Seòmar agus comataidhean

Thank you.

Convener, I hope to come back in later, but for the moment I pass back to you.

Will you say a wee bit more about that? There has been a skills alignment assurance group, and now there is a shared outcomes assurance group. What is the fundamental difference between the two? Do you have confidence that the new group will be an effective way to monitor progress as we move forward?

The backup data seemed to be targeted at an early stage. I am a wee bit surprised about how easy it was to access the backup systems. From my long experience of working in computing, I would have expected it to be logical for the backup data to be physically separate so that it could not be subjected to that sort of cyberattack. It should be completely protected and separate from the main data, but that does not seem to have been the case here. Should you recommend that SEPA and other organisations look more closely at that, and that they should separate and protect any data that is essential to keeping their business running?

Does that give assurance, though? There is bound to be another attempt at a similar attack on an organisation. In my opinion, it is still dangerous to have a direct link to the backup data and servers from the main data and servers. There should be some physical and logical separation of the two so that, if the attack is successful in one part of the operation’s data, it does not succeed in the other. Does SEPA plan to consider that?

Auditor General, one of the lessons from the attack is that the cybercriminal fraternity is a step ahead of the game, despite organisations’ best efforts to have the best systems, including security systems, in place. I imagine that a number of the recommendations try to address that.

The cyberattack is still the subject of an on-going police investigation, but are you able to tell us exactly where the attack managed to penetrate SEPA’s systems—the route source—or will that remain confidential?

That is good to hear. Convener, you will be delighted to hear that, in my day, when I worked in computing, our guys used to put the backup in a case and take it to the bank. We would actually take a hard drive away and make sure that it was physically protected so that, if something like that happened, the information could be immediately restored. There is a lesson from the past in that regard.

My final query is about staff training. It is recognised that SEPA staff were well trained in all those aspects and were aware of them. Are there further plans to improve training in relation to cyberattacks and to make staff more aware of the possibilities and the risks?

Good morning, Auditor General and the rest of the panel.

Before I ask a couple of questions about the skills alignment assurance group, I want to pick up on the comment in your opening remarks on the pandemic’s impact on the programme. In paragraph 18, you say:

“From March 2020, much of the skills alignment work was paused to allow staff in the Scottish Government”

and so on

“to focus on the emergency response to the ... pandemic.”

What impact did that have on the entire programme? You go on to say that

“the Scottish Government asked the SFC to review the tertiary education system”

in light of all that. It seems that the impact on the programme was not insignificant, but can you tell us a bit more about the overall impact and whether the review that was initiated in June 2020 has been completed? If so, have you had a chance to assess its effectiveness?

Auditor General, can you say something about the regional dimension of what we have been discussing? You mention in the report that the Government signalled a change to its approach to skills alignment in December 2020. How do we plan locally and regionally—for example, in Ayrshire—to match up skills to emerging economic opportunities? How does that shape up against the training and courses and so on that we offer in our colleges? Can you say a bit more about the regional dimension and what the impact of all your reporting is having on the successful delivery of that?

Thank you very much.

Good morning. I want to develop a discussion about how and whether NPF4 deals with not just the vacant and derelict land that Sarah Shaw mentioned a moment ago, but the derelict and abandoned dirty, filthy shops that blight our high streets. A lot of good work is being done in a lot of town centres across Scotland, with communities and councils doing a lot to improve areas and towns, where they can. However, many of my constituents often ask me, “What can we possibly do about the 18 abandoned shops that are blighting our high street?” The properties in question are mainly privately owned.

My question, therefore, for Sarah Shaw and perhaps my Ayrshire colleague Craig Iles is: what can we do about this? Should NPF4 strengthen powers in that respect, or do we already have sufficient powers under planning legislation to deal with the issue through, say, amenity notices?