Everyone’s a target: The importance of cybersecurity in a fast changing world

It took less than eight minutes for thieves to break into the Louvre last month, escaping into a clear Paris morning with jewellery worth millions of euros tucked away on the back of mopeds. 

Their theft was brazen and shocking, the kind of thing usually reserved for movies and TV shows. Images of the thieves, clad in high-vis vests and gingerly escaping down a mechanical lift, played out on screens all over the world as viewers followed every twist and turn of the drama unfolding on Paris’s streets. 

But compared to the speed of cybercriminals, the Louvre thieves are left standing in the dust, watching in awe as vast sums of money get extorted by criminals whose daring escapes aren’t broadcast for the world to see.   

The world of cybercrime can feel like an abstract concept for some people. The kind of computational dark arts that keyboard-bashing teenage whizz kids deal with, furiously typing away bathed in the gentle green glow of computer code, surrounded by mountains of empty energy drink cans.  

Faced with this image, it's no surprise that ordinary people just don’t relate to it, content in the belief that the password they came up with in 2015 [possibly even saved as ‘2015’] will suffice if criminals target their system.  

But for Maggie Titmuss, as chair of the National Cyber Resilience Advisory Board (NCRAB) for the Scottish Government, the truth is simple: everyone is a target. 

“Any company or public sector body that doesn't have minimum standards of basic cyber hygiene is a target,” says Titmuss. “So, if everybody is a target, it's not just that cybercrime is something that's only going to happen to other people. It's really a question of when, not if, a cyberattack happens to them.” 

Titmuss’s words are backed up by recent data published by GCHQ’s National Cyber Security Centre (NCSC), that says the number of "highly significant" cyberattacks in the UK rose by almost 50 per cent since 2024. The review outlines that these “highly significant” attacks are targeted to disrupt the workings of central government, the operations of essential services and significantly impact a large proportion of the population or economy.   

This rise in cyberattacks coincides with an update to the Scottish Government’s Strategic Framework for Cyber Security, developed by the Scottish Cyber Coordination Centre and NCRAB. The refreshed framework, published this month, focuses on three core missions of cyber security. These are outlined in the framework as overarching missions to create a Scotland that is stronger, more resilient and capable as a cybersecurity nation by 2030. 

“We're all conducting more of our business online,” says Titmuss. “We give our details to companies, and we give our details to the government. All of this gives our data to people that we expect are keeping our data safe and secure. They're protecting your money and they're protecting your services. As a result, cybersecurity is that piece that keeps all of that safe.” 

To create a safer Scotland, the refreshed framework calls for businesses to treat cybersecurity as a strength and not an afterthought. For Titmuss, this means taking the same measures to secure your business as you do to protect your home. 

“If you're trying to deter burglars but you leave your doors and windows open, a burglar can come in and steal whatever they like,” says Titmuss. “If you close the windows and you close the doors, you're a little bit more secure. But then if you put a burglar alarm in, then the chances are a burglar might say, ‘That's too much hassle; I won't get in and out without being detected.’ Cybersecurity is just the same thing.” 

The idea of closing a digital door and installing an online alarm system sounds like an easy one. But in reality, the virtual door on a company's private data is just as vulnerable to a cybercriminal with a keyboard as a front door is to a burglar with a lockpick — if the systems that keep that door locked are out of date or not working in tandem. 

Hackers can exploit weaknesses like these to install spyware onto company devices, used to track sensitive information or cripple IT systems from the inside. To combat this, the framework sets out plans for a "cyber observatory" to help protect Scotland's public sector.

Cybercriminals often target large companies or public bodies with ransomware attacks, where malicious software is used to get inside a business’s computer system and steal data, locking it away until a ransom is paid.  

In May, West Lothian Council was targeted in a ransomware attack by cybercriminals, who stole “personal and sensitive data” from the council’s online education network. The stolen data related to operational issues for schools, such as lesson plans, with pupil records and financial data unaffected in the hack. 

Despite this, the attack caused major concern in the community over fears that data related to vulnerable children may have been stolen by criminals. In the aftermath of the attack, the council urged residents to be “extra vigilant”, warning stolen data might be used for further criminal activities. 

“In the first instance we want to make sure the public sector is resilient,” says Titmuss. “Because we can't ask small businesses or other businesses to do something that we're not prepared to do ourselves.” 

To build resilience in the event of a cyberattack, the framework advises businesses to identify their core services and invest in a backup plan for them. For example, a core service might be the ability to take payments — if this service is attacked, then the business ceases to function properly. By making sure there is a backup plan in place, the business can continue to function even if its additional systems are under attack.  

“It doesn't matter if you're a big company or a small company because the impact is similar in that you cannot continue to do your business,” says Titmuss. “You find yourself in a position where you lose the trust of your customers and it can wipe millions off the share price of the company. But if you're a florist and you do your appointments on the internet and lose access to that, it’s catastrophic for you as a business.” 

In 2024 just over half of businesses and around a third of charities reported some form of cybersecurity breach or attack. This number rose to 74 per cent for large businesses, at an average cost of £10,830 per attack. 

To combat this, the refreshed framework has been designed to increase cyber literacy for schoolchildren by fully integrating cyber skills into the curriculum. The goal is that this education-first approach will enable future generations to see cyber skills as a skill no different from reading or writing. 

“We are hoping by the end of the six years of secondary school, all of those skills will have been embedded within our curriculum,” says Titmuss. “Therefore, we should have a more cyber-savvy set of people coming out of high school.” 

The hope is that by creating a cyber-literate workforce and business community, Scotland will become a harder target for cybercriminals in the future. Even though cybercrime will still pose a threat, Scotland’s future economy should be stronger, more capable and more resilient in the face of an ever-evolving cybercrime landscape.