Safe, Secure & Resilient in 2017 - Scottish Business Resilience Centre

How to keep your business

Safe, Secure & Resilient in 2017 10

4

BREXIT: INFORMING SCOTTISH BUSINESS, BEFORE & BEYOND

BEST BAR NONE SCOTLAND NATIONAL AWARDS 2016-17

@SBRC_Scotland

@ [email protected]

in

Scottish Business Resilience Centre

14

SCOTTISH CYBER AWARDS 2016

15

SECURING SENSITIVE BUSINESS DATA www.sbrcentre.co.uk Issue 7 | 2017

2017 Forward Focus from CEO May we start this New Year with a genuine wish for you of success, safety, health and fulfillment. 2017 seems already to have hit the ground running at amazing speed and no signs of a slow down at all. @MandyHL_SBRC

We look forward to working closely with you in the next year and to supporting and representing your interests wherever we can – and we hugely value your support. The year has a number of events already planned, it’s astonishing to think that Best Bar None National Awards will be on us before we know it in March and interestingly, and this is a mark of the strength of BBN, we are struggling now to find venues big enough to take 450 guests. Also already underway, is the second Scottish Cyber Awards planning and news on this will come out later towards the summer. There is also activity planned for a retail event, a Cyber conference and a whole host of outreach, surgeries and partner roadshows – so if you need us or we can help, please do shout.

BECOME A MEMBER

One of our big events coming up is having the pleasure of inputting to the international Freight and Logistics event on Brexit coming to Scotland and we will have more news on this shortly. At Board level, our plans take us further in strengthening and developing all of the services we offer on Cyber and in particular we will be taking forward the debate on a proposed Cyber Hub for Scotland, encouraging Scottish business to help keep young Cyber skills here in Scotland, exploring the concept of a SOC for small business and launching with Police Scotland our trusted partners scheme. Our other big developing area is the roll out of our free online self-assessment tool '10 steps to Business Resilience' – this new and really easily accessible product will help business to

Understanding, supporting and acting as an advocate for our members is at the heart of what we do. We strive to exceed the expectations of our members, through the unique level of advice, support and expertise available through the Centre.

articulate its risk, gain clarity on where there may be opportunities to address vulnerability and equally importantly, where to go for help. We are very excited about these opportunities. As our services evolve, so the SBRC team has changes too and we pay particular tribute to three valued members of the team who have moved on to new roles, Matt, Breige and Varrie. Each of these colleagues and friends has played an integral part in our development as an organisation and every individual has contributed to our growth and range of skills. We owe each of them a debt of thanks for their contribution. We look forward to hearing of their future successes and wish them all the best for the new roles. Arriving, we will have details shortly of new office administrative support who will follow Tina Jackson into her role as Office Manager and we also welcome Chris Lewis our latest secondment from Police Scotland who is developing our retail and tourism links and support services. Also now in place is Graham Bye, whose role is to develop Cyber Essentials Standards in business across Scotland and also to expand the trusted information sharing platform SciNet. You are all extremely welcome. We hope that you enjoy this full and diverse edition and we thank you for your support. Mandy

What our members say

Please find some testimonials from our current members, on the value of being a member of the Scottish Business Resilience Centre.

Working in partnership with the Scottish Business Resilience Centre has helped to strengthen the relationship our members have with the Scottish Government and

Working in partnership with, and on behalf of our members, we are uniquely placed to provide a range of business security services and advice, and also act as an advocate and independent voice for our members. At the SBRC our unique connection to a wide range of expert bodies, including Police Scotland, the Scottish Fire and Rescue Service and the Scottish Government, enables us not only to keep abreast of current and emerging threats, but to use our knowledge and contacts for the benefit of our members.

A warm welcome to new SBRC members • Alexander Sloan • Encompass IT • Glasgow Credit Union

Enjoy the benefits of SBRC membership: A dedicated resilience manger to provide business resilience advice, guidance and support Gain access to SBRC’s wealth of experience and network of experts Network and profile your organisation with opportunities to knowledge share with industry experts at key events Opportunities to promote your own business objectives through the SBRC newsletter, website and twitter channels Invitation to attend our annual Parliamentary Reception In addition, we can provide any training and accreditations that are of benefit to you

And thank you to our renewing members: • AXA • Fairways • Royal Sun Alliance

2 | Scot t is h Business Res i l i e nc e C e ntre | I s s ue 4

Police Scotland and tackle forecourt crime more effectively. Kevin Eastwood, British Oil Security Syndicate

The ongoing support, review of physical and data security and professional advice we have received from SBRC has enabled us to better understand our risks, strengthen our defences and has greatly improved our resilience against current and future threats. Carolann Smillie, Lanarkshire Credit Union

Keeping your business Safe, Secure & Resilient

Did you know that nearly one in five businesses suffer a major disruption? With no resilience plan in place you have less of a chance of maintaining continuous business operations. By planning now, you can proactively ensure your resilience against unexpected, disruptive events that are likely to have a negative impact. The ‘10 Steps to Business Resilience’ selfassessment tool developed by the Scottish Business Resilience Centre is intended for businesses to proactively ensure their resilience. This online tool includes a series of questions that are designed to prompt internal thought about risk and risk appetite. It is quick and easy to complete and will provide you with an automated resilience report detailing the level of operational risk within your business, and suggestions for mitigation of identified risks.

The assessment covers the following topics: Keeping the show on the road Information Management Cyber Security Protecting Valuables Looking after Staff and Customers Selecting and Keeping Staff Supplier Management/Procurement Fraud Prevention Protecting the Brand Understanding and Managing Risk

“The amount of business resilience advice out there can be overwhelming. This unique online tool includes a series of questions that are designed to prompt internal thought about risk and risk appetite, and provides you with an automated resilience report detailing the level of operational risk and suggestions for mitigation. It is quick and convenient to complete, and I would encourage business owners to use '10 Steps' – it could well highlight weaknesses that save them from a future crisis.”

