Scottish Business Resilience Centre Director reports for duty
“I'll hazard I can do more damage on my laptop sitting in my pyjamas before my first cup of Earl Grey than you can do in a year in the field.” As far as most memorable movie quotes go, it’s doubtful this one – from a bespectacled Q in the 2012 Bond film Skyfall – would feature.
However, for Mandy Haeburn-Little, director of the Scottish Business Resilience Centre (SBRC), it has a resonance that shouldn’t be disregarded. “I love that,” she says, reciting the quote back. “And he’s right.”
It’s a somewhat scary prospect, albeit one that the centre – a business resilience delivery arm for the Scottish Government, Police Scotland and Scottish Fire and Rescue – is all too aware of. Unfortunately, that message isn’t necessarily making it through to the small and medium-sized enterprise (SME) market they seek to work with, acknowledges their director.
It has been announced in recent weeks that, as part of the Royal Academy of Engineering’s industrial secondment scheme, a Glasgow University academic will work with the SBRC to better understand the security needs of SMEs. “We’re interviewing effectively for a year to understand why small businesses are not listening to cyber messaging,” she says. “Until we understand that, we’re not going to be able to really penetrate.”
Still, the work SBRC had been able to do with the SME market has attracted interest from outside of Scotland. Haeburn-Little spent seven months down south helping set up the London Digital Security Centre, an independent body launched in May that mirrors what SBRC does by bringing police, government and the private sector together. “It showed Scotland as a shop window,” she adds. “We were treated with enormous respect in London and they were really keen to learn from what we’ve done.”
North of the border, a first ‘cyber secure’ geographical area is now being piloted in an unspecified location. SBRC and partners will focus their attention on pre-school, schools, business, housing and social services in a single location to see what works. Ministers, meanwhile, intend to publish a cyber resilience strategy for Scotland next month after a three-month consultation launched in the summer.
“Without pre-empting the launch of that, I think you’ll see a call for much greater leadership, for there to be sectoral leads to look at these things, so understanding why small business isn’t working will help us in terms of the strategy going forward,” says Haeburn-Little, who chaired one of the work streams.
“I think partly also it's to do with language, so if we just speak in technical cyber [terms] nobody gets it. Actually, it’s much more important just to talk about straightforward business process.”
Whilst Haeburn-Little, who worked on the Edinburgh trams project before arriving at SBRC four years ago, acknowledges “we could all do with much more”, resources is not the sole factor. “I would like to see the whole cyber resilience piece number two in everybody’s risk register in business, no matter what size you are,” she says.
“If you have a meeting once a month, perhaps within your organisation, put cyber security or cyber resilience as number two: What are you doing about? Have you done what you need to do this month? That would pay enormous dividends.”
The centre is currently working with five universities across Scotland in an effort to maximise what their director describes as “jaw-dropping skills”. “Abertay teach pure ethical hacking to a standard I haven’t seen anywhere else yet,” she adds.
Four of the Dundee university’s students are working with them to provide services to small firms, such as tracing their corporate footprint online as well as testing the judgment of staff, otherwise known as social engineering.
“There is nowhere yet the hackers [working with us] have not got into,” says Haeburn-Little with a clear sense of pride, an outcome that is perhaps both impressive and concerning in equal measure.
Keeping those skills in Scotland presents its own challenge, with those the SBRC director works with frequently “poached” by companies south of the border. “We need to find enough work to keep them here, as simple as that,” she adds. “And enough support for them to set up their own companies when that time comes.”
Work is also underway with students at Glasgow Caledonian University around the design of a business app that would combine, among other things, updates on latest trends as well as tips and advice.
“Much more importantly perhaps, it will give you information on how to report cyber crime to Police Scotland,” explains Haeburn-Little. “For the first time Police Scotland will get a sense of the number of people who are interested in learning more about their own protection. That’s a really big step.”
Initial design work for Android is complete. Other smartphones are now being scoped out with a view to rollout next year. “We’re very concerned about the teenage market – the protection of young people in Scotland – so a big part of it will be advice on cyber bullying, what is trolling, what is stalking and what you should do if you think you’re a victim of it,” she adds.
A separate project is likely to touch on similar concerns. SBRC has developed close relations with the Norwegian Centre for Information Security, which operates deleteme.no, a national helpline and website for people of all ages who experience privacy violations online. Advice and guidance is offered to those who find the likes of private photos published without permission, including how they can go about seeking the removal of such images.
Whilst this includes youngsters who have fallen victim to what is commonly known as ‘revenge porn’, men aged over 50 using dating websites, for instance, have also found themselves compromised. “They’ve gifted us the delete.me model and I am really keen to see it here, as are some others,” says Haeburn-Little.
“It’s had a lot of interest from police, from government, from partners. We’re past the initial discussions but I just need to think whether that sits with us, or actually is that better perhaps with an associated charity or with somebody who is already working in that area. It’s just where it should go really [that needs decided].”
With a government strategy to be published imminently, Haeburn-Little believes that protection of the vulnerable will be among the core concerns going forward. “People in Scotland are really concerned about the vulnerable in our society, so that might be somebody’s grandmother, it might be somebody who just doesn't get technical, it might be somebody who doesn’t have the skills or can’t have the skills, it might be somebody who doesn’t physically have access to these things, and children of course," she says.
“There is no doubt that some of the attacks that we’ve seen in terms of sexploitation online, these things are being run by serious organised criminal gangs. This isn’t a naïve world that we live in and so I think it's hugely heartening the interest in protecting the vulnerable and that’s kept coming back. Protecting the vulnerable will be a big thing.”
Holyrood Newsletters
Holyrood provides comprehensive coverage of Scottish politics, offering award-winning reporting and analysis: Subscribe