Andrew McSherry from Scottish Canals on cyber resilient best practice
Tell us a bit about yourself and your role at Scottish Canals.
I’ve worked in IT for nearly 25 years in a variety of leadership roles in a number of sectors ranging from retail and manufacturing to facility management. I was initially brought into Scottish Canals to review its ICT provisioning before being appointed Head of ICT in 2014 to deliver the recommendations made. In April 2015, I introduced a new in-house team to deliver ICT; previously ICT provisioning had been outsourced. Since then we have transformed the way that ICT has been provided as well as delivered a number of key projects.
Tell us a bit about your organisation becoming a Cyber Catalyst as part of the Scottish Government’s Public Sector Action Plan.
Whilst at a recent Digital Leaders programme, one of the guest speakers was Keith McDevitt from the Defence, Security and Cyber Resilience Division. This was soon after the launch of the new Digital Strategy, and he and I got talking offline. Keith explained that Scottish Government were keen to identify organisations that had a forward-thinking approach to Information Security that would be willing to share best practice and collaborate with other public sector organisations. I saw this as a great opportunity for Scottish Canals to share more on some of its initiatives with similar organisations.
What’s an ethical hacker? And have you ever used the services of one?
A definition I like for an Ethical Hacker is “An ethical hacker is a computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker could potentially exploit.” (source: TechTarget.com) We have previously used a 3rd party organisation to provide this sort of service, and found it an extremely powerful way of identifying weaknesses and gaining the necessary buy-in and spend commitment to rectify them.
What made you consider Cyber Essentials for Scottish Canals?
We were in the process of refreshing our hardware estate and also wanted to move from Windows 7 to Windows 10. We wanted to have some sort of independent 3rd party assurance that the build was secure and in line with best practice recommendations. We consulted with UK Government via their National Cyber Security Centre to define what the new build would look like. At the same time, we also became aware of the Cyber Essentials initiative. Reading up on it, we saw that there was a Cyber Essentials Plus ‘version’ that included a review of a smartphone build – and given we were in the process of reviewing our smartphone build we decided to aim for this. At the time, we were slightly cautious that no other Scottish-based organisations had achieved this certification (or if they had, they weren’t advertising it). We decided to proceed with this – given the relatively small costs associated with it and the levels of assurance it would give.
Could you tell us a bit about the process for Cyber Essentials?
The first stage is for us to complete some staging documentation that really defines the scope of the exercise. There’s then a number of questions to complete – again presumably to help with the definition of the process and give the assessor some areas to focus on. The second stage is when the consultant visits site and reviews first hand the builds on the devices. As part of this on-site activity, we need to provide the consultant with a base PC & smartphone with the standard build in use across the estate as well as a user ID & password. This activity is conducted in conjunction with reviewing the questions previously completed. During the activity the consultant will use a number of tools to test & assess the validity and legitimacy of the build(s). The consultant then produces a compliance report – summarising the activities of the assessment. The report is compiled in line with the Common Vulnerability Scoring System (CVSS) – this is an open framework for communicating the characteristics and impacts of ICT vulnerabilities. It’s a quantitative model and ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. This sort of report format works really well for us in that it’s effectively a ‘guide’ that not only explains what the problem was, but more importantly what the remediation steps are.
How long was the process from beginning to end?
Approximately two hours to complete the project scoping and questions. One day on site consultancy – involvement will vary depending on levels of questions. Customers do have the option to remediate any issues identified within a limited period of time (to the satisfaction of the consultant) in order to achieve the certification. Time required here will vary depending on the number and level of issues identified.
Was there anything that was particularly difficult to implement?
No. I guess the biggest challenge here is prioritising the resources to deal with any issues that come up.
Was it costly?
In my opinion – no. For the cost of approximately three days of consultancy, we get certification that our processes, external nodes and device builds are in line with good practice standards, and a really useful guide that explains any issues and what steps are needed to fix them.
What are the top three things Scottish Canals staff do differently after getting CE accreditation?
Scottish Canals has decided to ensure that this exercise is completed annually. With this in mind, we now consider more carefully, in advance of making them, any changes that could impact our security environment. We also make sure that we herald the success of this accreditation with suppliers and partners to encourage them to achieve this.
For any organisation thinking of getting Cyber Essentials accredited, what would be your one gold piece of advice?
Just do it! Seriously – it’s the best piece of consultancy you’ll get completed.
And finally, how are you getting ready for the General Data Protection Regulations coming into force next year?
Scottish Canals has started in the last few months to raise awareness of GDPR within the organisation. Activity will be ramping up soon to ensure that we have the right processes and procedures in place to ensure compliance with this important legislation. As we progress on this GDPR journey, we’re starting to realise that many of the processes we have in place that help us comply with the Data Protection Act will stand us in good stead with GDPR. That said, there is always room for improvement – across the entire organisation – and this is something we’re working on.