Benefits to your Business: The process is quick and user friendly

The areas of resilience covered are managed by experts

The risks covered are aligned to the insurance industry

Business owners never have to leave their place of work to complete the process meaning no disruption

The process and management are approved by the Scottish Government, Police Scotland and the Scottish Fire and Rescue Service

Automated reports mean that there are no delays in receiving results

Danny Quinn, Managing Director, DATAVITA

To find out more or to start your assessment, please visit www.10steps.co.uk

S c o t t i s h Bu s i n e s s R e s i l i e n c e C e n t r e | I ssue 7 | 3

Linda leads the line!! Linda Paterson, TSB’s Area Risk Manager in Aberdeen was recently recognised by the bank for her work in raising awareness of financial harm perpetrated on some of the most vulnerable people in our communities. Linda undertakes a huge workload to make sure that TSB customers are as safe as they can be and that the bank is partnered with a wide range of public sector organisations. Linda has engaged extensively with partner agencies from both public and private sectors through the Angus financial harm sub group of the Adult Protection Committee. This has enabled her to understand the various roles, responsibilities and objectives of organisations that TSB can work with to protect customers from financial harm. Her tireless commitment to ensuring that TSB staff are aware of financial harm risks to customers and her work with other banks and the SBRC has resulted in senior management within the bank rightly recognising her efforts and commitment. Linda has often provided advice, guidance and support to branch staff who have had concerns of customers being victims of financial harm. In this way she has enabled the bank to safeguard customer finances and activate community support for vulnerable people.

The excellence award was supported by the following comments from her senior management; Linda has taken the role of Fraud SME for the Scottish Team with great enthusiasm. She has established a network of contacts across the major banks in Scotland and is heavily involved with the local council (Financial Harm Sub Committee) and the Scottish Business Resilience Centre Banking Support Group looking at how we protect the vulnerable in our communities. She has ran road shows in branches in Angus primarily designed to educate and support our more elderly and vulnerable customers against ‘social engineering’.

Partners in the branches are aware of fraud issues due to Linda increasing the profile and encouraging partners to get involved in their local community. Linda has also recently had a ‘Fraud’ spot on local radio within Angus which was well received and looks like it may become a regular feature. Linda goes the extra mile here, is outward looking whilst at the same time ensuring that our customers receive the best possible advice. In particular there have been some terrific fraud spots in Angus; no doubt this has been down to Linda’s proactive approach. The road shows were two hour slots earlier in 2016 where Linda, along with Police, Local Authority Adult Protection or Trading Standards Officers attended the TSB branches to speak to customers in banking halls about Fraud and Scams, issuing leaflets and providing guidance. Further similar exercises are planned for 2017. Linda has also accompanied TSB branch managers to deliver awareness presentations to local voluntary groups.

The SBRC warmly congratulates linda for this richly deserved award and also TSB for providing her with the time and facility to support vulnerable customers!!

Brexit:

Informing Scottish Business, Before and Beyond

Distribution Industry Partnership Scotland (DIPS) & Secure Transport, Annual Conference

We are delighted to bring to you this topical conference that will take place on Wednesday 19th April 2017 at Hampden Park, National Football Stadium, Glasgow. Since the result of the Referendum, the UK has been dealing with the challenges of leaving the EU and the changes that this may bring to the business environment in the future. This conference is aimed at any company or industry sector that imports or exports goods to and from the UK or who obtains raw materials from abroad and faces the uncertainty of how their business

relations will differ at the conclusions of the negotiations. Article 50 will have been triggered, according to PM Teresa May, by the conference date, and this will be one of the first opportunities to consider, with some clarity, what contingencies will need to be considered during the negotiation phase and what the market place is going to look like at their conclusion. Confirmed speakers include Yousef Hamza MSP, Minister for Transport, and Neil Amner, President of Glasgow Chamber of Commerce and Chair of the Scottish Chamber of Commerce Economic Advisory Group.

If you would like to attend or exhibit at the event, please contact Stewart Hurry, DIPS Project Manager or Claire Melville, Events Manger on 01786 447441 or [email protected]


Did you make a New Year’s resolution this year? Have you ever asked yourself why people do this? The tradition evolved out of our desire to use the New Year as a springboard to break bad habits and develop positive new routines that will help us improve our lives in the coming year. So, with this in mind, and to help you get off to a great start in 2017 and become even more impactful and impressive, I decided to share my Top five Presentation Skills. Of course, as with

all things, most of this is common sense - it only becomes useful when you have memorised it and put it into practise until it is second nature. Before we start, the most important thing to

remember and keep on telling yourself is that your audience is there for a reason and the reason is you. They came because they want to listen to you and learn from you.

Now those tips: 1 What's your message? Unless your point is crystal clear and super simple, your audience just won’t remember it. So decide well in advance the one single thing you would like your audience to take away. And. Keep. It. Short. And. Snappy. 2 Tell them what you'll tell them. Tell them. Then tell them what you told them. Focus on the most important information you want them to hear and summarise it at regular stages of your presentation. 3 How will you get them involved? If you build interaction into your presentation, you will get more buy-in to your ideas. Break the ice. Tell a story. Include a video. Ask questions, or use a prop. Get your audience to participate and you are halfway there.

4 Do you get nervous? This is just adrenalin at play and even the best presenters fall flat without that magic ingredient. So work with it. Let that little voice inside your head keep reminding you that you're excited and motivated to make this a great presentation. Then get hold of the other voice – the one that tries to tell you you’re going to fail – and send it packing! 5 Practice some quick, calming, deep breathing techniques before you start. Sit with your eyes closed. Think of a memory of when you were relaxed and calm. Focus on how you felt. What do you see? What do you hear? What do you feel? Really engage with that calm feeling. And hang on to it. When you need a check in to keep you calm, recall that lovely relaxing picture.

The brain is an amazing muscle. But to keep it fit you need to train it, just like any other muscle. For more information email me at [email protected] or follow my Facebook page (Kingscavil Consulting Ltd). Kingscavil Consulting Ltd (KCL) is a small, but perfectly formed, training and coaching consultancy founded by business coach, trainer, motivator and mentor, Andonella Thomson. Fully accredited and with almost 30 years' experience, Andonella works with corporate and private clients from diverse walks of life, yet with one thing in common. They all require a nudge to help them go beyond their comfort zone.

 [email protected]  07803 083279.


New CounterTerrorism Partnership for a

Safer Scotland The tragic events in Berlin just prior to Christmas 2016 are a further reminder of the threat to our safety and security posed by terrorism. The attack on the Christmas Market was not sophisticated but had a very significant and wide reaching impact.

The threat to the UK from international terrorism remains unchanged at SEVERE, as it has been since August 2014, meaning an attack is highly likely and the message to the public and the business community continues to encourage everyone to be alert but not alarmed.

