How Scottish businesses can prepare for a cyber incident
Cyber security breaches are frequently listed by businesses as one of the biggest threats they face, so companies of all sizes must have measures in place to protect themselves and their employees against a range of risks.
The onset of Covid-19 might not have led to an increase in cyber crime, but fraudsters have developed new ways to trick people. Phishing scams, for example, now frequently play on people's insecurity around the pandemic.
Experts warn that cyber criminals are dangerous and inventive, so it is important to keep looking for new ways to stop them.
One such measure is Exercise in a Box, a free online tool developed by the National Cyber Security Centre (NCSC), to help businesses find out how resilient they are to attacks and enable them to practise their response in a safe environment.
The Scottish Business Resilience Centre (SBRC) won the tender from the Scottish Government to deliver free Exercise in a Box sessions to organisations.
The nine-month programme is being run by SBRC's cyber team, supported by Police Scotland and other stakeholders, with organisations participating through a blended model of tabletop meetings and online sessions.
The programme is primarily aimed at small and medium-sized enterprises (SMEs), charities, local government and emergency services.
Declan Doyle, head of ethical hacking at SBRC, says: “Exercise in a Box is really about going back to basics, with pen and paper involved. It walks participants through a cyber incident scenario and looks at how they deal with it.”
He adds that SBRC had Ciaran Martin, the first CEO of NCSC who stepped down from his role this year, on a webinar. Martin said that large organisations often run unrealistic cyber incident scenarios, whereas they would be better to focus on situations that could actually arise.
“The scenarios in Exercise in a Box are very realistic,” says Doyle. “For example, one of the talking points covers an organisation taking a call from an employer who has fallen for a phishing email.
“We talk through what everyone should do in such a situation. This would include checking whether there is remote access to people's emails, or if a communications strategy is in place if the organisation was hit with a ransomware attack.”
SBRC ran Exercise in a Box internally to test it out and CEO Jude McCorry said she learned valuable lessons.
McCorry says: “My perception, that is probably shared by many others, is that dealing with cyber crime is something for technical people within the organisation. I realised it is for everyone – cyber could be called a team sport.”
She says that Martin made the valid point that there should never be a blame game if a cyber crime incident occurs. Instead, people should feel able to alert colleagues and managers to the issue and discuss it openly to resolve the situation as quickly as possible.
“This is the type of conversation that people across an organisation need to be involved in,” explains McCorry. “We're not asking people to fully grasp the technical aspects of cyber crime.
“Exercise in a Box helps everyone understand the basics. It's designed to make people think about what they would do if a breach occurs. A CEO's job is to know what is happening and how to keep the business going.”
The next stage for Exercise in a Box is to continue to encourage people to take part, with a target of attracting 250 organisations within nine months.
Doyle says: “We want every organisation, regardless of how big or small they are, or what sector they are in, to use this valuable tool created by NCSC. It is an exercise that can be done over lunchtime and is really beneficial. We inform people of the sorts of questions they should be asking themselves about cyber security. We're not about trying to sell services; it's about helping the community.”
The Exercise in a Box sessions are free and are being targeted at organisations in different parts of Scotland.
For more information, visit the website.