Public Procurement and Property
Improving procurement cyber security
It’s Cyber Scotland Week and we are promoting the Scottish Cyber Assessment Service (SCAS).
Digital technology has transformed the way we do things – we can shop, work and communicate across the world from the comfort of our own homes. Our digital systems hold vast amounts of information, and this leaves us vulnerable to criminals looking to gain advantage by exploiting that technology. Cyber crime is one of the biggest criminal threats to the UK economy – losses are estimated at billions of pounds each year. Scottish public sector organisations are attractive targets for cyber criminals because of the amount of data they hold. The impact of a cyber attack, both reputational and financial, can be significant.
Public sector organisations are making it more difficult to attack them directly, thanks to the good cyber security baseline established under the Scottish Government’s Public Sector Action Plan on Cyber Resilience. Cyber criminals are usually motivated by money, so they tend to go after the easiest targets. As direct attacks become harder, they look for other ways in: exploiting staff, for example by tricking them into clicking on links in phishing emails, or exploiting weaknesses in the supply chain.
Cyber criminals are increasingly seeking out suppliers who do not have the same level of cyber security in place, using access to the supplier’s systems as a virtual backdoor into the larger organisations they serve. Protecting against this vulnerability is a top priority for the Scottish Government, and it has led to the development of the Scottish Cyber Assessment Service and the Supplier Cyber Security Guidance Note. Together these embed cyber security into the public sector supply chain and help protect it against cyber attacks.
SCAS is an online tool that gives public sector organisations a way to assess cyber risk at the start of the procurement process. It seeks to ensure that the public sector obtains consistent and proportionate cyber security assurances from potential suppliers. SCAS requires suppliers to complete a questionnaire describing their current level of cyber security, with questions aligned with authoritative guidance from the National Cyber Security Centre (NCSC).
The risk level of a contract is based on the level of system access and information sharing the supplier will have. The questions asked of the supplier at each level are linked to cyber security advice and standards:
• Very Low – NCSC Small Business/Charity Guides
• Low – additional controls under NCSC Cyber Essentials/Plus
• Moderate – additional controls under the NCSC 10 Steps to Cyber Security
• High – additional controls under the NCSC NIS Technical Guidance, aligned with ISO 27001.
• Special “triggers” add further question sets around personal data, cloud services, payment card data and product security.
The risk level determines how many questions must be answered: the lower the risk, the fewer the questions; the higher the risk, the more questions are required. If a supplier does not yet have the required controls in place, the buyer may opt to accept a Cyber Implementation Plan setting out how the supplier will meet the requirements by a specified date or contract phase.
This tool gives Scotland’s public sector a consistent and proportionate way to gain assurance of suppliers’ cyber security, based on UK cyber security standards. Suppliers benefit from being able to reuse their answers across different public sector contracts, and from having a free means of testing their own current cyber security.
The tool has been launched as a beta, with the next generation planned for summer 2020, taking on feedback from the beta phase.