Under the banner 'Working Together More Effectively - A Security Industry Perspective’ the purpose of the day was to develop existing relationships between the host organisations and the private security industry and to identify innovative new ways of working together in the future.

In response to the continued threat, and to coincide with the Counter Terrorism Awareness Week, a new integrated counterterrorism initiative was commenced at the Scottish Police College on 5th December 2016. The event was intended to be the start of a longer programme of activity to bring together key representatives from the private and public sector to create an even stronger partnership to make Scotland safer from the terrorist threat.

The programme included a series of presentations by the SIA, Scottish Government and Police Scotland covering the current threat assessment, the strategic

The workshop was hosted jointly by the Scottish Business Resilience Centre (SBRC), the Security Industry Authority (SIA) and Police Scotland. The event was attended by over 50 key representatives from Scotland’s security industry as well as sports stadiums, universities, large retail centres and the night time economy sector.


approach to countering terrorism through CONTEST and CT products such as Project Argus and Project Griffin which are delivered by SBRC and Police Scotland. The core workshop element, facilitated by the SBRC, led the audience through three fundamental questions relating to current success, barriers and future opportunities. The lively discussion that ensued generated a large volume of information which will form the basis for the next steps in the initiative.

Commenting on a hugely successful event, Ronnie Megaughin, Deputy Chief Executive of SBRC said: “The SBRC exists to support businesses in Scotland in their efforts to trade and prosper securely. We are mindful of the role that businesses play in ensuring the safety of their employees, customers and the wider communities in which they operate from the threat of terrorism. This event focused on how that could be achieved through stronger collaboration with public sector partners and the security industry. I believe this initiative has moved us forward in understanding both the opportunities and obstacles. We are fully committed to continuing this programme of work, which will ultimately contribute to keeping people safe”.

Helping Protect Scottish Business against the Influence of Serious Organised Crime

What is Project JACKAL? In 2014 Police Scotland launched Project Jackal to improve the capture of financial and business intelligence, particularly in relation to Serious Organised Crime Groups. The mission was to improve understanding of the way Serious Organised Crime interacts with business, in particular to identify: KEY CAPABILITIES KEY ENABLERS KEY VULNERABILITIES in order that, together with our partners, we ensure Scotland is a hostile business environment for Serious Organised Crime.

Protect against the influence of Serious Organised Crime A key element of this initiative is to help Scottish Business protect itself from the harmful effects of becoming involved with Serious Organised Crime or businesses which are financed with the assistance of Serious Organised Crime, whether wittingly or unwittingly. Asking yourself the following three simple questions may help you consider whether a new business partner, customer or supplier offers a relationship really worth having. Is this deal too good to be true? If you can’t understand how the deal works for the other person, maybe you should ask yourself why they are doing it. Why is the money coming from or going to a different place? Are you being paid with funds that belong to the party you are dealing with? This is a common symptom of what is known as Trade Based Money Laundering, and you may end up unwittingly involved in a money laundering enquiry.

Does this company really have any substance? Companies connected to Serious Organised Crime have a habit of becoming unexpectedly insolvent. In addition to normal credit checks, here are a couple of additional ways to get the right feel that a prospective new relationship is all it seems to be: Open Source Footprint – Do they have a presence online? If not, how do they reach their customers? Does the website enable you to contact real people or does it ask you to submit an email? A professional website that offers tangible means of assessing business substance is a good basis for determining that the business you are dealing with is genuine. Also: consider doing a Google search on the principals – you

IF IN DOUBT, CHECK THEM OUT

never know what you might find. Companies House Information – This is a free and definitive source of valuable information about companies and their directors. It can be obtained at www.companieshouse.gov.uk. Core questions get answered here, such as: Has this company filed accounts? What do the accounts tell you about profitability and financial substance? Do the directors have a record of being involved with companies that have been liquidated or struck off? Corporate delinquency is a common symptom of businesses and individuals who are connected to Serious Organised Crime. At the very least, this information you can get from this free source gives you an insight into the type of person or company you are really dealing with. Make it your habit to use it – it could save you a lot of grief. Getting involved in business relationships with companies or individuals connected with Serious Organised Crime can bring with it a lot of trouble you didn’t bargain for, including: Financial loss Involvement in police investigation Loss of reputation Psychological and/or physical threat or harm

The best protection against these kinds of threats is undoubtedly to take steps to avoid getting involved with SOCG connected businesses before they arise. Serious Organised Crime distorts markets and inhibits fair commerce. By protecting yourself you protect the health of Scottish business and the Scottish economy. If you are suspicious of a business please contact Police Scotland by calling 101 or via the website http://www.scotland.police.uk/contact-us/contact-us-form

 www.hmsecurityservices.co.uk


Cyber Security Solutions On October 6th, Quorum Legal and Quorum Cyber attended the Law Society of Scotland’s “Technology and Cybercrime Conference” in Glasgow. The aim of the conference was to educate the audience on optimising technology and raising awareness of cybercrime risks. The conference covered a number of different technological problems and warned of the many different issues and problems that everyone needs to watch out for but the technological challenges are changing on an almost weekly basis. This got us thinking about how IT strategies and services come into play.

and forcing all firms to check how their suppliers are managing data.

Every organisation is struggling with how to deal with these evolving threats to their business and the data that they hold. Current data protection regulations pose enough of a challenge for most law firms so the advent of GDPR and the size of any potential fine for a breach radically changes the approach that all firms need to be taking in storing and handling sensitive data. B2B demands are also changing

So where does this lead and how do you get there?

The challenge that this will pose every firm is significant at a time when everyone is already struggling with increased competition, decreasing margins and client demands for access to information 24x7 on their mobile phone.

It really starts with business strategy and risk. Where is your business heading and what are your clients demanding? What are the risks associated with this strategy and is a change of strategy required to reduce the risk of either data loss or a more traditional PI claim? This should then help

As a true end-to-end managed service supplier, Quorum Legal can produce a technical roadmap and align this as far as is practical to your business aims. We will deliver this with minimal disruption and can smooth your business and IT transformation with our business change management expertise. Quorum Cyber is a dedicated Cyber Security company, offering end-to-end Cyber Security. The combined power of the two firms enables us to confidently undertake and underwrite IT and Security transformation programmes, as well as help businesses reduce the burden of IT and Security resources either by our managed services offerings or by providing vetted and trusted resources.


identify where you want to take your firm. You then need an IT strategy and road map that will help you get to where your business strategy is taking you. In Quorum’s experience, the following issues are common in small IT teams: Increasing complexity of IT environments. Risks of key man dependencies. Insufficient breadth and depth of skills. Staff motivation and retention. Support coverage – monitoring, maintenance and response. Being able to flex resourcing as business requirements change.

