Cyber Week: How government, police and business are working together to protect Scotland
Public and private sector entities support the work of Scottish Business Resilience Centre in protecting organisations across the country from cyberthreats. CEO Jude McCorry tells PublicTechnology about a busy year.
Credit: Adobe Stock
“Over the last year we have seen a huge increase in our cyber work,” says Jude McCorry, chief executive of the Scottish Business Resilience Centre. “I think ransomware has played a role; in the first few months of Covid, people did not have the luxury of going and planning a working from home strategy – they had to do so at the drop of a hat. There was an increase in CEO fraud, phishing emails, and ransomware; people say ‘I have outsourced my IT’ – but you cannot outsource the risk.”
The SBRC cannot take on the burden of that risk – but it can help organisations, particularly small businesses, better understand and mitigate it.
The organisation can trace its roots back to 1996, when it was established as the Scottish Business Crime Centre. Its backers include the Scottish Government, police, and fire and rescue services, as well as national representative bodies of industries including drinks, financial services, and the wider business sector.
The centre’s remit has always been to help businesses address the dangers posed to them by all kinds of bad actors and other external threats. But, in recent times, its focus has naturally tilted towards the challenges presented by the cyber world.
"This is not something that the IT department should face alone. Board training is really important because we want more boards to take the issue much more seriously - to board meeting should take place without discussing cyber issues.”
Jude McCorry, SBRC
McCorry says that “the main role we play is to protect businesses in Scotland” – an objective for which each of organisation’s public- and private-sector stakeholders have tools at their disposal to help achieve.
The value of SBRC comes in both bringing a degree of cohesion to a cyber world where responsibility is “quite splintered”, the CEO says, but also in being able to offer on-the-ground support.
“It is having that local presence and coordination so that people know where they can get the expertise,” she says.
Its operations have three defined strands: community and membership; skills and education; and prevent and protect.
The latter has come to the fore of late, McCorry tells PublicTechnology.
“Since the start of the pandemic… we have seen a huge increase in fraud,” she says. “Working with the Scottish Government, we set up our incident response, and a lot of companies we support are small manufacturing companies – micro-businesses or SMEs; they need that help, they need that first-line triage.”
In those initial, alarming moments after a cyberattack has been detected, organisations can receive several hours of free assistance from a range of cyber services firms vetted and assured by SBRC. The centre also has police officers on secondment on hand to assist.
But prevention is always better than cure, and a key facet of SBRC’s work is its training and education programmes.
Part of the prevent and protect strand of its operations is its promotion of the ‘Exercise in a Box’ initiative developed by the National Cyber Security Centre. The workshop aims to allow organisations to test and assess their cyber resilience via tests and exercises based on real-world cyberthreats.
“We get people in real-life scenarios, and it is not about giving them the answers – it is about getting them to question things,” McCorry says. “They then go back into their organisation and ask those questions.”
The 90-minute programme of work is aimed at non-technical staff – as is SBRC’s own Executive Education offering, part of the organisation’s skills and education work.
The course is intended to raise awareness of cyber issues among executive and non-executive board members, and instil an understanding of how they might be responded to.
“We are communicating that this is not an IT issue, and not something that the IT department should face alone,” McCorry says. “Board training is really important because we want more boards to take the issue much more seriously. No board meeting should take place without discussing cyber issues.”
On that front, McCorry says the “dial has moved significantly” in recent months – particularly among public-sector leaders. But, as is often the case, this has come in light of a major, and highly publicised attack suffered on Christmas Eve by the Scottish Environment Protection Agency.
SBRC was on hand to support the immediate response to that incident with “a good amount of people that were able to down tools over Christmas and help”, McCorry says.
Seven months on, the agency’s recovery from the attack, in which about 4,000 files were stolen, is ongoing.
But the SBRC leader praises the response of SEPA chief executive Terry A’Hearn and the rest of the organisation’s leadership, who have, from the start, been as open as possible about the attack and its fallout.
“That is amazing that a CEO did that – because, if you do not talk about it, you are not going to learn from it,” she says.
Given the chance, in the coming years SBRC would like to play a role in establishing some central means of information sharing that allowed organisations to pool knowledge gained from cyberattacks.
But, as a non-profit organisation reliant – in large part – on continued government support, McCorry says “the challenge around keeping these things going is sustaining the funding – which is year by year”.
“If we had [more certainty], we could strategically plan a bit more,” she adds. “At the moment, we are more reactive – but that is going to be needed for some time.”
If the coming year brings as many challenges for businesses as the last one, that need will only increase.
Online notice reveals controversial trials are to be expanded into a national service – about which government, law enforcement, watchdogs and all the UK’s major ISPs declined to answer questions...
Regulator finds that collection of online images was not fair, transparent or lawful
Consultation launched on code of practice for Apple, Google and others – although adherence would be voluntarily
Consultation launched seeking feedback on risks and mitigations for systems that now underpin a wide range of ‘essential services’