyber-attacks.
Nigel Ironside, head of digital services at Scottish Prison Services (SPS), described how stark the quick transition to digitalisation was for some public sector bodies since the requirement to operate remotely became a necessity. The “complete flip and understanding of society and the political and legal environment to say ‘yes, you can do that’ changed in a snap of a finger,” and that was a particularly large jump, especially for SPS, explained Ironside: “We have leapt from the 19th century into the 21st century probably in the space of about three months.”
We have leapt from the 19th century into the 21st century probably in the space of about three months
Now that people have experienced working remotely for over two years, Ironside argues that we have reached a new stage of how to better prepare the workforce to be proactive against phishing and opportunistic attacks. He said: “Cyber threat usually comes from phishing or opportunist attacks, and when you expand significantly the number of people who are getting access to technologies you exponentially expand the threat profile.
“So, what is your cyber resilience plan to respond to that, and can you think about that while you are doing the design of service moving forward? I think now we can; back then [at the beginning of the pandemic], of course, it was much more about just getting it done.
“Now we are past the immediate response approach, what does the consolidated and future planning look like? That is the space that we are in right now.”
He also pointed to successful collaboration between public sector bodies being crucial to minimise the risk of attack. The SPS is “so interconnected with courts, escorts for the prison and the police service, the Crown Office, and police colleagues, a major attack on the Scottish Prison Service would gum up the justice system very quickly”.
Kostandino Kustas, a Senior Sales Engineer at Sophos, believes that education in the workplace has regressed as people started working from home. He said: “As more and more people work from home they are at risk from the simple phishing attack scenario. Normally you would look around to see if a colleague has got this as well. Even that simple education piece is gone as well, because the physical perimeter that you share the building with staff has disappeared, and that for me and a lot of the customers that I have conversations with, isn’t a technology or a service focus, but it is purely a user education one.
“Being sat in a room on your own, you feel safe and secure, you may use your work laptop to access your private banking so that user education piece has become more and more a topic on people’s minds.”
Chief digital information officer of Police Scotland, Andrew Hendry, said that there was a culture previously that allowed people to pass blame if they experienced a cyber-attack but now when companies are successfully attacked, there is the very real possibility of “reputational damage”, which is now understood and feared amongst the workforce.
He argued: “Previously it was the case that it was someone else’s problem, but now the reputational damage that comes along with cyber threats means that people are a lot more open to understanding it.
“In years gone by you were talking about things like firewalls and tin kit, now you are looking at those powers around resiliency; cyber hygiene, the product supplier dynamic and what is commonly referred to as proper configuration. Having those dynamics in there to better understand that it isn’t just something that you can buy, you have got to live and breathe it.”
Director of digital and information services at the University of Aberdeen, Brian Henderson, believes that the culture of poor cyber security behaviours has raised expectations of how data is stored, and this could be defined as “cyber poverty at an organisational level”.
He said: “I think the raised expectations of our funders, our governing and legal organisations, and citizens about how safely we are keeping their data is almost payback from poor cybersecurity behaviours.
“I have seen that expectation continues to grow, and that is right. I would agree that there has been a change in the business models of cyber security threats. There is a deeper understanding of the value of data. We went from single extortion, to double, to triple. That is all about a business model from hackers or criminal gangs understanding the value of data.
“And there are also the supply chain attacks. For me, those kinds of attacks in our public sector, we struggle to deal with them coherently. We speak about digital poverty; I think there is a danger of cyber poverty at an organisational level, and we must be careful about that because we all have currency within our public sector, for example, the prison service has currency with the police service.
We speak about digital poverty; I think there is a danger of cyber poverty at an organisational level, and we must be careful about that because we all have currency within our public sector, for example, the prison service has currency with the police service
“So, the worry is if you have cyber poverty at an organisational level, that is a risk for everybody.”
This is a clear hunger from the public sector to be more proactive in its defence of cyber-attacks. And the cost to do that is a steep one, according to Ironside. But he has plans to bring down the high costs of contractors by introducing a hybrid model of using in-house cyber experts and contractors.
He explained: “Let me put this in perspective; in our business, which is managing prisoners, our case management system is a 25-year-old forms-based platform, sitting on old infrastructure, that quite frankly if I had the opportunity to, I would shoot it today and start again.
“Talking about digital naivety, when the board says that we need a new case management system, and we have identified this probably for the last 10 or 20 years, nobody has done anything about it. If we want to do this, the only way that we can do that these days is with an agile format. That requires a set of skills that we have not had before.
“We have got to be in a hybrid model, where you can buy the expertise in on that journey, but also start on building what your capabilities look like. It is a real challenge, I spend, no word of a lie, about £1m a year on contractor fees. I have two cyber resilience experts now, but I can only afford them until March. I am spending £200,000 on two bodies. I have just recruited two cyber apprentices, at the opposite end of the scale, putting them to college and growing them through our business to say that is the future of how we have got to going forward.”