Cyber Security starts in the datacentre

With the news full of high profile cyber security breaches over the last couple of years, understandably most people, when they think of securing their business against such an attack, think of the electronic security measures they can take. By “electronic security” I mean everything from firewalls, intrusion detection/ prevention software through to advanced next generation threat detection services. However, many organisations often overlook the physical security around their datacentre (where all those critical assets and data reside) and the people that have or can gain access to it. It is often the simplest of security breaches that cause the most damage and rarely get publicised as they can cause more damage (actual and reputational) to the organisation. Imagine having to explain to your customers that someone just walked into your datacentre and took their data or wilfully caused an outage to your IT systems. This happens more than you would think. It is not a surprise to me when I meet organisations who invest in electronic security measures but continue to store their data in a self-built server room in their own office with little physical security

or monitoring. At best, they will have a single factor lock on the door and perhaps a basic CCTV set-up. Who checks who has access? How do they prevent tailgating of unauthorised people? What about security on the racks? Just because someone has access to the server room, doesn’t mean they should have access to every rack. What if someone forced entry out of hours? Who watches your IT staff? A good security model is based on people, process and technology and the physical security of the datacentre should be equally as important as the electronic security of the data. There are lots of arguments to move away from owning and operating an in-house datacentre/server room and use a colocation datacentre. Reduced cost, better service and of course better physical security being amongst them. I’m sure many of you will be thinking the obvious argument against this – “If I move my equipment

into a shared data hall in a co-location datacentre then surely that is a risk as other organisations have access to the same area”. You would be forgiven for thinking this if you haven’t visited a facility such as the Fortis Datacentre, operated by DataVita, just outside Glasgow. At DataVita we operate a layered security model that starts with our staff, who are all security cleared to the government standard and undergo regular security awareness training on our policies and procedures, including training against “social engineering” attacks. Our facility is staffed with a dedicated 24x7 security team that monitor all our ten layers of physical security. Our customers are alerted to any security incidents (of which we have had none to date) and have access to an audit trail the covers every aspect of access and activity from entering our outer car park right through to an alert that is generated every time one of their racks is opened. This in turn can be correlated to HD CCTV footage front/back of the rack.

If you would like to understand how you can improve your datacentre security then contact DataVita on [email protected].


NATIONAL AWARDS 2016-17 Best Bar None Scotland are delighted to announce details of our National Awards which will be held on 30th March 2017 at the Hilton, 1 William Street, Glasgow. Applications are now open across Scotland for the following categories.

HEADLINE SPONSOR Our Best Newcomer Award will be sponsored by BEN – The Benevolent Society for Scotland’s Licensed Trade, who support persons who have come upon hard times “caring for the people of our trade” is key to engaging with the younger generation who work in the industry and we are delighted that BEN are supporting our National Awards. SGL Securigroup are also working with the Awards Team and will be sponsoring one of our Awards.

Mainstream Categories

Best Pub (Category 1) Best Independent Pub (Category 2) Best Bar (Category 3) Best Independent Bar (Category 4) Best Hotel Bar (Category 5) Best Nightclub (Category 6) Best Specialist Entertainment Venue (Category 7)

Unique Categories Heart of the Community (Category 8) Best Newcomer (Category 9) Innovation in Social Responsibility (Category 10)

Sponsored by

Sponsorship Opportunity Is your company involved with the licensed trade industry or would like to be? By sponsoring an award you can play a featured role in what is sure to be one of the biggest nights in Scotland’s Licensed Trade calendar. Sponsor an award category Company logo to feature on all materials Company brand and logo in social media activities in advance and post event Company branding on the AV screens on the night

10 seats at the awards dinner including a 3 course dinner and allocation of wine Logo displayed on the evening PowerPoint Opportunity to represent and present your award Access to post event photographs Mention in all post event literature Networking at the event with circa 450 licensed trade representatives

If you would like further information, please contact Arlene Campbell, National Best Bar None Lead, Scottish Business Resilience Centre at  [email protected] or Event Coordinator Claire Melville  [email protected]  01786 447 441

Further information on Best Bar None Scotland can be found on the Best Bar None Scotland website www.bbnscotland.co.uk 10 | Sc ot t i sh Business Re s i l i e nc e C e ntre | I s s ue 7

Exciting New Partnership Announced with Best Bar None and Drinkaware

Best Bar None Scotland and Drinkaware working together to promote social and responsible drinking. Best Bar None Scotland (BBN) continues to promote social and responsible drinking in Scotland by partnering with Drinkaware, an independent charity working to reduce alcohol misuse and harm in the UK. BBN supports Scotland’s licensed premises in developing their standards and innovative practices and includes other partners, Diageo, Molson Coors, Heineken, Tennents, Maxxium UK, Chivas Brothers, Police Scotland, the Scottish Fire & Rescue Service, the Scottish Licensed Trade Association and the Scottish Government.

Finally a round up of our Local Awards over the last 2 months – check out the BBN Scotland website for details of all our winners around Scotland. www.bbnscotland.co.uk/ awards/local-awards/

Edinburgh – 17th November 2016

All of these will work with Drinkaware on a range of new initiatives across the country. The first partnership project sees Drinkaware Crews in Glasgow with BBN venues, SWG3, The Garage and The Cathouse launching prior to the festive period and the “Crews” will be present on an ongoing basis, to support customer safety in the venues into 2017. The trained Crew staff are there to help vulnerable people who have drunk too much, lost their friends and provide first aid if required. Alongside this, Drinkaware will sponsor the ‘Innovation in Social Responsibility’ award at

