���˿���

Has the review completely reshaped the entire skills alignment programme? Has it completely changed how we think about it and what we intend to do? Is it fair to say that it has had a major impact on rethinking the direction of travel for the programme?

Will you say a wee bit more about that? There has been a skills alignment assurance group, and now there is a shared outcomes assurance group. What is the fundamental difference between the two? Do you have confidence that the new group will be an effective way to monitor progress as we move forward?

The backup data seemed to be targeted at an early stage. I am a wee bit surprised about how easy it was to access the backup systems. From my long experience of working in computing, I would have expected it to be logical for the backup data to be physically separate so that it could not be subjected to that sort of cyberattack. It should be completely protected and separate from the main data, but that does not seem to have been the case here. Should you recommend that SEPA and other organisations look more closely at that, and that they should separate and protect any data that is essential to keeping their business running?

Does that give assurance, though? There is bound to be another attempt at a similar attack on an organisation. In my opinion, it is still dangerous to have a direct link to the backup data and servers from the main data and servers. There should be some physical and logical separation of the two so that, if the attack is successful in one part of the operation’s data, it does not succeed in the other. Does SEPA plan to consider that?

Auditor General, one of the lessons from the attack is that the cybercriminal fraternity is a step ahead of the game, despite organisations’ best efforts to have the best systems, including security systems, in place. I imagine that a number of the recommendations try to address that.

The cyberattack is still the subject of an on-going police investigation, but are you able to tell us exactly where the attack managed to penetrate SEPA’s systems—the route source—or will that remain confidential?

That is good to hear. Convener, you will be delighted to hear that, in my day, when I worked in computing, our guys used to put the backup in a case and take it to the bank. We would actually take a hard drive away and make sure that it was physically protected so that, if something like that happened, the information could be immediately restored. There is a lesson from the past in that regard.

My final query is about staff training. It is recognised that SEPA staff were well trained in all those aspects and were aware of them. Are there further plans to improve training in relation to cyberattacks and to make staff more aware of the possibilities and the risks?

Before I ask a question on SEPA’s financial sustainability in light of the cyberattack, I will ask about something else about which I am curious.

What volume of data are we talking about? In the report, I can see only a reference in the appendix, on page 9, to about 1.2GB of data being stolen. Is that it? Are we talking about only 1.2GB of data? That is a tiny amount of data that has had such a catastrophic impact.

I refer to my earlier point about offline storage. You can buy data sticks that accommodate huge amounts of data for £10 or £50. You can put almost your entire data set on separate physical data sticks. Nothing can hack them if you do that.

Is there any information on the volume of data that SEPA lost and whether the right strategy is in place to protect it?

My final question is about the long-term implications for SEPA’s financial sustainability. You said that we do not know the full cost of the cyberattack, but do you have any indications of how it will affect SEPA’s financial sustainability?

I imagine that cyberattackers make a reasoned guess about how we all behave when we use computers. We are all vulnerable to inadvertently clicking on a link in an email—that seems to be a common route. It seems to me that all systems need the sophistication to guard against that, even when we make those mistakes. Perhaps your colleagues can talk about whether additional protections can be put into systems so that, if we are subjected to phishing and even if we click links, a degree of protection is still available.

Good morning. I want to develop a discussion about how and whether NPF4 deals with not just the vacant and derelict land that Sarah Shaw mentioned a moment ago, but the derelict and abandoned dirty, filthy shops that blight our high streets. A lot of good work is being done in a lot of town centres across Scotland, with communities and councils doing a lot to improve areas and towns, where they can. However, many of my constituents often ask me, “What can we possibly do about the 18 abandoned shops that are blighting our high street?” The properties in question are mainly privately owned.

My question, therefore, for Sarah Shaw and perhaps my Ayrshire colleague Craig Iles is: what can we do about this? Should NPF4 strengthen powers in that respect, or do we already have sufficient powers under planning legislation to deal with the issue through, say, amenity notices?