'Forget your fire alarm... everything you go to should start with warning at least three people will try and get your data today'
“Today began with the message that we’re not expecting a fire alarm but here’s the full drill: how many sessions do you go to that start like this?” asks Scottish Business Resilience Centre director Mandy Haeburn-Little. “You’re probably talking about a one-in-30-year incident, but we begin almost every public meeting with this statement.
“Forget your fire alarm. Actually, everything you go to should start with the statement, ‘today you should expect at least three people to try and get your data and if you’re a business, they’re going to go after your customers too’. That would help to get the message across because, statistically, that’s where we are.”
The proposition attracts an echo of nervous laughter round the room from those who have gathered for Holyrood’s latest cyber security conference. However, it serves to highlight the scale of the problem. “The reality is that for any police force in the UK, if everybody lifted up the phone today and said, ‘I think I’ve had a breach’, the police forces would fall over,” adds Haeburn-Little. “That’s the reality, but Scotland is developing a different approach.”
That approach involves a number of strands off the back of the Scottish Government’s recently published cyber resilience strategy. Among them is an active discussion about the creation of a cyber hub for Scotland, the first resource of its kind involving police, government, third sector and others with a view to supporting businesses and networks.
Work is also underway with students at Glasgow Caledonian University around the design of a business app that would combine, among other things, updates on latest trends as well as tips and advice.
“What’s different about it is eventually it will start to collect the analytics on who is requesting what information in Scotland so it will mean that we will know who wants to know about cyber bullying at teenage level, how many people are looking at trolling and need more information, how many people are suffering a breach, and for the first time, Scotland will have some genuine analytics,” Haeburn-Little tells delegates.
The next step, which is being looked at with Police Scotland, revolves around how the app could be used to report cyber crimes. After all, digital has “changed the nature of investigations”, underlines Keith McDevitt, who served as a police officer with the legacy Central Scotland force for over 30 years, latterly heading up the now disestablished Scottish Crime and Drug Enforcement Agency’s eCrime Unit before being appointed as the Scottish Government’s cyber integrator.
This added complexity, however, necessitated a much simpler communication, he says, one that meant those in charge of investigations had enough confidence to ask the right questions and those providing answers “stopped speaking in maths”.
In one domestic murder case McDevitt helped investigate, for instance, a phone examined for evidence by forensics came back negative. It was soon sent off to another team with additional kit “that we didn’t understand but thought it could reveal more information”, he recalls.
“The guys got it and there is this thing called deleted data. In about 30 seconds, three photographs were revealed that had been deleted that were the before, the during, and the after of the murder.
“That was the complete investigation, that was the whole evidence, and it would have been unforgivable for us not to have found that. But you have to know to ask the right questions.”
From a business point of view, the suggestion is that those questions are, in many cases, not yet being asked. Research published by KPMG and Cyber Streetwise a few days earlier claimed that small businesses north of the border were “unprepared and unconcerned” when it comes to cyber attacks.
Less than one in four (23 per cent) Scottish-based small businesses and consumers who responded to a UK-wide survey claimed to be completely prepared for a cyber security incident, the worst figure of ten UK nations and regions surveyed.
“Now that may be we’re just a little bit more realistic, slightly dour, and that’s just our view in life,” says KPMG’s technical director for cyber security, David Ferbrache. “But I think, actually, there are some hints in there that there is an issue.”
More than that, one in five (19 per cent) admitted they had failed to take any steps to protect their data. “Scotland didn’t quite top the league table on the stats, quite the reverse actually – it ended up down at the bottom of the league table on quite a few key statistics,” the former head of cyber and space at the Ministry of Defence says.
“We’ve had a bit of a free lunch in relation to being on the internet, enjoying the plug-play reality and the opportunities it gives us, which are super,” adds McDevitt. “The thing that probably changed significantly is states and organised crime have actually realised this is a cracking vehicle for them and that threat has changed.
“So, folks, the free lunch is over. There is actually a responsibility on behalf of us all to start to understand something about the risk, the threat and then get it into context, which is the other difficulty.”