Glasgow – 10th November 2016

Falkirk – 8th January 2017

the upcoming Best Bar None Scotland National awards on the 30th of March 2017 in Glasgow. This award will be given to a venue which has demonstrated a unique way of promoting social and responsible behaviour within their premises in support of the Public Health Licensing Objective. Commenting on the newly formed partnership, Drinkaware’s Chief Executive, Elaine Hindal said: “Working together with Best Bar None Scotland has allowed us to offer a comprehensive support package around responsible drinking in the night time economy. We are sponsoring the innovation in social responsibility award for Best Bar None Scotland which we hope will encourage the best ideas and interventions to be recognised. “This follows our recent partnership with Best Bar None Glasgow to bring our Drinkaware Crew scheme to three venues in the city and I’m very grateful for their support in helping make this happen. “The trained Drinkaware Crew can bring a new dynamic to venues, which means people in vulnerable situations have someone who is there to spend as much time as is needed, to make sure they are looked after and that they can either enjoy the rest of their night or get home safely.” Mandy Haeburn-Little, Chair of Best Bar None Scotland commented: “Best Bar None Scotland is delighted to announce this important partnership with Drinkaware as it will help to further promote responsible behaviour in venues in Scotland. We’re looking forward to working closely with the Team at Drinkaware and developing the Crew Scheme into other areas in Scotland and through future initiatives. We see this as yet another positive step in supporting a safe night out across the country.”

Aberdeen – 8th November 2016

Inverness – 9th January 2017

Airdrie & Coatbridge – 11th January 2017

S c o t t i s h Bu s i n e s s Re s i l i e n c e C e n t r e | I ssue 7 | 11

Cyber Security Challenges for SMEs We believe it is too simplistic to create boundaries between large enterprises and SMEs in todays interconnected world, as a weak link to the chain leads to exploitation of the whole. In this article we investigate the importance of SMEs and the challenges that may be encountered in implementing Cyber Security.

Introduction and Background The innovative products and services produced by Scotland’s private sector over the years are renowned. As a result, the development of the Scottish private sector is important, but more important is the Cyber Security Business Resilience of “Small Medium Enterprises (SME)” that make up a larger proportion of the private sector and contributes significantly to the economy as shown by the below statistics from Scottish Government - www.gov.scot

2014 2015

Agrculture, Forestry and Fishing Mining and Quarrying; Utilities Manufacturing Construction

Industry Sector

Motor trade incl. vehicle repairs Wholesale trade Retail trade incl. fuel sales Transportation and storage Accomodation and food service activities Information and communication Financial and insurance activities Real estate activities

Professional, scientific and technical activities Administrative and support service activities Education Human health and social work activities Arts, entertainment and recreation Other service activities 0

10,000

20,000

30,000

40,000

50,000

Enterprises Chart 1: Estimated number of private sector enterprises operating in Scotland, by industry sector, 2014 and 2015

12 | Sc ot t i sh Business Re s i l i e nc e C e ntre | I s s ue 7

60,000

As at March 2015, there were an estimated 361,345 private sector enterprises operating in Scotland. Almost all of these enterprises (98.3%) were small (0 to 49 employees); 3,870 (1.1%) were medium-sized (50 to 249 employees) and 2,295 (0.6%) were large (250 or more employees). As at March 2015, there were 359,050 Small and Medium-sized Enterprises (SMEs) operating in Scotland, providing an estimated 1.2 million jobs. SMEs accounted for 99.4% of all private sector enterprises, accounting for 55.6% of private sector employment and 39.4% of private sector turnover.

Challenges faced by SMEs SMEs encounter the same level of Cyber Security threat as large companies and thus they should take the deployment of security controls as serious. As new technology platforms are introduced such as cloud based platforms-for file sharing, financial transactions and billing and mobile platform- for transaction payment; the interconnectivity between SMEs and large companies is greyed. This interconnectivity, may lead to a hacker utilising an SMEs as a stepping stone to compromise a large company via these platforms. SMEs are more likely to accept the policy of BRING YOUR OWN DEVICE (BYOD), the risk introduced by this policy is that SMEs have little control or visibility over these devices and there is no assurance that employees are as security- conscious or responsible as SMEs operating the corporate network. This encourages hackers to target SMEs

employees rather than to compromise the SMEs itself due to vulnerabilities introduced by BYOD. SMEs inability to carry out adequate risk assessment to protect their assets is a course for concern, as the benefit of downloading free open source applications from the internet by employees to increase productivity should not come at a cost of having a highly secure network that is well-fortified against malicious attacks as well as security breaches brought about by employee misuse or error. The risk is that SMEs may not have appropriate usage policies to guide employee and the skill set to manage these applications securely.

64 of the 300 allocated grants have been applied for. We believe the following are needed to boost SMEs Cyber Security: -

provided for SMEs to acquire these skill sets. We recommend a SMEs accessible web portal that includes - best practice documentation on policies and system configuration, secure and possibly free technical security controls and a detailed frequently asked questions menu.

Possible Support for SMEs Regulatory Compliance To ensure compliance reaches the grassroots, SMEs meeting Basic Cyber Security before winning any public tender must be enforced and larger companies must be obligated to provide evidence of basic cyber security assurance of their supplier chain before being awarded a public contract.

A good method of adopting Basic Cyber Security is to implement Cyber Essentials Scheme. Cyber Essentials focuses on two certification levels Cyber Essentials Basic certification, achieved through self-assessment, Cyber Essentials Plus gained through onsite vulnerability assessment via authorised company like NetHost Legislation

Government Support The Scottish Enterprise invested in the Cyber Essentials by providing grants of £5000 to SMEs toward their certification. However, our freedom of information request revealed in August 2016 that only

1- Awareness A Scottish Wide Cyber Security campaign should be launched to breach the gap between the government initiatives and the knowledge of this initiatives by SMEs. This campaign should be via several channels- TV, radio, training, seminars, workshops, competitions and others. To attract maximum participation, the campaign should be held at several locations in Scotland, in collaboration with different industrial associations, institutions, Universities and other unions. 2- Virtual Cyber Security Officer As few SMEs employ dedicated information security personnel and lack the skill set to ensure the safeguard of assets, it is important that alternate means are

3- Security incident notification portal To better understand security trends within the SMEs community, build resilience, draft appropriate polices, design effective technical controls and simply be ahead of the curve, we need to gather data on the threat, impacts of these threats and how the SMEs community are addressing these threats. To do this effectively, we need to gather, record and perform trend analysis; but importantly encourage SMEs to provide security incident data to appropriate agents.