Often public sector bodies are losing out when it comes to the resource market, Andrew Hendry explained: “I do feel sometimes that we are fighting a losing battle when it comes to this resourcing challenge, because others can always just up their offer, and are we ultimately just making the market more expensive? I think what has been outlined here are ways of tackling it differently.
“In the public sector, we need to try to maximise the selling point to people, show them what you get working in the public sector, what you get beyond, particularly financial aspects of it, there is a level of exposure and experience. There is something in looking back and seeing what you have achieved for your fellow citizen.”
NHS Scotland is looking to build its talent pool to eventually use across all health boards in Scotland by developing their skills in Abertay University’s cyberQuarter. Barnett said: “We are being proactive around how we build a talent pipeline for NHS Scotland. I think that will then lead to an approach whereby, no matter which health board you are sitting in, if you need a cyber resource, rather than the first thing you do is go and speak to a recruiter or an agency to get a short-term contractor in, the first thing you will do is get in touch with the Cyber Centre of Excellence and you will talk about your requirements and hopefully they will have someone that they can allocate out to your health board.
“All of these require involvement from HR, and they require backing from a central perspective, but I think strategically that is the right direction to go in...”
But as technology rapidly advances, the public sector will struggle to keep up. Barnett believes that technology partners must be brought along the way to help bolster their cyber resilience, he said: “We cannot do this alone; we need to have good quality technology partners to be able to deliver anything like a cyber security capability. And if you want to be truly proactive you need to work with organisations that have a wide customer base, and a global reach, who understand the threat landscape, and who are developing products to mitigate those threats and stop them from becoming risk issues within your organisation.
“I think that the hybrid approach is the only way forward for the public sector.”
Henderson commended the Scottish Government for driving change in cyber resilience, he said: “I can’t let this conversation execute without giving a nod to the Scottish Government and the Cyber Resilience Unit. The Public Sector Action Plan, the Refresh CRF has set a context in Scotland post-2017 that has been excellent. It has driven change, and it has been crucial.
“I think that we are being more proactive in the sector, in Scotland particularly. I do not see the level of collaboration, the level of imaginative thinking, anywhere else.”
KEY PLAYERS AT THE ROUNDTABLE:
(Chair) Gemma Milne, Writer & Researcher
A writer and researcher focused on science and technology. She is author of Smoke & Mirrors: How Hype Obscures the Future and How to See Past It, and is currently a PhD researcher in science and technology studies at UCL. She writes for outlets such as The Guardian, WIRED, and others, and is co-host of the Radical Science podcast.
Kostandino Kustas, Senior Sales Engineer, Sophos
Senior infrastructure engineer turned Sophos security consultant. With nearly 20 years of experience in a variety of technical IT and security roles, and with a passion for anything tech-related. For nearly four years at Sophos, Kosta has worked closely alongside organisations of all sizes to help ensure the right cybersecurity solutions and services are in place.
Scott Barnett, Head of Information Security & Governance, NHS NSS
Scott is an experienced information and cyber security leader. He is currently part of digital and security within NSS, where the ICS Team provide cyber security services, security architecture and consultancy, change engagement, cyber threat intelligence and response and cyber investigations and risk mitigation. They are also building and delivering the NHS Scotland Cyber Centre of Excellence, a unique, sector specific centre designed to help secure our health service against a growing cyber threat.
Brian Henderson, Director of Digital and Information Services, University of Aberdeen
Having worked in senior management roles in higher education for 25 years, Brian is currently director of digital and information services at the University of Aberdeen. This role has leadership responsibility for information technology, libraries, museums and special collections, as well as information security and information governance.
Andrew Hendry, Chief Digital Information Officer, Police Scotland
Forming part of the Police Scotland executive command and leadership team, Andrew oversees a wide portfolio which consists of the following business areas: change and transformation; digital division; service design and innovation. He is also the senior responsible officer for DDICT, modernised contact and engagement, digital evidence sharing capability, digitally enabled policing, body worn video, mobile working, and unified communications and contact platform.
Nigel Ironside, Head of Digital Services, Scottish Prison Service
Nigel has a Masters in criminology from the University of Cambridge. His objectives are to implement digital transformation across the SPS to upskill frontline staff and include those in custody to embrace digital inclusion, develop a new case management platform to support the custodial journey, and develop data strategy – AI, automation and analytics.
To find out how Sophos can help with these challenges visit sophos.com/mdr.
This article is sponsored by Sophos.
Holyrood Newsletters
Holyrood provides comprehensive coverage of Scottish politics, offering award-winning reporting and analysis: Subscribe