Section 1 - the importance of cyber resilience
Cyber resilience is being able to prepare for, withstand, rapidly recover and learn from deliberate attacks or accidental events in the online world.
This section covers:
What is cyber resilience?
Who is the strategy for?
Why do we need a cyber resilience strategy?
What is cyber resilience?
Cyber resilience is being able to prepare for, withstand, rapidly recover and learn from deliberate attacks or accidental events in the online world. Cyber security is a key element of being resilient, but cyber resilient people and organisations recognise that being safe online goes far beyond just technical measures. By building understanding of cyber risks and threats, they are able to take the appropriate measures to stay safe and get the most from being online.
Who is the strategy for?
Scotland's cyber resilience cannot be achieved by government alone. This strategy is for the Scottish nation - for leaders, educators and policy makers across the private, public and third sectors. It provides direction on how to recognise, manage and respond to the increasing threats we all face online. By doing this, we can safely reap the rich benefits offered by the digital age.
Why do we need a cyber resilience strategy?
Historically we have taken steps to secure our land, sea and airspace. In this modern world, the protection of digital networks such as the internet is becoming just as important. Many countries have put in place cyber security strategies, including UK Cyber Security Strategy. Our strategy aims to build on this solid foundation and move Scotland to a stage where we all routinely recognise and manage cyber risks in the same way as we deal with other day-to-day risks to our health and prosperity.
Therefore, we need a cyber resilience strategy to support the development of a culture of cyber resilience and, at the same time, create the necessary environment to ensure Scotland becomes a leader in meeting the growing demand for cyber skills talent.
- The estimate of Scotland's total sales conducted over computer networks in 2012 was £38bn
- A third of businesses expect internet sales to make up at least 20% or more of their total sales over the next 2-3 years
- 92% of businesses in Scotland have broadband
The digital age is transforming Scotland
The growth of the internet and other digital networks has brought speed, agility, efficiency and access to technologies that have transformed the way we do business, socialise and provide key services.
As individuals we can more easily keep in touch with friends and family and obtain information, products and services from around the world - all thanks to increased access to the internet, facilitated by mobile technology and faster and more widespread broadband.
Enterprises - both the private and third sectors - increasingly use online technology to make connections with clients and customers and to deliver services. They rely more and more on online connectivity and reap the benefits, thanks to growing opportunities to work innovatively with partners across Scotland and around the world. This in turn helps to grow our economy.
Our public services are increasingly being provided online with the aim of improving access for all, reducing costs while enhancing operational performance. An example of an online platform for accessing public services is the Scottish Government's mygov.scot.
In terms of critical infrastructure, in both private and public sectors, Scotland increasingly relies on networked technologies to run the systems that heat our houses, provide fuel for our vehicles and ensure that our water is safe to drink.
Linking key elements of our infrastructure such as energy, telecommunications and transport systems to the internet brings considerable benefits in terms of efficiency and innovative practice.
Also, there is huge potential for Scotland to contribute to meeting the ever-growing global demand for cyber resilience and security professionals, goods and services. Cyber security is a high growth sector. In 2013 the global market was worth $66bn and it is expected to grow to $144.67bn by 2024 (Source: Visiongain, 2014).
The Scottish Government recognises the benefits of advances in technology to our economy and has committed to delivering digital connectivity across the whole of Scotland by 2020. Scotland's Digital Future Strategy outlines the steps required to ensure Scotland is well placed to take full advantage of the economic, social and environmental opportunities offered by the digital age.
The greatest cyber opportunity for Scotland and its people is for us to become one of the most cyber aware nations in the world - skilled and able to make the most of the digital technology as we enter the next wave of digital enablement. The 'Internet of Things' means that more of what we take for granted every day will be connected. From our personal and medical devices, through our domestic appliances and home automation systems, to the smart buildings and cities which form our built environment. This connectivity brings great opportunities, but is not without risks.
Scotland's Digital Economy Digital technologies and capabilities are vital for Scotland's economic growth and to maintaining our international standing. The Scottish Government and its partners in the public and private sector are working hard to deliver key components of a successful digital economy in Scotland.
- accessible and reliable infrastructure so people and enterprises can get online
- improving opportunities for people to develop the skills needed to work in a digital economy
- citizens able to take advantage of the growing range of goods and services available online
Effective cyber resilience is vital if we are to maximise the opportunities for our citizens to benefit from the digital economy
The 'Internet of Things' refers to the way in which any device, which can be turned on and off, is connected to the internet, or to other devices. This includes everything from mobile phones, tablets, coffee makers, fridges, boilers, lamps, headphones, and other wearable devices. This also applies to components of machines, for example a jet engine of an aeroplane or the drill of an oil rig.