About the author Dr Abiola Abimbola, PhD has been in the information security industry for over 15 years and worked in telecom, financial, and educational sector amongst others. Currently part of NetHost Legislation security team in Aberdeen, Scotland. Email: [email protected] S c o t t i s h Bu s i n e s s Re s i l i e n c e C e n t r e | I ssue 7 | 13

2016 saw the launch of the Scottish Cyber Awards and what a spectacular first year it was. The enthusiasm and appetite for the awards was evident from the very beginning with sponsorship being highly sought after and selling out within a few days. This theme continued and tickets for the awards never made it to general sale.

AWARD WINNERS I would like to take this opportunity to thank our headline Sponsor PwC, award supporter Scottish Enterprise and all our award sponsors; RBS, SOPHOS, Matrix Risk Control, SQA, Everbridge, KPMG, Scot Tech Engagement, 7Elements and Fujitsu who seen the vision and benefits of the Scottish Cyber Awards and without them this event would not have been possible. The number and quality of awards entries were outstanding for the first year and all applicants should be incredibly proud of what they have achieved and we would encourage them all to consider entering again this year and spreading the word to likeminded colleagues and businesses. The Awards came to a spectacular close on Wednesday 16th November 2016 at the Waldorf Astoria in Edinburgh.

The sell-out event was hosted by Brian Higgins from (ISC)2 and were delighted to have Cabinet Secretary Derek Mackay in attendance who provided the ministerial address. A huge congratulations to all our deserved winners and it was a delight to see the sheer joy on their faces as they won. The excitement from everyone created a real buzz on the night. The Cyber Awards has now been firmly cemented into the annual cyber calendar which also includes conferences, awareness presentations and the Christmas lectures. Planning has started in earnest for the 2017 awards so watch this space for sponsorship opportunities and entry deadlines. This year is sure to be bigger and better and we can’t wait.

Best Cyber Start Up 2016

Net-Defence Ltd Award sponsored by RBS Best New Cyber Talent 2016

Harry McLaren Award sponsored by Sophos Cyber SME Defender of the Year 2016

7 Elements Ltd

Award sponsored by Matrix Risk Control (UK) Ltd

International Contribution to Cyber Security 2016 ZoneFox Award sponsored by Everbridge Outstanding Woman in Cyber 2016

Dr Natalie Coull

Award sponsored by Fujitsu

Cyber Resilient Community Impact Award 2016

Glasgow Caledonian University Award sponsored by KPMG Leading Light Innovation Award 2016

Law Society of Scotland Award sponsored by 7 Elements Ltd Cyber Evangelist of the Year 2016

Bill Buchanan

Award sponsored by Scot-Tech Engagement Cyber Security Teacher of the Year 2016

Scott Hunter

Award sponsored by SQA Collaboration with Police Scotland 2016

vSoc/DFETEdinburgh Napier University Cyber Security Challenge UK Scottish High School Winners 2016 Kyle Academy

Cyber Security Challenge UK Scottish University Winners 2016

University of Edinburgh Champion of Champions


ZoneFox

Award sponsored by PwC

Securing sensitive business data One of the most significant areas of any business is the security and integrity of business data, and how you protect your company data.

Keith Griffiths, Encompass IT If your data has been damaged, stolen or encrypted with ransomware then businesses can close their doors and call it a day. You might think this is harsh but it’s a reality that affects UK businesses every year. Malware and Cyber Attacks are on the increase and we all need to play our part in protecting and securing company data. The UK government have been working hard to deliver a robust system which enables business owners to think more about data security and to take more of a hands-on approach to hardening their internal systems by using a program called Cyber Essentials (Department for Business, 2015). This is a strategy designed to look at a business’s internal security infrastructure, it works by mapping out a business’s internal network and identifies vulnerabilities. This test classifies weaknesses within a company’s security IT infrastructure and offers a simple system of pass or fail. There is a limited number of companies in the UK that can offer this type of service to businesses. Just by tightening up your internal security systems you can prevent a data breach or Malware attack on your business. One secure way to protect your business data is to have an up-to-date data backup and an archived backup in case your backups become infected. When backing up and securing data it’s essential to go through a series of processes to make sure you’re backing your data up correctly and testing the integrity of your data. This solution is not focused just on large companies; we all need to play our part. Small business owners and mediumsized business owners need to look at

securing their data from the ground up. I can’t stress enough about the importance of data security, and it all starts with identifying vulnerabilities within your internal IT infrastructure. Once you have identified a security vulnerability you can take action and further harden your internal system. It only takes a moment to infect a system and it can take hours, days or weeks to rebuild your system. Just ask yourself… what impact would this have on your business if your system went down for 1 hour, a full day or a week?

Should we be concerned about company data?

It’s a matter of perspective, understanding and taking responsibility when it comes to company data. With the best will in the world, people become complacent with systems and don’t check and cross check work they do. This can create a very serious vulnerability within a company, and that’s why it’s important to take the lead at times and look for vulnerabilities within a business network as this can prevent a headache further down the line.

So what’s the solution?

There are many processes we could look at in relation to internal network security protection, and each system is unique to each company. However, we should always have a base system to work towards. We have put together a basic 6-point checklist, why a six-point checklist? See below.

6-point checklist

1 Create a backup plan and map all folders and drives you want to backup.

2 Get an idea of your folder sizes you want to backup.

3 Work out whether you are going to use an onsite or offsite backup solution. Or both. 4 Create a scheduled backup of your data. 5 Reinstate your data frequently, as this helps make sure your data is consistent. 6 Create archived backup in case you need to revert back to an earlier time. After you have gone through this checklist, enforce this process as company policy with your Team Leaders, and Managers. This backup solution should be given to your in-house IT staff, get them to create a robust backup system and check their work daily or weekly. This process will help to save jobs, company data and gives you piece of mind knowing your data is safe and more secure than it was yesterday. Data security is not a perfect science, we use data security and data security checks only to enforce the stability of company data and network resources. The loss of data can be detrimental to any company as the backlash can result in a loss of jobs.

References Department for Business, E. &. (2015, February 3). Cyber essentials scheme. Retrieved from https:// www.google.co.uk/#q=uk+goverment+cyber+ess entials

Creating a guided list enables you to work through a basic process which can be modified and tailored to your securing your business data right away and it’s a good place to start, consider the following:


It all BEGINS and ENDS with Encryption No matter what malicious activity you are trying to defend against, without a robust GDPR-compliant Data Protection Policy, encrypting all data by default, you will inevitably fall victim to data breach. As a result of the planned browser deprecation of unencrypted web pages involved in collecting personal data from the 31st of January (marking pages as NOT SECURE), every organisation should be tackling their data encryption state first before buying the next Turbo-charged firewall or Cyber Intelligence software breakthrough. It is all about getting the foundations right.

