Business Resilience
sbrcentre.co.uk
Winter 2020

Emily Beeney, Cyber Awards Champion: Encouraging young people into a career in technology (P18)
P22 Putting ‘safe’ into place: How you can make your business and community safer and more resilient
P29 Securing your supply chain: The increasing demands, impacts and pressure of BREXIT on your supply chain
P46 Daring to be digital: Embracing the changes from the developments of technology
Scottish Cyber Awards 2019
2 Resilience / Issue 1
See the winners: www.scottishcyberawards.co.uk
Welcome

Welcome to the first edition of Business Resilience Magazine! We’re delighted to bring you features, top tips and best practice from across the business sector on all things resilience.

Business Resilience Magazine is brought to you by the Scottish Business Resilience Centre (SBRC). We are a non-profit organisation which exists to support and help protect Scotland’s business community, a responsibility which becomes ever more challenging due to advances in both online and physical threats.

‘Resilience’ has certainly become a bit of a buzzword in recent times, its core definition being ‘the capacity to recover quickly from difficulties’. I’m sure we all like to think of ourselves as people who are adept at overcoming challenges; after all, we all face them every week of our working lives. However, have you ever stopped to think how your organisation would cope if you were maliciously targeted? We are forever being fed alarming statistics about the number of SMEs who are succumbing to cyber-attacks, threatening their livelihood to the point there is just no coming back. Even those with the best intentions can struggle when disaster hits.

At SBRC we believe the key is to be prepared for all eventualities – and that’s exactly what we want to inspire you to do over the next pages. At a time of political uncertainty, it’s vital business owners and organisations go above and beyond to safeguard their assets to ensure a prosperous future economy.

In our first edition, our main theme is putting ‘safe’ into place - this includes data storage, property risk and securing your supply chain among many other topics. We do hope you enjoy reading the articles, and a special thanks to all our guest contributors for this edition. If you have an idea for a related topic and would like to submit it for consideration or become a guest writer, please email enquires@sbrcentre.co.uk

Nicola Hamilton
Editor, Business Resilience Magazine

The Scottish Business Resilience Centre is excited to be collaborating with Highlands and Islands Enterprise (HIE) to deliver cyber resilience workshops in the Highlands and Islands over the next few months. Businesses of all sizes can access up-to-date and practical information and advice on how to improve their digital resilience through a series of workshops to be delivered right across the region by the SBRC in conjunction with local partners. If you’d like to find out more, visit www.sbrcentre.co.uk/events
Hot desking now available

SBRC is thrilled to team up with ScotlandIS and Police Scotland, with the support of Scottish Enterprise, to offer open hot-desking facilities at our new home in the Oracle Campus, Linlithgow. We extend an invitation to all our partners and members to book a free hot desk within our offices, where you can take advantage of amazing facilities and enjoy our new shared community space and convenient central location. Facilities include spacious desks, free Wi-Fi, meeting room access, ample free parking and access to excellent canteen facilities. Our new hot-desking facilities come at a time of growth for SBRC, following our recent relocation from Stirling to Linlithgow which has enabled the creation of a new hub to expand and develop business resilience in all its forms.

If you would like to book a hot desk within our office, please contact: enquiries@sbrcentre.co.uk

Introducing our new Membership Engagement Manager

We recently welcomed Kirsty Murray to our fantastic team as our new Membership Engagement Manager. Kirsty looks forward to working closely with our dynamic membership base to ensure they are making the most of their SBRC experience. As part of her role, Kirsty is excited to further develop our membership offering, helping our business community take the best steps towards championing business resilience.

The Scottish Business Resilience Centre is once again hosting our Extreme Weather Business Resilience Workshop on 22 January 2020. The workshop, which is completely free to attend, highlights essential guidance for businesses operating through extreme winter weather. We also have guest speakers from Transport Scotland, ScotRail, Scottish 4x4 Resource Committee and Police Scotland.

To register your place, visit www.sbrcentre.co.uk/events
Scottish Cyber Awards 2020
Become a sponsor for the Scottish Cyber Awards 2020
The 2019 Scottish Cyber Awards was one of the biggest and best yet. The hugely successful event, hosted by the Scottish Business Resilience Centre (SBRC), regularly attracts more than 350 sector leaders across business, law-enforcement and academia and is a fantastic opportunity to showcase some of the innovative achievements of the country’s best cyber talent. If you would like the chance to be part of The Scottish Cyber Awards 2020, please contact SBRC for information on sponsorship packages available. Read about this year’s awards on P16-17.
If you would like any further information on the Scottish Cyber Awards please do get in touch with Claire Melville on claire.melville@sbrcentre.co.uk or visit www.scottishcyberawards.co.uk
Contents

In this issue of Business Resilience Magazine, we’re looking at building resilient business and how you can put ‘safe’ into place in all aspects of your business.

8 Bitcoin is a merchant’s dream come true. This currency promises to deliver big benefits over traditional currency.
10 Police Digital Security Centre. Bringing the first police-backed cybersecurity certification schemes to market.
12 SME Business Resilience Introductory Guide. The Scottish Business Resilience Centre (SBRC) has launched a comprehensive guide for start-ups and SMEs with input from all sectors – including Police Scotland, Scottish Fire and Rescue Service and cyber and resilience experts.
14 Protect your retail business from crime. The Scottish Business Resilience Centre works closely with retail businesses to help them keep their operations secure. SBRC have provided a list of examples of the types of crimes to look out for and how to combat them.
15 Avoiding ATM Fraud. SBRC has published a handy guide to show shoppers the four tell-tale signs that an ATM may have been affected.
16 Scottish Cyber Awards 2019
18 Championing the cyber scene. Business Resilience Magazine recently caught up with Scottish Cyber Awards Champion, Emily Beeney to chat about her big win and what inspires her work in STEM.
20 Make a pledge to make your business safer. The #PadlockPledge is a new initiative as part of the Safer Business, Stronger Scotland campaign led by the Scottish Business Resilience Centre.
22 Putting ‘Safe’ into place - Building Resilient Business
24 Letting property for short term stays. Do you have paying guests?
26 Are you prepared to ACT? Serious Organised Crime and Counter Terrorism Lead, David MacCrimmon urges Scottish businesses and individuals to remain vigilant as the UK threat level is reduced to substantial.
27 Customers or criminals? How to spot the signs. Good customer service is by far and large one of the most effective preventive measures to combat potential criminals.
28 Safer Business, Stronger Scotland is backed by Police Scotland and Scottish Fire & Rescue Service and aims to create a strong economic base for Scotland.
28 GDPR. Time flies and already a year has passed since the General Data Protection Regulation (GDPR) took effect.
29 Securing your supply chain. Businesses across Scotland are currently in a state of flux due to a number of economic factors.
30 Web application attacks. The significance of the recent inclusion of the XML External Entity Reference.
32 Scottish businesses urged to 'open their eyes' to the signs of human trafficking
33 CSSC Scotland. A national initiative providing business leaders with safety and security communications.
34 Don’t let a scammer enjoy your retirement
36 Cyber Essentials. The Beginning of a Cyber Resilient Business.
38 What is Document Security and why is it so important?
39 ACT E-learning, one year on.
40 Time management and how to make the most of your day
42 Why your disaster recovery shouldn't stop with backups
44 Airport resilience. Why robust resilient planning is taking off in our airports
46 Small print. Big difference. It can be easy to overlook terms and conditions in the busy day-to-day running of a business. The Competition and Markets Authority (CMA) has previously found that less than half of UK businesses know the rules on unfair terms well and on average, only review their terms every four years.
46 Daring to be digital. Digital is disrupting how we do business and, to be successful in this information age, organisations need to embrace the changes arising from developments in technology.
47 World-renowned speaker addresses ‘The Enterprise Conversation’. A world-renowned TED speaker, whose talk has gathered over three million views, returned to Dundee to inspire local business people to unlock the potential of their communities. Dr Ernesto Sirolli, a global practitioner of economic development and community advocate, gave a keynote speech at ‘The Enterprise Conversation’.
Bitcoin is a merchant’s dream come true By Danny Brewster, Managing Director at Fastbitcoins.com
Ten years ago, a research paper titled “Bitcoin: A Peer-to-Peer Electronic Cash System” was published, under the pseudonym, Satoshi Nakamoto. The paper outlined a format for a radical new digital currency called Bitcoin, created by marrying computer science, distributed systems, applied cryptography, economics and game theory.
This currency promises to deliver big benefits over traditional currency for everyone including merchants - now that more innovative solutions are available to allow Bitcoin to be taken mainstream. Yet, misconceptions around what Bitcoin is, coupled with a genuine lack of understanding of money by the general public, remain hurdles that stand in the way of it fulfilling its potential to become the native currency of the internet age.

Shifting popular beliefs

Many people think of Bitcoin as an asset which you can buy and sell to make money. Whilst the volatility in its exchange rate ensures Bitcoin remains attractive to speculative traders, there is much more under the hood that ensures Bitcoin remains scarce, extremely useful and thus valuable from an economic point of view. One of the largest misconceptions surrounding Bitcoin today is the cost of participating or simply buying “a Bitcoin”. The currency is actually divisible up to eight decimal places, so you can in fact hold or acquire a fraction of a bitcoin. And here at Fastbitcoins.com, we are making it super easy to buy and sell small amounts from as little as £10.00. With this in mind, merchants would do well to engage with the users of this currency. As the user base grows, so too will the opportunity for merchants to make money and keep customers happy.

Taking advantage

Bitcoin has made it possible to transfer value directly between two people remotely without having to employ or trust a third-party such as a bank or clearing house. For merchants, removing the middleman of a transaction is a very big deal; with a way to accept Bitcoin transactions, they won’t just eliminate the transaction and chargeback fees card payment companies charge, they will also be able to meet customer demands for digital payments and open themselves up to a completely new demographic of clients. Furthermore, merchants could use the savings obtained by not having to pay third-party fees to drive lower costs of goods and services for customers, whilst also driving better profit margins. A win-win!

When a merchant wishes to accept Bitcoin for their goods or services they are faced with two options: either embark on the complexity of deploying their own Bitcoin payments infrastructure, or employ the services of a company like FastBitcoins.com that gives merchants the ability to accept payments in Bitcoin either online or in person at the point of sale through an easy-to-use hardware solution. Such solutions also, importantly, give a merchant the ability to completely remove or reduce their exposure to the price fluctuations in Bitcoin.

Getting ahead

The latest technology developments in Bitcoin are finally making it possible for the whole world to benefit from what it has to offer as a legitimate form of money. Along the way, merchants have a very big opportunity to get ahead of the curve and drive fresh business opportunities.
Police Digital Security Centre

Bringing the first police-backed cyber-security certification schemes to market

Cyber-crime and fraud are a growing threat to UK businesses. With over a third of businesses having suffered at least one cyber attack or breach within the past 12 months, the consequences can be significant, causing financial loss and reputational damage. The good news, however, is that the overwhelming majority of cyber-crime can be prevented by taking a few simple steps.

To tackle this threat, the Police Digital Security Centre (PDSC) has been launched with a simple mission – to reduce the vulnerability of organisations to cyber-crime. As part of Police Crime Prevention Initiatives (PCPI) and building on the success of the ‘Secured by Design’ brand, PDSC is uniquely placed to deliver a truly joined-up and consistent approach to tackling cyber-crime. Focused around five strategic priorities, PDSC’s work includes an award-winning community outreach programme, design and delivery of accredited training through the Police Crime Prevention Academy, and the first police-backed digital security certification schemes, which launched at the IFSEC Conference on 18 June.

The PDSC has collaborated with BSI to deliver new Digital Security Certification schemes. The combination of two well-known and trusted brands will help police forces signpost small and medium businesses towards a list of locally based companies who have successfully achieved the Digital Security Providers award by consistently demonstrating compliance with tough industry standards. It will also help police forces champion local businesses who have successfully achieved the Digitally Aware or Digitally Resilient awards, generating opportunities for them to grow and innovate online.

Certification Schemes

The new certification schemes consist of three separate awards which have been developed in collaboration with the British Standards Institution (BSI), the UK’s National Standards body.

The Digital Security Provider award is aimed at companies who offer digital security products, services or consultancy. It has been designed to help consumers find a digital security provider who they can trust to deliver a product or service that meets their needs. Successful applicants will have met tough industry standards and will be awarded ‘Secured by Design Police Preferred Specification’ for 12 months.

The second and third awards focus on business resilience. The entry-level certificate, called ‘Digitally Aware’, is aimed at businesses with the lowest risk of cyber-crime. To obtain a Police/BSI Certificate, applicants will need to successfully complete an online questionnaire that is based on the National Cyber Security Centre’s ‘Small Business Guide’. For organisations with a higher level of risk, the ‘Digitally Resilient’ award is aimed at helping organisations demonstrate that they have implemented appropriate controls to reduce their risk. ‘Digitally Resilient’ requires additional assessments that are carried out by certified professionals through BSI.

The new certification schemes will be a unique and recognisable accreditation that will assist product vendors who are seeking a clear differential in a very crowded and ever-changing digital security marketplace. They will seek to be an industry recognised security standard for producers of digital security products, in the same way that SBD has achieved for manufacturers of security-related products in the building industry, such as doors, windows and locks.

For more information, please visit www.policedsc.com
SME Business Resilience Introductory Guide

The Scottish Business Resilience Centre (SBRC) has launched a comprehensive guide for start-ups and SMEs with input from all sectors – including Police Scotland, Scottish Fire and Rescue Service and cyber and resilience experts.

Tackling issues from fire safety and GDPR to cyber resilience and counter terrorism, SBRC’s SME Business Resilience Introductory Guide covers every concern a small business might face in their initial years.

Eamonn Keane, Chief Operating Officer for Cyber and Innovation at SBRC said, “On top of trying to grow their businesses, SMEs are under pressure from every corner – cybercrime, fraud, business resilience and tens of other issues a stressed small business owner might not even think of.

“The most common reasons businesses fail can be down to reasons like mismanagement or even location, but a lack of experience and vital support in the industry can also be a contributing factor.

“The guidance relates to enhancing business resilience and can be applied to all companies across the varied spectrum of the SME sector. It provides both general resilience advice, whilst also concentrating on the primary tasks identified for new SMEs. These risks can particularly impact business within the first year of operation.

“By providing SMEs with a strong foundation in business resilience on which to build and expand their knowledge, this will in turn afford them a greater chance of developing into a sustainable, profitable enterprise.”

Research carried out by the SBRC has identified eight reasons why a start-up or SME might fail, including:
Money and cash flow
Lack of market research
Location
Industry experience
Weak business plans
Poor administration
Ineffective management

The guide is designed to strengthen the hundreds of thousands of smaller businesses across Scotland, in turn safeguarding millions of jobs and improving communities across the country.

To download the guide, please visit www.sbrcentre.co.uk or scan the QR code with your smartphone.
Protect your retail business from crime

Types of retail crime

The Scottish Business Resilience Centre works closely with retail businesses to help them keep their operations secure. Here is a list of examples of the types of crimes to look out for and how to combat them.

Shoplifting is a common crime committed against retail business. It involves stock being stolen by a thief posing as a customer. It may be committed by individuals or organised groups.

Money fraud is when criminals use an illegal method to pay for goods. This may include counterfeit cash or stolen bank/credit cards.

Checkout fraud includes a number of tactics where criminals avoid paying in full for goods when paying at the tills. Examples include swapping barcodes or price stickers for a less expensive item or deliberately failing to swipe a product at a self-checkout.

Refund fraud is another crime that can happen at the till. It can take the form of an offender attempting to return a stolen item in exchange for money or credit, or falsifying receipts.

Break-ins can be committed against retail stores, usually when the shop is closed. These ‘smash and grab’ crimes involve forcing entry and stealing merchandise.

Vandalism is also a risk for retail businesses. It could include graffiti, smashed windows or damaged signs.

Online scams are a risk for retailers, particularly those who sell online or hold customer data digitally. They could become a victim of online fraud or cyber security breaches.

Assess the risk and take reasonable steps to reduce it. Take measures to make it more difficult for a crime to be committed. Reduce the rewards for potential criminals; this in turn will increase the risk of the offender being caught. Ensure any action taken is realistic and cost effective.

Retail business security measures

Premises security

Taking steps to secure your retail premises can help protect against vandalism, burglary and other crimes. You should carry out a premises security survey to assess your environment and reduce opportunities for crime. Measures you might take include alarm systems, security lighting or shutters.

Theft prevention

Measures to prevent theft may include regular stock checks, locked cabinets for high value items and CCTV. Check new employee references thoroughly and have procedures in place to prevent theft by staff. Look out for suspicious behaviour to identify shoplifters.

Money security

Reduce the risk of cash theft by reducing the amount of money you keep in your till and on premises. Help to prevent payment fraud by checking for counterfeit notes and using a secure chip and PIN system; if the PIN doesn’t work and the customer asks for a manual process, check the signature and the name on the card carefully. Inform your line manager if in any doubt.

Cyber security

If you hold sensitive information digitally, it is important to manage the risks of a cyberattack. Common measures to keep your business safe online include strong passphrases, firewalls and security software. As a retail business, you should ensure that your point-of-sale system is as secure as possible. If you sell online, you could be particularly at risk of online scams, malware and viruses.
Avoiding ATM Scams

With over £11 billion expected to be withdrawn by the public this winter, fraudsters will be looking to target unsuspecting shoppers by tampering with ATMs. Criminals and scammers can manipulate ATMs in the most discreet ways – you might not even notice any difference or danger. Alongside physically tampering with ATMs, another tactic scammers use is to distract shoppers mid-transaction.

SBRC has published a handy guide to show shoppers the four tell-tale signs that an ATM may have been affected.
Scottish Cyber Awards

Scotland’s most dynamic cyber security talent was celebrated at an annual award ceremony – with a fantastic representation of women working in STEM. The hugely anticipated Scottish Cyber Awards, hosted by the Scottish Business Resilience Centre (SBRC), is now in its fourth year and attracted more than 300 of the sector’s leaders across business, law-enforcement and academia.

This year saw over 100 applications from across the country, with a considerable number of entries submitted under the categories ‘Outstanding Woman in Cyber’ and ‘Cyber Evangelist of the Year’. Dominating the evening by picking up a double award was Emily Beeney, Vice-President in Technology Risk at Morgan Stanley, Glasgow. Emily was firstly presented with the ‘Outstanding Woman in Cyber’ accolade, before being announced as the overall winner of the night when she was named ‘Champion of Champions’ for her inspirational work in cyber security.

Speaking of her win, Emily said, “To be able to influence the younger generation to get into technology is so big and so rewarding.”

Judge Eamonn Keane, Head of Cyber and Innovation at SBRC said on the night, “The Scottish Cyber Awards has once again cemented the immense talent we have in the cyber security industry in Scotland. It is a chance to showcase the everyday heroes who are demonstrating real leadership and ambition in their ideas, passion and drive to combat some of the issues we face in the current cyber landscape.

“I’m very proud of the achievements highlighted tonight and hope we can continue to inspire future generations into work in the cyber field. Speaking as a judge, we are always overwhelmed by the high calibre of applications and Emily’s was no exception.

“Emily inspires a generation of female leaders as an active STEM Ambassador, Women in Technology Chapter Leader and avid volunteer. Her technical skills, impactful solutions and commitment to giving back to the community made her our well-deserved winner of the night.”

The Winners

Best Cyber Start Up: FullProxy
Outstanding Woman in Cyber: Emily Beeney, Morgan Stanley
Best New Cyber Talent: Maria Khokhar, Seric Systems
Best Cyber Breakthrough: Edinburgh Napier University/Cyan Forensics
Collaboration with Police Scotland: Young Scot
Cyber Evangelist of the Year: Toni MacKenzie and Clara O'Callaghan, Turing Testers
Cyber Security Teacher of the Year: Toni Scullion, St Kentigerns Academy
Leading Light Innovation: Quorum Cyber
Best Cyber Education Programme: NCSC-Certified Undergraduate and GCHQ-Certified Postgraduate Programme in Cybersecurity
Outstanding Cyber Team: Cyber Security Team - Information Services, Strathclyde University
Best Customer Experience (public vote): Check Point Software Technologies LTD
Champion of Champions Award: Emily Beeney, Morgan Stanley Glasgow

The prestigious Cyber Evangelist of the Year Award was awarded to Toni MacKenzie and Clara O'Callaghan of The Turing Testers, who helped launch a nation-wide cyber treasure hunt to engage more schoolgirls with data science. Finance Secretary Derek Mackay delivered the keynote speech on the evening, praising nominees for their work protecting and educating the people of Scotland against cyber threats.

Also celebrating on the night were FullProxy (Best Cyber Start Up), Maria Khokhar, Seric Systems (Best New Cyber Talent), Young Scot (Collaboration with Police Scotland), Quorum Cyber (Leading Light Innovation) and Information Services, Strathclyde University (Outstanding Cyber Team). The awards were backed by global sponsors, with this year’s headline support from Adarma alongside other key partners, CGI, Clydesdale Bank, SQA and SOPHOS. The Scottish Cyber Awards was held on Wednesday 20 November at the Sheraton Hotel in Edinburgh.

For more information on the Scottish Cyber Awards 2019 visit www.scottishcyberawards.co.uk
Championing the cyber scene

Business Resilience Magazine recently caught up with Scottish Cyber Awards Champion, Emily Beeney to chat about her big win and what inspires her work in STEM.

As Vice-President in Technology Risk at Morgan Stanley in Glasgow, Emily Beeney leads the cyber analytics team with a focus on the detection of potentially malicious activity within their network. Having spent seven years working within forensic investigation teams for the finance industry, Emily is well versed in the subjects of insider and adversarial tradecraft. Part of Emily’s work is to build both statistical models to identify anomalies within security logs and high-grade alerts for when known malicious actions occur.

Being absorbed in technology from a young age cultivated Emily’s enthusiasm and led to her work as an active STEM Ambassador. “STEM subjects caught my imagination from a young age, whether it was learning to code with my grandad or playing with circuit boards with my dad,” she said. “For me, the opportunity to stand in front of young people and try to pass on some of the magic which my family created for me, is so important.

“In the last five years, I have run code clubs, developed and delivered custom cyber lesson plans, run intro to code sessions at numerous schools, supported teachers with Computing curriculum changes, given career talks - the list goes on.

“If you aren’t currently signed up as an ambassador, I would definitely encourage you to think about it – it is so rewarding to be able to give back to your community in a meaningful way.”

Speaking of being crowned the ‘Champion of Champions’ and ‘Outstanding Woman in Cyber’ at the coveted Scottish Cyber Awards in November 2019, Emily admitted the wins were unexpected and had left her ‘overwhelmed’. “Reading bios for all of the other finalists in the Outstanding Woman in Cyber category I was blown away by the female talent which Scotland has to offer and had my gracious runner up face planned - and practised - for the evening.

“I am humbled to be provided with the platform to promote Cyber as a career path for young people and hope that I am able to use this honour to really inspire the next generation of Cyber professionals.”

In her award nomination Emily was commended for the work she’s involved in as a primary contributor to a pilot scheme with Girl Guides Glasgow. We asked her to tell us more about this project and what it sets out to do.

“This year, the Scottish Girl Guiding Association teamed up with Skills Development Scotland and Education Scotland to release the Digital Scotland Challenge badge. The Girl Guides’ own research showed that one in two girls think that STEM subjects are more for boys and only 37% of those surveyed said that they would consider a career in technology.

“In an attempt to combat this perception and shift the dial, the Digital Scotland Challenge badge was created to teach Guides about computers, algorithms, creativity and design, and to highlight the diversity of career opportunities within the tech industry.

“The pilot scheme, run by the Morgan Stanley Women in Technology Network, aimed to support local Girl Guide units to achieve the badge, by developing custom content, mapped to the badge criteria, to be delivered over four meetings – and we are aiming to roll this out further afield in 2020.”

This year Scottish Cyber Award judges were impressed at the representation of women working in the cyber field, despite the industry still statistically being more male dominated. When asked if she felt the STEM industry is becoming a more attractive career path for women and if more needs to be done to encourage this at a younger age, Emily said:

“The calibre of the finalists for the Outstanding Woman in Cyber award this year was inspiring, and to me this demonstrates that there is no reason for the Cyber industry to be male dominated from a capability perspective. Research has shown that gender biases are created from as young as five years old, and this is why, for me, focusing on primary school age young people is so important.”

And working with youngsters is something Emily is particularly passionate about, having been involved in Morgan Stanley’s StepIn Step-Up programme and Young Scot’s DigiKnow campaign. Speaking of the former, she said: “The StepIn Step-Up programme is an introductory one-day programme designed for female S4-S6 students which I was really excited to bring to Glasgow for the first time.

“The day gave an oversight into the different technology programmes Morgan Stanley offers, as well as providing the opportunity to partake in interactive challenges, panel sessions and career workshops.

“Technology careers are narrowly marketed in mainstream media, and I think that it is important to showcase the diversity of roles within technology to allow students to make an informed decision when selecting either their Highers or degree subject.”
MAKE A PLEDGE TO MAKE YOUR BUSINESS SAFER
The #PadlockPledge is a new initiative as part of the Safer Business, Stronger Scotland campaign led by the Scottish Business Resilience Centre. The #PadlockPledge is a clear commitment to building resilience and encourages businesses of all sizes, from any sector, to get involved to create safer business and a stronger Scotland. We’re asking businesses to select an action to improve their resilience. SBRC will help to provide the support needed to make this happen. This could be anything from pledging to make your passwords more complex, to keeping your staff safe through lone worker training, or joining the Scottish Business Resilience Centre as a highly valued member and making the most of training and networking opportunities. There are a number of examples of #PadlockPledges on the Safer Business Stronger Scotland website, or you can even make up your own. The best part is you can make as many pledges as you wish to make your workplace safer and stronger! From the moment you sign up and tell us about your pledge, our team at the Scottish Business Resilience Centre will be on hand for any help, advice and support. Our unique connection to Police Scotland, Scottish Fire and Rescue Service and Scottish Government gives us exclusive access to the latest intelligence on legislation, criminal trends and threats, allowing us to provide the very best advice to safeguard your staff, customers and business.
HOW DOES MY ORGANISATION GET INVOLVED?
It is completely free to sign up and make a pledge! Some of our suggested #PadlockPledge actions come at low cost for training courses, and you can benefit from further discounts by becoming a fully-fledged member of the Scottish Business Resilience Centre. If your organisation is ready to sign up and make the commitment, or if you’d like more information, visit www.saferbusinessstrongerscotland.com. You can also contact us at the Scottish Business Resilience Centre for an informal chat by calling 01786 447441.
20 Business Resilience / Winter 2020
As the first organisation to sign up to the #PadlockPledge, the Scottish Community Safety Network has pledged to create a safe business travel policy with help from SBRC. Pictured is CEO Lorraine Gillies.
Pictured is Tracey Smith from GTS Solutions who are showing their commitment to creating safer business and a stronger Scotland by pledging to put business resilience at the heart of their organisation!
Putting ‘Safe’ into place
Building Resilient Business
In this issue of Business Resilience Magazine, we’re looking at building resilient business and how you can put ‘safe’ into place in all aspects of your business. From fire safety and GDPR to preventing human trafficking and championing counter terrorism, there are many ways you can put safety at the heart of your organisation.
Letting property for short term stays
Do you have paying guests? Short term stay letting, including AirBnB accommodation, has seen a surge in popularity in the last few years. The industry is worth billions of pounds in revenue. If you are an owner of a short term let property or AirBnB then there are a number of responsibilities involved which you should be aware of. One of the most important is fire safety.
Fire safety law applies to you if anyone pays to stay in your property, other than to live there as a permanent residence. Fire safety law in Scotland is enforced by the Scottish Fire & Rescue Service (SFRS) and their teams of Legislative Enforcement officers. The legislation which is relevant to AirBnBs is the Fire (Scotland) Act 2005 and the Fire Safety (Scotland) Regulations 2006. A link to Sector Specific Guidance for Existing Premises with Sleeping Accommodation can be found in the resources section at the end of this article. Fire safety law applies to short term letting accommodation premises regardless of how they are marketed, so it will include relevant premises marketed through ‘peer to peer’ online platforms, i.e. AirBnB premises. Fire safety law applies to you if you let out a room within your own home as guest accommodation, even if you only do it occasionally.
As a short term let property owner, what are my responsibilities?
The Fire (Scotland) Act 2005 makes you the ‘duty holder’, or person in control of the premises, responsible for taking steps to ensure the safety of paying guests who let the property from you. You must:
• Carry out a Fire Safety Risk Assessment (FSRA)
• If the outcomes of the risk assessment require it, take the necessary steps to improve your fire safety measures
• Review the fire safety risk assessment regularly to ensure its currency is maintained
You may be able to carry out an FSRA yourself, particularly if your premises is small and straightforward in internal layout. As a rule, if your premises are significantly larger than a family home, or if they include long, unusual or complicated routes to an exit, you will require more detailed advice on the range of fire safety arrangements that you need to consider. You may prefer to have someone else carry out an FSRA. There are a number of fire risk assessors available whom you can pay to complete an FSRA; however, you remain legally responsible for the FSRA. The Scottish Fire & Rescue Service, being the enforcing authority, is unable to carry out FSRAs for you. However, they can offer guidance and advice on how you can achieve this and ensure your property is not only safe for guests but also legislatively compliant.
What is a Fire Safety Risk Assessment?
An FSRA is a holistic assessment of your premises and the persons likely to stay in those premises, which include the elderly, very young children and disabled people. An FSRA is based upon the risk of fire breaking out and what measures you, as the duty holder, need to ensure are in place to prevent that fire in the first instance and ensure the safety of those paying guests.
Gold Standard
It is prudent for you to maintain a written record of your FSRA. If you have five or more employees (including any who work part-time) or your premises is subject to a licence, the law says you must make a written record of the significant findings of the FSRA. Keeping a record will save you time and effort when you come to review and update it. It is also good practice and demonstrates management compliance should the Scottish Fire & Rescue Service need to visit your property. Taking time to carry out an FSRA and act upon the findings not only ensures the safety of your guests but also protects your premises and increases your business resilience. After all, your property is a significant financial investment, so it makes perfect sense to protect it as much as you possibly can.
The 5 steps of fire safety risk assessment
Assess the fire risk within your property and consider how to maintain the safety of your guests and premises. Make a plan to improve fire safety measures within your premises. Keep a record of your FSRA and review it regularly.
STEP 1: What is a fire hazard?
Think about how a fire could start on your premises. Walk round your premises, both inside and out, and look for hazards. Fire starts when heat comes into contact with fuel (anything that burns) and oxygen in the air. You need to keep heat and fuel apart. With that in mind, look for:
• Naked flames
• Portable heaters
• Electrical equipment
• Signs of smoking
• Matches and ashtrays
• Anything else that could emit heat or anything which may cause sparks
Pay particular attention to kitchens and guest bedrooms, and to places where people may use matches and candles or areas where they may smoke. Think about what could burn and how quickly a fire could spread. Laundry materials, curtains, furniture and cooking oil could all burn, just like the more obvious fuels such as fuel, paint, varnish and other flammable liquids likely to be found in a household. Check outside for fuel too. A common cause of fires in properties is ignition of external refuse: ensure that any refuse stored externally is well away from the building, not up against it in bins or located underneath overhangs or eaves of roofs. Don’t just consider fire spread; think about whether anything external which catches fire could affect the escape route from your premises. Consider your building’s construction: are walls made of brick, hardboard or chipboard? Are there polystyrene tiles on the ceiling and, if so, are they located within a main means of escape?
STEP 2: Consider who is at risk
Everyone is at risk if there is a fire. You need to think about yourself, your family, your guests and anyone else who visits the premises. Some people should be considered to be at an elevated risk compared to others. For example, young children, the elderly or those with physical disabilities or cognitive impairments may be particularly at risk and require specific consideration.
STEP 3: Consider and implement your fire action plan
Using what you have found in STEP 1 and STEP 2 you should be able to remove or reduce any hazards identified. Think about whether a heat source, such as a hair dryer or hair straighteners, could fall, be knocked or pushed into something that could ignite. Is the electrical equipment within your property modern and working properly? Has it been PAT tested recently, and is your mains wiring in good serviceable condition? When was your last EICR carried out? Electrical fires are one of the most common causes of fire in the UK.
Now think about what you need to do if there is a fire on your premises. How will it be detected and how will you alert people on the premises? For example, do you have an automatic fire detection system? Are the detectors of the correct type and in the right place? Is the system tested regularly? Can you hear the alarm in each bedroom? Is the alarm loud enough to wake someone who is sleeping in bed? Are your smoke and heat detectors interlinked? What action will you take to protect people on your premises and make sure everyone can find their way out in an emergency? You need to make sure your guests know what to do if a fire occurs. Will everyone on the premises be able to find their way out in an emergency? Would any escape routes benefit from emergency escape lighting? Are areas immediately outside final exits clear of obstructions and adequately lit? Have you practised a fire drill? Do you have equipment to allow someone to put a small fire out?
STEP 4: Record, plan and train
It is a good idea to keep a written record of the significant findings from your risk assessment. This should include:
• Any fire risks you have identified in STEP 1
• Any measures you have implemented to reduce or eliminate those risks
• Any additional actions you need to take (use an Action Plan and define reasonable timescales for completion, signing and dating actions off as they are completed)
STEP 5: Review regularly
Any written FSRA should be seen as a helpful, living document. It’s not something that should be completed and then forgotten; it needs to be reviewed regularly.
• You should review the assessment regularly and, if necessary, update it
• If any changes occur in the way you use your premises, or if the layout changes, the risks may also change
• If any review identifies new risk, you need to ensure you consider and address these to keep your paying guests as safe as possible
• ‘Gold Standard’ is to maintain a written, documented copy of your FSRA as well as any new plan that you need to implement; this demonstrates a responsible management attitude to fire safety
For further information on FSRA within short term let properties, contact your local SFRS Fire Safety Officer or Watch Manager Gary Wood SFRS, Senior Business Resilience Officer, Scottish Business Resilience Centre: gary.wood@sbrcentre.co.uk
Gary Wood, Senior Business Resilience Adviser
There are a number of resources available online for guidance and advice on FSRA including blank FSRA templates and example templates. To find out more, visit: www.sbrcentre.co.uk/FSRA
ARE YOU PREPARED TO
Serious Organised Crime and Counter Terrorism Lead David MacCrimmon urges Scottish businesses and individuals to remain vigilant as the UK threat level is reduced to Substantial.
On the 4th November, the Home Secretary Priti Patel announced that the UK threat level was being reduced from “Severe”, meaning an attack was highly likely, to “Substantial”, meaning that an attack is likely. The reduction in the UK threat level to Substantial indicates positive developments by the Police and the Security Services in countering acts of terrorism, foiling attacks and apprehending those persons who had been preparing acts of terrorism. We should remember that despite this change in status, the security services are still monitoring a significant number of “subjects of interest”: those who are former IS fighters, or those individuals with a warped sense of ideology or who are easily radicalised. Speaking as a police officer, be assured that Police Scotland continue to work with partners at home and abroad to counter the threat from terrorism and ensure the safety and wellbeing of our communities. Communities defeat terrorism, and that also includes the business community, so we must maintain strong links. With the news that the UK threat level has been reduced, organisations and individuals must remember to be vigilant. We need to think ahead to what is happening here in the UK, with not only Christmas but a general election, which means our towns and cities will be busier than usual, so I would ask that you remain vigilant: be alert but not alarmed.
When you’re out and about this Christmas think about your personal safety also. Stay alert to your surroundings. Crowded places are soft targets and, in the past, Christmas markets on mainland Europe have been targeted. This shouldn’t deter us from going out and enjoying outdoor markets at this time of year; remember there are people out there to protect us, police and security. On that, you may see an increase in police or security personnel at outdoor markets and events. This is something that you should not be concerned about, and in fact we as a society are starting to get used to it. Although some may be put off by seeing more security, police and even armed police at outdoor events, it is often not in response to any specific threat, but part of a national response to keeping people safe. You may also see vehicle barriers in place, aimed at stopping vehicle attacks of the kind seen in the past on mainland Europe. Event organisers and businesses will be working with the police to minimise the risk and prevent these things from happening, to keep you safe and ensure that you enjoy your Christmas.
Are you looking to improve your organisational resilience and personal safety? SBRC can deliver ACT Awareness sessions designed to give businesses and individuals a greater understanding of the terrorist threat landscape in the UK. Furthermore, our ACT Awareness sessions enhance your preparedness for terrorist attacks and critical incidents. ACT Awareness sessions can be delivered to your organisation free of charge by SBRC. Our members also benefit from bespoke workshops surrounding this topic. To find out more, please contact enquiries@sbrcentre.co.uk
David MacCrimmon SOC and Counter Terrorism Lead
Customers or criminals? How to spot the signs
Angela Brand, Business Resilience Adviser
Good customer service is by far one of the most effective preventive measures to combat potential criminals and will assist in deterring most opportunistic individuals from committing fraudulent transactions. Taking the appropriate measures to secure your assets, such as keys, refund cards and PDQ machines, is also essential in reducing the risk of fraudulent transactions being completed by organised criminals.
When dealing with customers, you should always acknowledge them and be engaging. Not only does this make a genuine customer feel valued, but it demonstrates to a potential criminal that you are aware of their presence. On speaking to customers, always remain facing them, do not turn your back on them or leave them unattended at the front desk or till area. Be sure to keep them in view for as long as possible if you must leave the front desk or till area unattended and are unable to ask another member of staff to assist you.
Always be on the lookout for suspicious behaviour and be mindful of someone’s actions which may be an attempt to divert your attention away from the front desk or till area.
Are they attempting to engage you in meaningless conversation in order to distract you, allowing an accomplice to infiltrate the till area? Is the customer acting nervous? Are they being rude, or far too friendly for the situation at hand? Some individuals who are undertaking a criminal act may look at you with nervous glances, show what could be considered an unnatural smile, as well as fidget and avoid making eye contact. Be mindful of customers who attempt to take the PDQ machine away from the till area, or who move it out of your line of sight and attempt to hide their payment card or shield their actions whilst a sale is being processed. Always keep all refund cards, till keys and other items either securely locked away or on your person. Do not leave keys or PDQ cards lying out at the front desk or in the till area. If you have to leave the machine unattended it should always be stored securely in a locked drawer or similar, never left out where it is accessible by a member of the public. Where possible, PDQ machines should be secured by means of a key code or locking mechanism. This also applies to any pre-programmed cards with functionality attached, such as management authorisation swipe cards for issuing refunds; where possible they should be programmed to require an access code prior to proceeding with a refund.
Protecting your devices is also key to fraud prevention. If you own PDQ card machines, they should be considered an asset. They should be protected throughout their complete life cycle, as they can be compromised by criminals who will use them to perpetrate fraud. This will have a financial impact on the business and can cause reputational damage which may further adversely affect your business. Securing your PDQ device should begin from the moment it is released from the vendor to the retailer. From this point, the tracking of the asset, once it is delivered, becomes the responsibility of you (or whoever acquires it, such as a third-party provider and then the retailer) wherever it is stored, whenever it is in transit and wherever you choose to install it.
You should report fraud and any other financial crime to Police Scotland without delay. Reporting these sorts of incidents helps Police Scotland tackle fraud and allows them to identify areas of concern and patterns of behaviour. Any information you provide on fraud is valuable and could help prosecute offenders and ensure the safety of the public.
GDPR regulations came into effect last May 2018 and many businesses made data a priority, however, has complacency set in as time has passed?
The GDPR was designed to protect consumers by helping to make sure that their data, when held by a third party, is more secure. In the digital age, customers have become more aware of the value of their data and it is likely that there will be increasing instances of complaints and litigation by individuals who perceive that their data has been misused or mishandled. Recent articles highlight that businesses are still neglecting GDPR and, at the fundamental level, many business owners and staff still don’t know who it affects and what new rights it provides, or appreciate just how damaging a data breach can be, both to the company bank balance and to business reputation. Our first Constellate immersive learning app, “GDPR - Accredited Training”, was developed with this in mind, providing a complete foundation on the principles, responsibilities and processes under the GDPR, reducing organisational risk of non-compliance. Developed and maintained by our subject matter expert, this app is the first in a series of business resilience ‘serious games’ providing accredited training which is engaging, flexible and always available at any moment of need. Over the year we have reviewed customer feedback and as a result the app is now available as a web app, as well as a downloadable version for mobile devices. We have also added an administration utility to facilitate easy allocation and management of licences. We have a strong desire to support businesses and organisations of all types and sizes, so everyone benefits from our ‘company rate’ of £15 per user (plus VAT). Our Corporate Social Responsibility Strategy includes discounted rates for charities – please contact us for more details.
www.constellateapps.com | Constellate apps are powered by Droman Solutions and SBRC
Securing Your Supply Chain
Stewart Hurry, SSCS Project Manager and Secure Transport
Businesses across Scotland are currently in a state of flux due to a number of economic factors. The continued uncertainty around BREXIT is putting extreme pressure on supply chains and logistics companies who, as well as facilitating business as usual, are facing increasing demands to move raw materials or finished products to strategic locations as companies stockpile goods to minimise, at least in the short term, the potential impacts that delays at ports or increases in tariffs might bring. The sector relies heavily on foreign drivers, mainly from the EU, but with the rules covering the movement and employment of EU citizens still unclear, the result is that the already significant shortage of drivers is being exacerbated. Customer demands and changes in the way we as a population shop today necessitate that we live with a ‘Just in Time’ supply chain. Gone are the days of companies having large stores of parts or ingredients. As deliveries are made, they immediately become part of the manufacturing process, so the supply chain needs to function with maximum efficiency and any interruptions can have very serious consequences. We now demand next day delivery for goods ordered online and we want transparency on exactly when that package is going to be delivered. For this to function, a complex network of operations exists unseen by the customer. To help mitigate some of the challenges raised by BREXIT, SBRC has facilitated a working group for its supply chain members to give them the opportunity to come together, discuss shared issues and identify best practice for minimising the impacts on their businesses. We have been able to provide a liaison with HMRC to ensure that they have the most up to date guidance and a point of contact for specific issues.
With all this uncertainty, it is sometimes useful to ensure that you give some focus to the things you have control over, and one of these areas is security. This means the security of your supply chain and the people, places and processes that allow your business to function. Within the centre we have the expertise to provide advice and assistance to companies on all aspects of security, from physical security requirements, cyber resilience and recruitment to security policies and procedures and training. Having a trusted independent review of current arrangements will give board members and managers a health check on not only their own situation but also the possibility of looking at companies involved in the supply chain and, if necessary, having important conversations about protective or improvement strategies. The reviews will benefit companies whether you are looking at attaining AEO or C-TPAT accreditation or simply to ensure that you have adopted and implemented appropriate standards. Many organisations see security as a cost rather than a benefit. The financial commitment to making a few changes or upgrades to your security will be much less than the total loss of a container full of stock, interruption to your manufacturing process, denial of service of IT systems and loss of data. If you include potential impacts on brand, reputation or customer confidence, the argument for having a review conducted is even more compelling. If you are interested in discussing any of the services available you can email us at enquiries@sbrcentre.co.uk or give us a call at the office on 01786 447441 and one of the team will be happy to help.
Web application attacks
and the significance of the recent inclusion of the XML External Entity Reference (‘XXE’) web application vulnerability as the No. 4 threat on the OWASP Top 10.
The exponential growth of our internet usage through web application technologies has been matched by the growth of malicious criminal activity, exposing the vulnerable individual and corporate internet user to ever increasing risks. The internet has developed into a significant enabler for highly organised and sophisticated criminal gangs with a previously unseen technical competence. The challenge evolves rapidly and, in this developing era of accountability through legislation such as GDPR, the security professional, supported by the executive team, must strive to ensure the appropriate technical and organisational measures are implemented to prevent a cyber breach and loss of data. Web application attacks and malicious criminal websites grow daily. The increasingly motivated and sophisticated cyber-criminal continues to discover innovative methods to maliciously penetrate web applications, and this threat vector is now growing faster than other areas of cybercrime. In 2018, 1 in 10 URLs analysed were identified as being malicious, up from 1 in 16 in 2017. Additionally, despite a drop off in exploit kit activity, overall web attacks on endpoints increased by 56% in 2018. By December 2018, Symantec was blocking more than 1.3 million unique web attacks on endpoint machines every day.
The Open Web Application Security Project (OWASP), supported by MITRE, is the internationally recognised authority on web application attacks. OWASP produces the Top 10 (OWASP, 2017) vulnerabilities, harvesting significant data from many application security specialists across the globe. In 2013, the OWASP Top 10 ranked Injection flaws such as SQLi, NoSQL, OS Command Injection and LDAP as the number 1 threat. In 2017, injection flaws remained the No. 1 threat; however, of significance, the XML XXE vulnerabilities not previously cited in 2013 were highlighted as No. 4 in importance due to the prevalence of occurrences. SQL Injection attacks remain the most important vulnerability and have been subject to substantial academic and industry research. However, the recent inclusion of the XML XXE vulnerabilities, also classified as an injection attack, as the No. 4 threat vector merits further examination to raise awareness among software developers and security teams so that they implement measures to prevent XML XXE attacks.
The focus of this article is to highlight that whilst academic and industry research, testing and mitigation principally focus on the popular injection attacks such as SQLi and Cross-Site Scripting (XSS), XML XXE attacks are growing in risk and are somewhat overlooked, yet when deployed and executed they yield similar if not greater severity and impact. While XSS attacks may steal data and SQLi attacks may steal databases, XML attacks may use the built-in properties of the XML parser to steal files. This may of course also be achieved through SQLi attacks; however, it is likely that monitoring will be in place. Using an XML attack would hide such actions in the web logs rather than the SQL logs, giving a certain amount of anonymity.
What is an XML XXE attack?
The Extensible Markup Language (XML) is used extensively in web application technologies. First introduced in the 1980’s, it enables data exchange, data storage and configuration that fundamentally supports most web service activity between provider and consumer. Essential to XML is the XML Processor, often referred to as the XML parser, and the use of entities and schemas.
Entities are a feature defined in the Document Type Definition (DTD) and are generally classed as internal, external and parameterised. Many XML parsers support DTDs to enable authoring and readability, thus affording similar wrongful manipulation for nefarious purposes, a methodology that has also been used in the XXE BIL (Billion Laughs) denial of service attack. Even as research into more powerful XXE attack techniques remains active, the publication rate of XXE vulnerabilities is increasing as a potential threat vector.
Prevention and mitigations
The easiest way to avoid all types of XXE is to disable Document Type Definitions (DTDs) completely on your web application! In addition, consider the following:
• Whenever possible, use less complex data formats such as JSON, and avoid serialisation of sensitive data
• Developer training and awareness
• Implement positive server-side input validation
• Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system
• Implement Dynamic Application Security Testing (DAST)
• Implement Source Code Analysis Tools (SAST)
• Implement a suitable Web Application Firewall (WAF)
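As an added example (not code from the article or from SBRC), the following Python shows the “disable DTDs” mitigation in practice: the standard library’s expat parser is given handlers that refuse the document as soon as a DOCTYPE or entity declaration appears, so no entity, internal or external, is ever expanded. It also shows, for contrast, that the same parser left at its defaults does expand entities. The sample documents are constructed for this example and the file path in the XXE-style sample is a placeholder, not a real target.

```python
"""Refuse DTDs in untrusted XML before the parser can expand any entity.

Added example, not the article's code. Uses only the standard library.
"""
import xml.parsers.expat as expat


class ForbiddenDTD(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def _collecting_parser(elements, stack):
    """Build an expat parser that records (tag, text) for every element."""
    parser = expat.ParserCreate()
    parser.buffer_text = True          # deliver each text run in one call

    def start(name, attrs):
        stack.append(len(elements))
        elements.append([name, ""])

    def end(name):
        idx = stack.pop()
        elements[idx][1] = elements[idx][1].strip()

    def chars(data):
        if stack:                      # ignore text outside the root
            elements[stack[-1]][1] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return parser


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted source; refuse any DTD or entity.

    Returns a list of (tag, text) tuples in document order.
    """
    elements, stack = [], []
    parser = _collecting_parser(elements, stack)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD(f"<!DOCTYPE {name}> is not allowed")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenDTD(f"entity declaration {name!r} is not allowed")

    def reject_external(context, base, sysid, pubid):
        raise ForbiddenDTD(f"external entity {sysid!r} is not allowed")

    # The DOCTYPE handler fires first, before the internal subset is read;
    # the other two handlers are defence in depth.
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.Parse(data, True)
    return [tuple(e) for e in elements]


def parse_with_entity_expansion(data: bytes) -> list:
    """The same collector with no rejection handlers: the parser's default
    behaviour, which expands entities declared in the DTD. Shown only to
    contrast with parse_untrusted_xml; never use it on untrusted input."""
    elements, stack = [], []
    parser = _collecting_parser(elements, stack)
    parser.Parse(data, True)
    return [tuple(e) for e in elements]


def rejects_dtd(data: bytes) -> bool:
    """True if the hardened parser refuses the document because of a DTD."""
    try:
        parse_untrusted_xml(data)
    except ForbiddenDTD:
        return True
    return False


# Constructed sample documents for this example.
BENIGN_ORDER = b"""<order id="42">
  <sku>ABC-123</sku>
  <qty>3</qty>
</order>"""

INTERNAL_ENTITY = b"""<!DOCTYPE note [<!ENTITY greet "hello">]>
<note>&greet;</note>"""

# XXE-style document: the external entity points at a placeholder path.
XXE_STYLE = b"""<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>
<order><sku>&ext;</sku></order>"""

# The first rungs of a Billion Laughs chain: nested entity expansion.
BILLION_LAUGHS = b"""<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_ORDER))
    print(parse_with_entity_expansion(INTERNAL_ENTITY))
    for doc in (INTERNAL_ENTITY, XXE_STYLE, BILLION_LAUGHS):
        print("rejected" if rejects_dtd(doc) else "accepted")
```

The same pattern applies to any parser that exposes DOCTYPE or entity callbacks; where a library offers a dedicated “no DTD” switch, prefer that switch to handler-based rejection.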
Eamonn Keane Head of Cyber Security and Innovation
Scottish businesses urged to 'open their eyes' to the signs of human trafficking
With Brexit looming there is concern amongst businesses in Scotland about the possible impact upon the workforce, especially migrant workers.
David MacCrimmon, SOC and Counter Terrorism Lead
What concerns me more, however, is that if the migrant workforce were to be diminished even slightly, does this present an opportunity for people to be exploited? I suppose what I am saying here is, will there be an increase in cases of human trafficking to fill gaps in the workforce quickly? The UK is still seen as a desirable place to come for employment opportunities, and this can lead to, as it has previously, criminal gangs exploiting people and making money from them as they’re put to work, often in horrendous working and living conditions. We must open our eyes to this, not just the eyes of the public, but the eyes of the business community. We need to be able to spot the signs of potential victims of human trafficking and know what to do and who to call should we encounter victims. Victims of human trafficking are often hidden in plain view, and there are many examples of that, whether it has been cases of cleaners in large office blocks, workers in hand car washes in our towns and cities, or those working on our high streets in nail bars and other shops. Hidden in plain sight also extends to moving trafficking victims about. We associate moving victims about with smuggling, and the two are entirely different things. Yes, sometimes victims of trafficking are moved about from place to place in cars, vans and trucks, but often this is done in plain sight too.
Many victims of trafficking can simply be told to go from one destination to another by bus or train. They are often given tickets to do so, and frequently there will be someone to meet them at the other end, to take control of them. This control can be through fear and intimidation, through threats of violence or actual violence, or simply as part of a debt. With all that in mind, I want you all to open your eyes. Whether you are working in retail, or in a large office block or a venue, if you work on the transport infrastructure, the train stations or bus stations, if you travel yourself on public transport, or are a driver in the haulage industry, if you spot something that’s not right, if you see someone that you feel may be the victim of human trafficking, someone who is displaying the signs of being a victim, such as:
• Appearance of neglect, physical neglect
• Signs of poor nutrition
• Withdrawn, submissive
• Old injuries, or vague about how they came about the injury in the first place
• Excessive working hours
• Distrust of persons in uniform
There are many more indicators that I could add to this list. Human trafficking is not just a crime, it’s a human rights violation, and we need to help support victims that have been identified, and you can help in that.
Putting 'Safe' into place
CSSC Cross-sector Safety and Security Communications
SCOTLAND CSSC: A national initiative providing business leaders with safety and security communications
SBRC are proud to be associated with CSSC, and to facilitate the hub for CSSC Scotland messaging and liaison with our partners at Police Scotland. It works like this: authoritative security and safety information is cascaded nationally from a central hub to businesses across the UK, or locally by the regional hubs to members within their regions. CSSC messages are sent with ‘Red’, ‘Amber’ or ‘Green’ priority status and include NCTPHQ bulletins, police ‘Operation Bulletins’ and NFIB alerts from the City of London Police. Since its inception, over 600 bulletins, advice and security articles have been broadcast covering subjects such as counter terrorism, large-scale demonstrations, cybercrime, public order events and fraud alerts, as well as extreme weather alerts from the Environment Agency and travel disruption advice.

Each business sector is represented by one or more Industry Sector Leaders (ISLs). There are currently over 2,250 ISLs across the UK in over 33 business sectors, who cascade information through their business links, trade organisations and contacts. The potential reach for CSSC messaging is over 10 million people throughout the UK. In addition to sending alerts, CSSC hosts conference calls, security briefing events and conferences. Industry Sector Leaders can, as the need arises, be invited to dial in to high-level telephone bridge calls and to top-level briefings.
sbrcentre.co.uk 33
Financial resilience

In August of last year we provided an article on the SBRC website regarding pension scams. Unfortunately, individuals are still falling foul of this dreadful type of fraud, with many losing thousands of pounds. As the summer months fast approach, unscrupulous fraudsters will be looking to fund their holiday activities with your hard-earned retirement cash. Please review our article again and keep your hard-earned cash safe and secure from those who would very much like you to fund their illegitimate lifestyles.

Don’t let a scammer enjoy your retirement

Find out how pension scams work, how to avoid them and what to do if you suspect a scam. Pension scams can be hard to spot. Scammers can be articulate and financially knowledgeable, with credible websites, testimonials and materials that are hard to distinguish from the real thing.
How pension scams work

Scammers usually contact people out of the blue via phone, email or text, or even advertise online. Scammers will make false claims to gain your trust. For example:

- Claiming they are authorised by the Financial Conduct Authority (FCA), or that they don’t have to be FCA authorised because they aren’t providing the advice themselves.
- Claiming to be acting on behalf of the FCA or the government service Pension Wise.

Scammers design attractive offers to persuade you to transfer your pension pot to them (or to release funds from it). It is often then invested in unusual and high-risk investments like overseas property, renewable energy bonds, forestry, storage units, or simply stolen outright.

Scam offers often include:

- Free pension reviews
- Higher returns – guarantees they can get you better returns on your pension savings
- Help to release cash from your pension, even though you’re under 55 (an offer to release funds before age 55 is highly likely to be a scam)
- High pressure sales tactics – the scammers may try to pressure you with ‘time limited offers’ or even send a courier to your door to wait while you sign documents
- Unusual investments – which tend to be unregulated and high risk, and may be difficult to sell if you need access to your money
- Complicated structures where it isn’t clear where your money will end up
- Long-term pension investments – which mean it could be several years before you realise something is wrong
Four simple steps to protect yourself from pension scams

Step 1 - Reject unexpected offers

If you’re contacted out of the blue about a pension opportunity, chances are it’s high risk or a scam. If you get a cold call about your pension, the safest thing to do is to hang up. If you get unsolicited offers via email or text you should simply ignore them. Fortunately, most people do reject unsolicited offers – FCA research suggests that 95% of unexpected pension offers are rejected. Be wary of offers of free pension reviews. Professional advice on pensions is not free – a free offer out of the blue from a company you have not dealt with before is probably a scam. And don’t be talked into something by someone you know. They could be getting scammed, so check everything yourself.

Step 2 - Check who you’re dealing with

Check the FCA Register - Make sure that anyone offering you advice or other financial services is FCA authorised. If you don’t use an FCA-authorised firm, you also won’t have access to the Financial Ombudsman Service or Financial Services Compensation Scheme (FSCS), so you’re unlikely to get your money back if things go wrong. If the firm is on the Register, call the FCA Consumer Helpline on 0800 111 6768 to check the firm is permitted to give pension advice.

Check they are not a clone - A common scam is to pretend to be a genuine FCA authorised firm (called a ‘clone firm’). Always use the contact details on the Register, not the details the firm gives you.

Step 3 - Don’t be rushed or pressured

Take your time to make all the checks you need – even if this means turning down an ‘amazing deal’. Be wary of promised returns that sound too good to be true and don’t be rushed or pressured into making a decision.

Step 4 - Get impartial information or advice

You should seriously consider seeking financial guidance or advice before changing your pension arrangements.

The Pensions Advisory Service - provides free, independent and impartial information and guidance.

Pension Wise - If you’re over 50 and have a defined contribution pension, Pension Wise offers pre-booked appointments to talk through your retirement options.

Financial advisers - It’s important you make the best decision for your own personal circumstances, so you should seriously consider using the services of a financial adviser. If you do opt for an adviser, be sure to use an adviser that is regulated by the FCA and never take advice from the company that contacted you or from someone they recommend, as this may be part of the scam.
If you suspect a scam, report it

Report to the FCA - You can report an unauthorised firm or scam to us by contacting our Consumer Helpline on 0800 111 6768 or using our reporting form.

Report to Action Fraud - If you suspect a scam you should report it to Action Fraud on 0300 123 2040 or at www.actionfraud.police.uk.

If you’ve agreed to transfer your pension and now suspect a scam, contact your pension provider straight away. They may be able to stop a transfer that hasn’t taken place yet. If you are unsure of what to do, contact The Pensions Advisory Service for help on 0800 011 3797.

Be ScamSmart with your pension. To find out more, visit www.fca.org.uk/scamsmart
Cyber Essentials: The Beginning of a Cyber Resilient Business

When we think about resilience, what things come to mind? The ability to bounce back to our original form - to recover from a sports injury or illness, for example. Essentially to have some form of damage inflicted, yet have the ability to fully recover from it, almost as if it never happened in the first place.

With this in mind, making your business cyber resilient would not mean eliminating the threat of attack completely, which is an almost impossible task, but being able to suffer an attack and bounce back, fully recovered, with no long-lasting effects on your business.

Cyber criminals are out there. They want your money, your data, your customers’ data and your Intellectual Property (IP). With the average cost of a cyber attack now over £4,000 for UK SMEs, do you have a plan for what you would do if you could not access your business data, email system or database? Even without data loss, a cyber attack can damage your hard-earned reputation, and even stop you trading entirely. Loss of data could lead to fines or even prosecution.

The National Cyber Security Centre (NCSC) launched the Cyber Essentials scheme in 2014, backed by the UK Government. The scheme was designed to help businesses select appropriate security controls based on the most common types of cyber attacks. It was certainly not intended as a ‘silver bullet’, but to offer businesses a first step towards creating a more cyber secure organisation. The majority of cyber attacks exploit basic weaknesses in your IT systems. Cyber Essentials addresses those basic issues and will prevent 80% of the most common attacks. It is designed to make it easy to protect yourself. Other business benefits from achieving CE certification include:

- Demonstrating to your customers that you take cyber security seriously
- Allowing you to bid for UK Government contracts
- Attracting new business with the promise you have cyber security measures in place

With the introduction of GDPR just over 12 months ago, holding a Cyber Essentials badge will go some way to demonstrating your business has taken some steps towards preventing data breaches. The Cyber Essentials documents are free to download and any business can use them to put the security controls in place. Most companies apply for independent CE certification. If you decide to become certified, it is recommended to use an Approved Cyber Essentials (ACE) Practitioner who can help prepare your business for certification, guaranteeing you get approved first time. Up to £1,000 funding towards Cyber Essentials is available to Scottish businesses with up to 250 employees right now. There is more information on CE and how to apply for funding on our website: www.m3networks.co.uk/cyberessentials

How does CE fit into creating a resilient business? It ensures you are not going to become compromised due to very basic weaknesses in your IT systems. But it is just the beginning of your security journey. In today’s threat landscape it certainly has its place, but in many cases it is not enough by itself.
Businesses are constantly told of the need to be more cyber secure, but business owners simply do not know what that means, or how to do it.
At m3 Networks, we take our clients through what we call the ‘Cyber Climb’. We use this to show where they are now in terms of cyber risk, and create a plan to elevate them up the climb, becoming more resilient against cyber attacks at each stage. We find this visual approach works really well, helping businesses to understand the need to create a resilient business and showing how they can achieve this. Beyond CE, we work with clients to implement further security controls, such as:

- Email Security and Content Filtering
- Dark Web Monitoring
- Phishing Testing and User Security Training
- Network Monitoring and Penetration Testing
If you have any cyber security concerns you would like to discuss or would like to find out more about our cyber services, you can contact us via our website www.m3networks.co.uk or call 01738 237 001. m3 Networks are an IT support and cyber security specialist based in Perth. They are Approved Cyber Essentials (ACE) Practitioners and hold ISO 9001:2015 certification for quality management.
What is Document Security and why is it so important?

Every business, public body, charity and individual will have documents that need to be processed daily, such as contracts, invoices, despatch notes and even HR documents. Read on to find out why your organisation should consider document security.

What is Document Security?

The word security is defined in the English Dictionary as “being free from danger or feeling safe”, and in the context of documents this means they must be filed, stored, processed, backed up, delivered and eventually disposed of securely. In May 2018 the General Data Protection Regulation came into force and document security became a hot topic for all businesses.

Why is it so important?

Whilst putting in a Document Storage solution may seem daunting, costly or rather time consuming, you must consider the following:

- Is your current storage method compliant with GDPR?
- How secure is my current filing cabinet storage solution?
- What if I lost all documents due to fire or flood?
- What if I can’t find important documents because they have been filed incorrectly?
- What if my PC is hacked and personal information stored on the PC is accessed?
- If my company continues to grow, will I lose control of documents, or will I outgrow my office due to the volume of paperwork stored?
- What if I use an offsite storage company and must wait days to get my documents?
- What if I am asked for a Subject Access Request? It is a legal right of any person to obtain from any company the information that is held about them by that company. How easily can I do this?

What should I consider for improving Document Security?

Traditional filing cabinet storage or offsite storage methods are becoming inefficient and insecure. Having to search through files and hope a document has been filed in the correct place is such a waste of time in today’s fast-paced business world. With offsite storage, retrieving an archived file requires a phone call, a long wait and a bill. Businesses are moving towards Electronic Document Management: a digital world eliminating time-consuming, paper-heavy storage tasks and giving access to documents 24 hours a day. This secure electronic filing cabinet manages the creation, storage and control of your documents.
Some of the Document Security features include:

- 128 bit encryption: from the moment a document enters the Document Management System it is automatically encrypted with 128 bit encryption.
- Role Based Access Control: electronic cabinets can be locked down, with access only granted to those members of staff who require access to documents.
- Retention Control: in a heavy paper-based office, keeping on top of retention policies for documents is a monotonous, time-consuming task. Finance documents must be kept for 7 years; CVs should only be kept until there is no longer an employment requirement. Using a Document Management System, the software manages this for you. We will set up rules for each document type with the retention policies that you require.
- Audit Trail and Traceability: full visibility of a document from when it entered the system and of any amendments made.
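To show how the last three features above fit together in practice, here is an added example (not the page's or any vendor's code) of a minimal document store: roles map to the "cabinets" they may open, each document type carries a retention rule (a fixed number of years, or an event such as the end of an employment requirement), and every access attempt, including denied ones, is written to an audit trail. Encryption at rest is left out. The roles, rules, document ids and dates are all constructed for illustration.

```python
"""Added example: role-based access, per-type retention and an audit trail
for a small document store. All roles, rules and documents are constructed."""
from dataclasses import dataclass, field
from datetime import date

# Constructed retention rules keyed by document type: years from the document
# date, or None when retention is event-based (a CV is kept only while an
# employment requirement exists).
RETENTION_YEARS = {"finance": 7, "cv": None, "contract": 6}

# Constructed "cabinets": which document types each role may open.
ROLE_CABINETS = {
    "finance": {"finance", "contract"},
    "hr": {"cv", "contract"},
    "reception": set(),
}


def _add_years(d, years):
    """Same calendar date `years` later; 29 Feb rolls forward to 1 Mar."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


@dataclass
class Document:
    doc_id: str
    doc_type: str
    created: date
    still_needed: bool = True  # drives event-based retention (CVs)


@dataclass
class DocumentStore:
    documents: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _record(self, actor, action, doc_id, outcome):
        # Denials are logged too, so the trail shows who tried, not just who succeeded.
        self.audit_log.append(
            {"actor": actor, "action": action, "doc": doc_id, "outcome": outcome})

    def _allowed(self, role, doc_type):
        return doc_type in ROLE_CABINETS.get(role, set())

    def add(self, actor, role, doc):
        if not self._allowed(role, doc.doc_type):
            self._record(actor, "add", doc.doc_id, "denied")
            raise PermissionError(f"{role} may not file {doc.doc_type} documents")
        self.documents[doc.doc_id] = doc
        self._record(actor, "add", doc.doc_id, "ok")

    def read(self, actor, role, doc_id):
        doc = self.documents.get(doc_id)
        if doc is None:
            self._record(actor, "read", doc_id, "missing")
            raise KeyError(doc_id)
        if not self._allowed(role, doc.doc_type):
            self._record(actor, "read", doc_id, "denied")
            raise PermissionError(f"{role} may not open {doc.doc_type} documents")
        self._record(actor, "read", doc_id, "ok")
        return doc

    def retention_expired(self, doc, today):
        years = RETENTION_YEARS[doc.doc_type]
        if years is None:
            return not doc.still_needed
        return today >= _add_years(doc.created, years)

    def purge_expired(self, actor, today):
        """Remove documents whose retention has ended; returns their ids."""
        expired = [d.doc_id for d in self.documents.values()
                   if self.retention_expired(d, today)]
        for doc_id in expired:
            del self.documents[doc_id]
            self._record(actor, "purge", doc_id, "ok")
        return expired

    def history(self, doc_id):
        return [e for e in self.audit_log if e["doc"] == doc_id]


def demo():
    """Constructed walk-through: file three documents, one denied read, then purge."""
    store = DocumentStore()
    store.add("alice", "finance", Document("INV-001", "finance", date(2012, 3, 1)))
    store.add("bob", "hr", Document("CV-042", "cv", date(2019, 6, 1), still_needed=False))
    store.add("alice", "finance", Document("INV-002", "finance", date(2018, 1, 15)))
    try:
        store.read("carol", "reception", "INV-001")  # reception has no cabinet
    except PermissionError:
        pass
    purged = store.purge_expired("retention-job", date(2020, 1, 1))
    return store, purged


if __name__ == "__main__":
    s, gone = demo()
    print("purged:", gone)
    for entry in s.audit_log:
        print(entry)
```

Running `demo()` purges the 2012 invoice (seven years have passed) and the CV that is no longer needed, keeps the 2018 invoice, and leaves a trail for INV-001 that reads add, denied read, purge. The point of logging the denial is that an access-control failure is itself evidence worth keeping for a later investigation or a Subject Access Request.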
For more information visit www.documentdatagroup.com
Counter Terrorism Policing have facilitated interviews with two terror survivors who are calling for businesses and religious organisations to complete Counter Terrorism training to help protect the UK from future attacks.
ELEARNING – 1 YEAR ON
Natalie Tait and Joanette Fourie, both from London, have shared their own accounts of being caught up in the London Bridge and Parsons Green attacks, to encourage more people to sign up to Counter Terrorism Policing’s online training package – ACT E-Learning – on the first anniversary of its release. The ground-breaking training has since been adopted by more than 3400 businesses nationwide, delivering the potentially lifesaving information to nearly a quarter of a million people. The training is free of charge to all qualifying organisations and consists of six primary modules designed to teach staff about the terrorist threat to the public and how to mitigate it, such as spotting the signs of suspicious behaviour or how to react during a firearms or weapons attack. It is a package that could save your life and, as Joanette personally experienced, it can change the way you react in an emergency situation for the better. She had undergone Project Argus training just two days before boarding the carriage that would carry her and an improvised explosive device to Parsons Green.
Unfortunately for Natalie, when the worst happened, she was not so prepared and believes that she suffered more trauma during and after her experience as a result. “What affected me most, both during the incident and in the weeks afterwards, was the uncertainty and the panic,” she said. “Experiencing the training before this happened would certainly have helped me. When the fire alarm goes off at work, nobody panics. That’s because that training is drilled in from an early age.” “If this training allows people to react more calmly in that awful situation then the resulting mental trauma can be reduced and that means we’re not letting the terrorists win, because they want to spread fear.” The online course is interactive and can be tailored to suit business needs, offering those who complete it a nationally accredited commendation. Originally designed with industries such as retail, entertainment and hospitality in mind, Counter Terrorism Policing’s National Coordinator for Protect and Prepare, Chief Superintendent Nick Aldworth, also believes faith centres and religious establishments should consider delivering the training to their staff, volunteers and parishioners. He said: “ACT Awareness is available for faith centres to use and I would urge religious leaders to consider this training for their churches, mosques and synagogues.”
Thanks to the training I had just done, I knew instinctively what had happened and what I needed to do.
For more information about the ACT Awareness e-Learning package, and to find out whether your business qualifies for access to this free resource, visit www.gov.uk/government/news /act-awareness-elearning
Time management and how to make the most of your day
Has the title caught your attention? Time Management is an issue that I am repeatedly asked about by my coaching clients. We all have the same number of minutes and hours in every day, and yet some people seem to be far more effective and efficient. How do they manage it? Read on...

Time Managers generally fall into 3 categories:

1 You’re an excellent Time Manager – Well done! Share your tips with others (and then skip to the bottom and contact me if there is something else I can help you with).
2 You are easily, or often, distracted, and find it impossible to achieve everything you want to do in your day.
3 You find it hard to prioritise with all the demands on your time.

There may be others, but these are the ones I often deal with in my coaching or training. There are some easy strategies to help you be more effective and use your time more wisely. You need to know what or who your ‘time stealers’ are. On a typical day in the office, or two half days, keep a time log (with the time down the left-hand side of your page). Be specific and log everything, from how long it takes you to settle in in the morning to leaving the office (or going to bed). Once done, look at what takes up most of your time. What steals your time? What one thing can you do to minimise this?

Here are some tips:

1 The first step in a good time management process is to know what you are trying to achieve in a given period of time:
a) Work out your best time of day, and do the hardest task first.
b) If you have an endless ‘To Do’ list, treat this as your Task list and have a To Do list that only has 3-5 things on it each day, which are manageable and achievable given your other demands.
c) N.B. People who are planners work well with To Do lists; they are known as ‘Through Time’ people. If you dislike To Do lists and they seem a necessary evil, then you are likely to operate in an ‘In-Time’ way (in the moment, working best to last-minute deadlines). In-Time people tend to do better with either a post-it note with the most important things on it or a reminder of pending deadlines on their phone or laptop. Don’t try to become a square in a round hole by finding new ways of keeping long To Do lists; they won’t work for you!
2 Make sure you do the tasks in small manageable ‘chunks’.
3 Don’t make it daunting. It needs to be achievable and realistic (think SMART).
4 If your job means that you are often interrupted, choose time slots in your day which are blocked out and during which people are asked not to disturb you. Put a flag on your desk (or something similar) which informs people that it’s time for focused or project work. Make sure you remain accessible outside of these time slots and let people know what you are doing. People will respect your privacy if you communicate honestly.
5 Avoid the temptation to constantly be looking at emails or your phone. Decide how often you need to read them and stick to it. This is often one of the biggest problems for people, with the increasing number of emails that land in inboxes. There is a lot to be said about how best to manage emails, so this is the first tip – turn off your pop-up. And then reward yourself (it may even be giving yourself time to read an interesting article).
If you are interested in learning more about Time Management or any of the other areas I train in or if you are interested in a free, no obligation, first coaching session, do contact me. I look forward to hearing from you. Andonella Thomson. T: 07803 083279 E: andonella@kingscavilconsulting.com www.kingscavilconsulting.com
Why your Disaster Recovery shouldn’t stop with backups

When you’re building resilience into your business, disaster recovery should be a key part of your strategy.

According to the London Chamber of Commerce and Industry, 42% of companies experiencing disasters like fire, flood or a malicious attack will never recover. That’s why more businesses than ever – in Scotland and beyond – are turning their attention to continuity. But there’s a problem. Not all disaster recovery is the same – and if your strategy is no more than offering a musty back office and slow WiFi, you can only hope to mitigate, not eliminate, your risk. Effective disaster recovery and true resilience is more than backups. It’s everything your people need to be at their best.

The fundamentals of disaster recovery

At the baseline, disaster recovery allows you to continue doing business, even in the event of disaster or should your primary systems and physical space become unavailable. Today, there are more reasons than ever to include this safeguard in your resilience strategy. Natural disasters, fires and accidents remain a cause of concern – but one that largely depends on your geographic location. Meanwhile, today’s political, cultural and technological landscape means the threats are more wide-reaching. It’s everything from terrorism to large-scale cyber attacks that can cripple your infrastructure. Of course, prevention is your best approach wherever possible. But there’s always space for the unexpected and uncontrollable – and that’s where disaster recovery comes in. Your most basic disaster recovery plan should include:

- Physical space where your teams can work (in some instances, this is remotely from home)
- All the hardware and software your people need to stay productive
- Internet service provider connectivity

But while these are vital ways to keep your business resilient in the event of disaster, they’re just the beginning.
What does good resilience and recovery really look like?

If you broke your leg, you wouldn’t count using crutches as full recovery. But, when it comes to business, a number of disaster recovery plans stop short of what a full recovery really looks like. If your plan only accounts for the baseline requirements of disaster recovery, your employees can end up working with their hands tied for days, even weeks on end. True resilience is business as usual – not just access to space and systems, but all the things your people need to thrive.

#1 A fast transition

When disaster strikes, the clock starts ticking. Every hour until you’re operational again comes with a bottom-line cost and potentially irreversible impact on service and reputation. Effective disaster recovery moves fast, giving every member of your team clear, specific instructions on their role and next steps. These could include:

- Assigning non-critical staff to work from home
- Moving key team members to an alternate location

Ideally, services will all be configured to make the transition as seamless as possible for your people. This could include WiFi that’s configured to the passwords people already have saved on their devices, or workstations that present a familiar interface.

#2 Access to everything

During the process of recovery, it’s no good if people are forced to make do with a limited number of applications or restricted access to data. This is where your backup and redundancy strategy comes in. Whether your business-critical applications are deployed locally or in the cloud, it’s vital that a recent, up-to-date backup is available whenever and wherever people may need it. Continuous data protection tools can take incremental backups whenever your data changes, guaranteeing that teams will always be working with the right information. Meanwhile, phone access remains a crucial tool, even in our data-driven age. Most VoIP services allow for instant re-routing, so inbound and outbound calls still work using the same telephone number as usual. This minimises the impact on your people and customers alike.

#3 An inspiring environment

When your employees are dealing with a disaster, it’s more important than ever that you keep them engaged, enthusiastic and motivated. A poorly-maintained, cramped office that’s rarely used just won’t cut it. As you choose a disaster recovery suite, treat it with the same diligence you would your main office. From good coffee to convenient amenities, it’s the little things that really count – and keep people productive.

#4 Resolving the real problem

Finally, giving your employees a workstation, internet connection and access to their usual tools and data will always be a temporary measure. An effective disaster recovery plan should always be focused on the ultimate goal of restoring normality. Anything else is just bridging the gap. If you run your IT in-house, assign specific roles for every member of the team during a crisis. This will help you spread people across two areas – keeping you operational and solving the underlying problem. If you work with a third-party IT provider, expect robust SLAs that set clear expectations for investigating and resolving major issues.

The best protection for the worst-case scenario

As businesses face more threats, from more places, than ever before, now is the time to revisit your business continuity plan. Removing risk is impossible – but the right combination of technology and expertise can dramatically reduce the impact of disaster on you, your business and your future.
For more than a decade, Consider IT has been providing IT support to businesses of all sizes, in Scotland and beyond. Services include cyber security, VoIP telephony, helpdesks and more. Consider IT’s disaster recovery services minimise your risk with a full clone of your infrastructure as well as access to a high-end Disaster Recovery Suite overlooking the Water of Leith. Find out more about Consider IT at www.considerit.co.uk
Why robust resilient planning is taking off in our airports

Group Head of Assurance at AGS, Gillies Crichton, explains why Glasgow Airport takes business resilience extremely seriously.

Airports are interesting places, some as large as a small city, some the size of a large town and some the size of a small village. Despite their size, they all have one thing in common: our passengers all want to fly on the day and at the time they booked their flight. Aviation is a transformational service. In other words, it is possible to fly from one country and arrive at the other side of the globe in around 24 hours. Airports therefore play a major part in our everyday lives, whether that be for business or pleasure, and so play a major part in business and tourism. Indeed, a recent study by York Aviation showed that Glasgow Airport alone contributes in excess of £1.44 billion (GVA) annually and supports more than 30,000 jobs across Scotland. In the past few years, we have seen a myriad of things which have affected the aviation industry, e.g. volcanic ash closing UK airspace, winter weather (including the Beast from the East), cyber-attacks at Bristol Airport, incendiary devices sent as parcels to Heathrow and London City Airports and, not least of all, the terrorist attack on Glasgow Airport in 2007.

At Glasgow Airport, we spend a great deal of time planning and preparing for any and all types of incident; indeed, planning for anything, rather than planning for everything. All of these incidents have drawn massive media attention due to the sheer numbers of people affected by the issues, all of whom expect to be at their destination within the timescales they set. It is, therefore, vitally important that plans are put in place to help mitigate any and all risks that may beset the smooth running of an airport. This means having robust plans which are not merely placed on shelves, gathering dust. However, having plans is only the start of the journey. The plans must be tested to ensure they are workable, as an untested plan is merely a strategy: it may work when called upon, or it may not. It is too late to test the plan when in the heat of battle.

Airports are required to demonstrate to the regulatory authorities, currently the European Aviation Safety Agency (EASA), that they are prepared to deal with emergencies involving aircraft operating into our airports. However, there is a need to take a broader look at what can go wrong and how. The terrorist attack in 2007 taught us that our pre-planning for such an event had paid off; we hoped it would never happen, however we had prepared for it anyway. The fact that we returned to normality in a shockingly short timescale spurred us on to look further into the benefits of business resilience. We therefore took the decision to get external verification by way of BS 25999. We then became certificated to ISO 22301 when that became available and have maintained that ever since. This has the benefit of putting a framework around the planning and preparation phases and all the way through to response and recovery.

We have a Crisis Management Team (CMT) in place, who all receive induction training prior to joining the team. There is an assessment before going live with the rest of the team. In order to maintain competence, there are a minimum of four exercises per year – one per quarter. In order to remain part of the team, each member must attend a minimum of two per year. These levels of competence have proven to be essential over the years when faced with incidents and events. In the past couple of years, we have had a major gas leak which closed the M8 motorway prior to the morning rush hour, a high voltage power outage and, in recent months, a report of a suspect package on board an aircraft which had arrived from Gatwick, plus an IT outage which, in the early stages and on the face of it, had all the signs of a cyber-attack.

On the positive side, Glasgow Airport welcomed the arrival of a daily Airbus A380 aircraft operated by Emirates Airlines in April 2019. However, with an aircraft that size, it is not a case of simply “turning up” at the airport. This took months of planning and preparation, including dealing with unforeseen events and taking the opportunity to build in additional resilience during the construction phase of the area it operates from. In all of the examples, we have had robust plans based on cause and effect, i.e. a single cause can lead to a number of effects and, conversely, a number of causes can lead to a single effect; therefore, our plans are written to be able to deal with anything that faces us. Secondly, the CMT have responded to deal with the incidents, whether that be physically dealing with the cause of the incident or simply helping passengers to get to where they need to be. In summary, here at Glasgow Airport we take business resilience extremely seriously, spending time and effort in ensuring we can deal effectively and efficiently with events and incidents, no matter how large or small they may be. This ensures that we maintain the ability for our passengers to travel unhindered and, where this is not possible, disruption is minimised.
Putting ‘Safe’ into place Building Resilient Business
Gillies Crichton, MSc, GIFireE, MBCI, SIRM, Group Head of Assurance, AGS Airports Limited, Glasgow Airport
DARING TO BE DIGITAL
By Jackie Galbraith, Principal and Chief Executive of West Lothian College
Digital is disrupting how we do business and, to be successful in this information age, organisations need to embrace the changes arising from developments in technology.
Critical to achieving this potential is our future tech talent, including computing students at West Lothian College. Their skills will be vital in enabling companies in every sector of the economy to benefit from the impact of Big Data, the Internet of Things and Industry 4.0. However, the many thousands of high-value digital jobs available in Scotland can only be filled if an increasing number of people choose to develop the skills required. Schools, colleges and universities need to generate more interest in digital careers, particularly amongst young people. To inspire more young people at school to choose courses which develop digital skills, we offer two qualifications for secondary school pupils in fifth and sixth year: the Foundation Apprenticeship IT: Software Development, and HNC Computing.
We need to persuade many more young women that they should choose a career in tech. I graduated with a computing degree in the early 1990s and entered an industry in which it was very obvious that I was in a minority. Sadly, despite the preponderance of initiatives over the last three decades to encourage girls and women to study, build a career and stay in tech, time has pretty much stood still in relation to the proportion of females in the sector, which continues to be male-dominated with only 18% of tech roles held by women. Earlier this year the second annual progress report on the Scottish Funding Council’s Gender Action Plan demonstrated progress in improving the gender balance in subjects like engineering in colleges and universities. However, computing has not improved; indeed, in some areas it is worse. We are working with partners and industry through the West Lothian Regional STEM Hub to tackle this gender imbalance.

West Lothian College offers a wide range of industry-relevant computing courses. In August we opened a bespoke cyber security lab which provides students with state-of-the-art technology and access to industry specialists. This new facility has been developed in liaison with experts locally and further afield. We have added HNC Cyber Security to our course portfolio, and HND Cyber Security will be introduced in August 2020. The college has worked with Edinburgh Napier University to ensure that our courses fit well with their degrees, which means that graduating HNC and HND students will have the opportunity to go straight from college into the third year of a relevant degree at the university. National Progression Awards (NPAs) assess skills and knowledge in specialist vocational areas and link to national occupational standards, and we have included NPA Cyber Security in a range of computing courses for the past five years.
We also offer this as an evening class, which attracts school leavers as well as employees of a number of local companies. Computing lecturer Ross Tunnicliffe has led the college’s cyber security developments. Ross said: “Cyber security is a major growth area at the moment. All businesses, big and small, are at risk of cyber attacks and we want to play our part in ensuring that the next generation of cyber security experts are trained well to address these. This is not just about teaching technology and techniques, it is also about the ethics behind using these techniques in a professional and law-abiding manner.”
Former West Lothian College student Den Jones is now Director of Enterprise Security at Adobe in San Jose, California. According to Den:

“The cyber field is an amazing industry filled with crazy people, personalities and stories of how dark the web and world is. While it sounds depressing, it’s such a rush to be part of such an amazing industry. Never a day goes by when I don’t learn from amazing people around the world and realise this field enables anything.”
JOIN THESE BUSINESSES IN TAKING A #PADLOCKPLEDGE www.SaferBusinessStrongerScotland.com