With new opportunities come new risks
Our increasing use of, and dependence on, the internet bring new risks. Just as we have seen the benefits of digital technology enabling and promoting legitimate economic activity, we are now experiencing cyber crime at an unprecedented rate. Every day we hear of new online vulnerabilities, attacks and incidents affecting parts of Scottish society - from individuals through to large organisations. Cyber crime is also under-reported. As a result, the scale of the problem is difficult to grasp, and at the moment we do not have a full understanding of the complex risks that cyber crime presents to Scotland.
There is no one type of cyber crime or criminal. Illegal users of the internet include:
- script-kiddies  , testing their skills against the security of systems
- criminals committing traditional crimes, but online, either as individuals or organised crime gangs
- politically-motivated hackers
- government or commercially-sponsored spies
Cyber crime can include:
- identity theft and fraud
- sexual exploitation
- the theft of intellectual property
- attacks against essential services or critical infrastructure
This strategy complements a number of strategies that seek to prevent and combat crime in Scotland. See the links to these strategies.
An ever-increasing global threat
There is currently a lack of data that calculates the economic cost of cyber crime in Scotland as most cyber crime goes unreported. This is most likely due to victims not being fully aware of the cyber crime itself or organisations' fear of reputational damage.
At a global level, The Center for Strategic and International Studies (CSIS) report on the Global Cost of Cybercrime estimates:
- the likely annual cost to the global economy from cybercrime is more than $445 billion
- cyber crime is equal to between 15% and 20% of the value created by the internet
What are the impacts of cyber attacks?
The internet and mobile technologies are now central to Scotland's economy and wellbeing. Risks exist at every level of our daily lives. The consequences of a cyber attack can vary from a minor inconvenience to a major disruption. The cost of cybercrime will continue to increase as more business functions move online and as more companies and consumers around the world connect to the internet.
For our economy
A major challenge for Scotland is the increasing number of online incidents that are causing harm to our economy. From intellectual property theft by competitors, to the destruction of corporate and national assets, the threats are outpacing our defensive efforts.
For individuals and families
Online crime has a clear impact on the lives of families in Scotland. A recent Mori survey of 1,000 adults in Scotland showed that 1 in 10 had experienced unauthorised use of their personal data, a similar number had been exposed to upsetting or illegal images and 7% had experienced abusive or threatening behaviour online. As our use of online technology continues to grow, we are at an increasing risk of becoming victims of criminal or unscrupulous behaviour online. We can fall foul of fraud or extortion, disclosure of personal information, identity theft or being subject to forms of abuse including stalking, bullying and exploitation. These attacks may not be targeted at specific individuals, but can be indiscriminate mass campaigns often impacting hundreds or even thousands of people.
For businesses and organisations
Organisations of all sizes rely on crucial information assets, such as databases of client details or intellectual property, that are of value to competitors and cyber criminals. Cyber criminals often operate through stealth with some organisations seldom noticing cyber attacks until the effects of the attack start to impact. Businesses may be reluctant to share news or information about their attack for fear of a loss of reputation. Criminals focus on the easiest targets which means small and medium-sized enterprises ( SMEs) can be particularly vulnerable. The direct and indirect costs of cleaning up from a cyber attack can be high and are often unplanned for. In many cases these costs may not be covered by conventional insurance policies.
Key statistics from the BIS Information Security Breaches Survey 2015 show that:
- 50% of the worst breaches were caused by inadvertent human error - up from 31% in 2014
- 74% of small businesses had a security breach - up from 60% in 2014
- For SMEs, the most severe breaches can cost as much as £310,800 - up from £115,000 in 2014
- 90% of large organisations had a security breach - up from 81% in 2014
For public services
Our public services are reliant on digital systems. Digital networks make it possible to provide innovative and integrated public services that deliver to those in most need and promote growth. It crucial that cyber risk is planned and budgeted for when providing these services. In turn, this will help to keep citizens' confident in using digital public services.
For our national security and international reputation
This strategy will contribute to protecting Scotland from infrastructure attacks, hostile reconnaissance and thefts of intellectual property. This will ensure Scotland's reputation as a safe place to live, work, invest and trade.
Increasing our cyber resilience
Individuals and families will be
- more aware of how to protect themselves from online crime
- better able to protect their personal data
- less likely to suffer financial loss as the result of a cyber attack
- more confident online users
Businesses and organisations will have
- online services that are more reliable
- protected intellectual property
- increased productivity
- stronger reputations
Digital public services will be
- effective in their systems and response arrangements
- more efficient in the delivery of key services
- better placed to provide continuous services
- trusted by the public with regard to data protection
Scotland's reputation will be
- enhanced and recognised as a safe, secure and resilient country in which to live and do business