Regardless of how many layers of traffic filters and blockers you have in place, it only takes one successful attack to bring an organisation to its knees – often in the full glare of bad publicity.

Start with the basics: Ask yourself why Cyber Criminals use Crypto Keys to inject Ransomware and you have the real reason why you should encrypt all data. Unencrypted data is the target, and when they lock yours up because you forgot to encrypt it, they’ve hit the bullseye and you are trapped.

The deadline for GDPR compliance in May 2018 is coming fast, and failure to comply will leave organisations liable for fines of €20m (£17.5m) OR 4% of their annual global revenue – WHICHEVER IS THE GREATER. It’s time to start encrypting everything.

There are no limitations now to deploying ALWAYS-ON encryption. Crypto technology costs, network overheads, and crypto management costs are no longer barriers to protecting and identifying every asset on your network. You even have the ability to inspect crypto traffic now, so there is literally no excuse, and that is why DATA ENCRYPTION has to be the first line of defence against Cyber Attack for any organisation.

It is essential to every good data encryption deployment that it includes the ability to have every user, device and service authenticated as Trusted. Until now PKI has been the only reliable, proven and robust answer to what often wrongly seen as a complex, mammoth and costly endeavour. Advances in Blockchain technology however, may provide the long-term answer to securing heterogeneous digital ecosystems via an encrypted Chain of Trust.


1 Commission a Crypto Audit across your enterprise network https://goo.gl/lqNs3n

2 Deploy SSL Encryption on all unencrypted connections/end points.

3 Prioritise the encryption of all data at rest. 4 Manage and Monitor all Crypto deployments via a Crypto Monitoring service. 5 Strategize for the next 5-years and consider Blockchain as a credible solution to staying a step ahead of the Cyber Criminals. Fund these actions at a fraction of the cost of recovering from a breach and paying fines. Start with a FREE AUDIT https://goo.gl/lqNs3n

The Russell Group has invested over £40,000 in the past three years by placing forward-facing cameras in each of its 200+ road vehicles, helping to identify the causes of accidents and improve driver performance. To highlight the company’s belief in the system, it by-passed a trial phase and completed the full roll-out in one go, including training drivers to use the Smartwitness SVC100 vehicle journey recorders. The 170-degree forward-facing cameras are mounted at the top of the windscreen, where they don’t affect driver visibility, and Group Safety Manager Jim McCubbin says the take-up from the employees has been fantastic. “We thought there may have been some hesitation from drivers, but as soon as we explained the purpose of the cameras towards safety, and that they only filmed the road, not the drivers, everyone was on board,” said Jim. “The cameras have proved invaluable to our company as they are able to show the circumstances in the event of an accident which has had a huge impact so far. The number of claims has significantly reduced and we’ve been able to use the data to defend claims of wrong-doing, as well as help drivers to improve their performance.” Footage can be paired with GPS and

telemetry data to identify the causes of, for example, hard braking or aggressive cornering. “We can also review the footage to see the cause of accidents,” he said. “We can take the information and use it as a training tool. Our drivers appreciate this, rather than just classroom theory, as it’s what they have really experienced on the roads.” “The safety of our drivers is hugely important to the Russell Group and is at the core of what we do. We want to do everything we can for the safety of the public and our drivers, and this investment

is already paying dividends.” Carntyne Transport, part of the Russell Group, has just invested in KP1S, the latest version of the Smart Witness camera, for its new fleet. This version has even more capability by using 3G video transmission to provide instant notifications and videos of incidents in less than one minute. The Russell Group are continually looking at the most up-to-date ways to provide safety for Britain’s roads and due to the fast pace of technology in this industry there are always new measures to look out for.

About the Russell Group Russell Group is a leading transport and logistics provider committed to delivering high value solutions across the UK and Europe. Consisting of John G Russell (Transport) and Carntyne Transport, the Group offers a complete range of warehousing and distribution services by road, rail and sea. With strategically located depots offering nationwide coverage, Russell Group has the resources and knowledge to work in partnership with its customers to proactively manage the supply chain, enabling customers to focus on their core activities.

www.johngrussell.co.uk


New Year, New Plan!

New Year, new plan, they say. What’s your new plan? Considering a branding refresh or new website? Then you might want to take a good look at the name you use on-line. When considering the domain name you use, apart from the traditional .com, .org or country codes like .uk, a whole raft of new Top-Level Domains (gTLDs) are now available you might want to consider. There are new gTLDs for locations like .paris or .berlin, activities like .photography and .accountant and yet more which are just fun, such as .ninja and .xyz. There’s even a .pizza! So popular are these new names becoming that while .com sales are slowing, the new ones are really flying with nearly 28 million registered already. Here in Scotland we now have our own .scot gTLD, designed for Scottish companies and organisations and allow the worldwide family of Scots to highlight their connection to Scotland’s culture, people, business and produce. The domain has been incredibly popular - you can find .scot websites currently operating in 43 countries around the globe, it’s now one of the most successful community gTLDs in the world. One of the big advantages of new gTLDs, such as .scot is that it’s much easier to get the name you want, all the better for showing off your products or services. Why settle for some obscure, long-winded domain name when you can get a short snappy one which your customers will more easily remember? If you redirect your old domain to your new one (hopefully .scot!) your Google ranking is even maintained. A true

Update on Operation Scandium – Scrap the Cash Campaign December 2016 saw the implementation of Phase 2 of ‘Operation Scandium’ funded ‘Scrap the Cash’ CRIMESTOPPERS Campaign, highlighting the changes to the legislation governing the Scrap Metal Industry.

win-win. But the real bonus with new gTLDs is security and resilience to cybercrime. For instance, if you take payments on-line then you may be worried about socalled ‘man in the middle’ attacks where criminals break into the transaction chain between you and your customers to do their evil deeds. Here .scot, like all new gTLDs offers a feature called DNSSEC which effectively deters such attacks. Great for you and your customers alike. At .scot we take security and resilience even further. For instance all the domain data which we are obliged to maintain is held in the UK rather than the US and therefore subject to much more rigorous UK and EU data protection regulations and we use EU-based servers where operation is governed by their stricter privacy policies. We also employ ‘Anycast’ technology, one of the most powerful solutions

against crippling Denial Of Service attacks. Our policies even allow us to work with you against cybersquatters, one of the most annoying problems on the Internet. Preventive measures are better than any cure but bad things do happen from time to time, so we continuously monitor all .scot domains for signs of malicious activity and should we spot anything of concern we let you know straight away, helping you take steps to maintain your reputation - and your customers.

So if you fancy a domain name that is easy to remember, easy to find and provides state of the art security and resilience, consider .scot! Visit our website at dot.scot for more information or catch us on Facebook, Instagram or Twitter.

The campaign involved billboards located on main arterial roads close to Scrap yards with the ‘Scrap the Cash’ logo on them for a period of two weeks. In conjunction with this the Scottish Business Resilience Centre (SBRC), British Transport Police (BTP), the Scottish Environment Protection Agency (SEPA) and various other partner agencies participated in Police Scotland’s lead days of action targeting the illegal transport of metal on our roads. Jim Scott Metal Theft Lead at the SBRC said “These partnership days of action are an excellent way of not only detecting persons and vehicles involved in Meatal Theft but also highlighting to individuals who may not be entirely sure what is required by law under the new legislation”. Phase 3 of the CRIMESTOPPERS Campaign will commence in March 2017. Since the changes to the legislation took effect, there was an initial significant

decrease in metal related incidents. (approx. 52%) as a result of partnership working and a large reduction in the price of materials such as copper and lead. Through November, December and into January 2017 there has been a sizable increase in the cost of copper (approx. £4,000 per ton as of 09 Jan) and lead (approx. £1,300 per ton as of 09 Jan) unfortunately this has in turn shown a slight increase in metal related incidents, which include £20,000 worth of catalytic converters stolen from one yard, and several large lead thefts from buildings including one school. It is anticipated that these prices may rise even more over the coming months so we ask all our partners and readers to be as vigilant as possible. The SBRC will continue to work with our key partners to highlight hotspot areas and assist in deterring this type of criminality.

The Metal Theft web site is now fully up and running and I would ask anyone with any questions relating to metal theft to have a look at the website, which can be found at www.sbrcentre.co.uk or contact Jim Scott at the SBRC on 01786 447441.


The Scottish Grocers’ Federation (SGF) is delighted to announce a major retail crime seminar, which offers superb exhibition opportunities. The SGF plans to have 200+ delegates in attendance on the day. CONFERENCE THEME AND AIMS The Scottish Grocers’ Federation – the national trade association for the convenience store industry in Scotland – is holding its annual Retail Crime Seminar on 15th February 2017 at the Police Scotland College, Tulliallan Castle, Kincardine in Fife. The day starts at 10am with the exhibition and the seminar itself will run from 1pm, followed by breakout sessions between 2pm and 4pm.

The purpose of this seminar is to launch the findings of the 2017 retail crime survey conducted by the Scottish Grocers’ Federation.

presentations from Key speakers, complimentary lunch/refreshments and FREE ACCESS TO BEAKOUT SESSIONS

The competitively priced exhibitor package is available for £295 + VAT:

Opportunity to provide promotional materials for delegates at exhibitor stand.

Exhibit within the main Assembly Hall for the duration of the seminar, company logo and contact details in the event programme and on the SGF App, Two delegate places including access to

Places are limited book now by emailing: [email protected] Or call 0131 343 3300

Cyber Security Made Simple

ONLINE FOOTPRINT ASSESSMENT

SUPPLY CHAIN RESILIENCE EXERCISE

SOCIAL ENGINEERING RESILIENCE EXERCISE

SOCIAL MEDIA RESILIENCE EXERCISE

CYBER SECURITY ASSESSMENT

CYBER CONTINUITY RESILIENCE EXERCISE

NETWORK INCIDENT HANDLING

WEB APPLICATION TESTING

We provide a comprehensive range of cyber security services for businesses visit www.sbrcentre.co.uk for more information S c o t t i s h Bu s i n e s s Re s i l i e n c e C e n t r e | I ssue 7 | 19

How Safe is your Business? The objective of the Scottish Business Resilience Centre is to create a secure Scotland for business to flourish in, regardless of size or sector. That’s why we are hitting the road again, offering FREE business resilience advice and guidance, required to stay safe, secure and resilient to the SME business sector throughout Scotland with a series of outreach events. We know that your time is a valuable resource, that’s why our outreach programme of events will be delivered at your place of work, or a location of your choice - you don’t need to spend any time travelling to attend. It doesn’t matter if your business is in Edinburgh or Orkney, as long as it is in Scotland, and you can provide the venue, we are happy to come to you to deliver training on any of the topics below:

Cyber Crime Awareness This presentation will explain the real risk all businesses face from cyber crime and the simple steps that businesses can take to minimise this risk.

10 Steps to a Safe, Secure and Resilient Business.

Highlights key areas for businesses to proactively check their systems, procedures and premises for resilience against unexpected and disruptive events.

Also provides an introduction to our new online ’10 steps’ self-assessment tool.

Project Griffin 2 Project Griffin 2 is the national counter terrorism awareness initiative produced by the National Counter Terrorism Security Office to protect UK cities and communities from the threat of terrorism. There are a number of different modules in Griffin 2, and depending on the nature of your business or on the composition of the audience, these modules can be tailored to suit your business requirements.

Insider Threat Employees, either intentionally or unintentionally, can be the biggest risk to your business. This presentation will provide guidance on how businesses can minimise the risk posed internally by rogue employees and the importance of key processes around the recruiting, retaining and dismissal of staff.

Lone Working and Personal Safety

This presentation will focus on advice for front line staff who work alone (how to stay safe, de-escalation strategies etc.) but can also be tailored to provide advice to employers ( addressing duty of care, the need for clear policies and practice etc.).

Drugs Awareness This event can be delivered on 2 levels with advice for front line staff that may come into contact with illegal drugs or may be vulnerable to substance abuse and advice for employers on the obligations placed on them in terms of their duty of care, policies and prescription drugs.

Incident Management This workshop will focus on how your company can respond to major incidents or events effectively and ensure that you return to business as usual as quickly as possible. Again this can be tailored to suit both employees and employers.

These events will be delivered until March 2017. If you would like to know more or to book, then please contact [email protected] or call 01786 447 441