Rising to the cybercrime challenge

Three years after the Scottish Environment Protection Agency (Sepa) was crippled by a cyber-attack, another public body – Comhairle nan Eilean Siar – is recovering from a digital assault by online criminals. Now Holyrood can reveal the results of exclusive polling on whether the public sector has risen to the cybercrime challenge.

Gathering more than 50 responses from public sector technology leaders, the polling shows that the Sepa breach made a mark on the sector. More than three quarters of respondents – all working at Scottish public-sector bodies – said their organisation had either made “some” or “significant” improvements to their cyber strategy since the incident, and 66 per cent said they worry about cyber-attacks daily. 

Almost half of respondents – 48 per cent – revealed they had suffered a cyber-attack in their workplace and for those hit, four in ten (39 per cent) said it took at least a month for their organisation to get back to normal. More than one in 10 (13 per cent) said this took more than five months.

According to Beverly Bowles, head of cyber at ScotlandIS, becoming a victim of a cyber-attack is an almost inevitable consequence of the digital era. She said: “People should be more alert to the fact that it’s not if, it’s when you will be attacked. They need to be cognisant of that.”
And it is this inevitability that is fuelling a sense of urgency across organisations, with a majority of respondents – 90 per cent – now regarding cybersecurity as a priority.

Kurtis Toy, chief executive of the Cyber Centre of Excellence, told Holyrood that cyber resilience is what can make the difference between being hit by a cyber-attack and getting knocked out by one. He said: “An important part of cyber resilience is your back-up plan and technologies. So, your business continuity plans – what to do when it all goes wrong. I cannot emphasise enough how important this is. Everybody needs to plan to fail. Because if you haven’t already got a plan and things go wrong, it’s very difficult to implement one after, particularly in larger organisations.”

But despite the pressing need to become resilient, two out of 10 of those surveyed by Holyrood said they still do not feel their organisation is very prepared in the event of a cyber-attack, suggesting there is still a gap to close.

Toy added: “I think a lot of people assume that because we rely on, for example, Microsoft so much, it’s almost unimaginable to have no access to it. But we have to imagine that so that we can put the controls in place to ensure it stays unimaginable. What do you if you have no email?”

Wendy Moncur, leader of the cybersecurity group in computer and information sciences at the University of Strathclyde, said the complexity of tools is often a barrier for those willing to learn to use them. “We need to develop tools that don’t demand digital literacy,” she said. “Currently, there’s still a bit of a tendency to feel foolish if someone makes a mistake. We should be moving towards the stage where we avoid cybersecurity designs that are hard for people to get their heads around.” 

But all of that costs money. As many as 41 per cent of those polled said their organisation does not have enough funding dedicated to cybersecurity, with more than two thirds saying support from central government in this area is insufficient.

Yet, on the back of the Local Government Information Unit announcing that many councils fear they will not be able to balance their budgets in 2024-25, it seems local authorities are lacking the resources needed to face the ongoing threat. And, when it comes to councils, the need for a reliable cybersecurity framework becomes a matter of public security as prolonged downtime of services can cause significant mayhem across the area. 

Not only that, but authorities hold a wealth of information in areas including social care and planning applications. For instance, in 2021 a cyber-attack on Gloucester City Council disrupted housing benefit claims and Covid-related services, and saw more than 240,000 documents leaked to a file-sharing site in New Zealand.

“If you can’t deliver your services to the public because you haven’t secured your systems, well, that would have a massive effect on public trust,” said Bowles. “And it’s not just a case of others using the data, it could impact somebody’s health and wellbeing if a council is breached.”

Strengthening cyber preparedness will not be an easy task in the current digital landscape, given the unprecedented pace of advancements in technology. Although most respondents (82 per cent) said they had a cybersecurity strategy in place, 39 per cent said they either didn’t know when they last updated that strategy or that they did it more than a year ago. That suggests that many public sector organisations may have strategies that pre-date emerging technologies such as generative AI, with ChatGPT only launching in November 2022. 

Toy stressed the need “to get faster” at responding to these developments. “I don’t necessarily believe cyber strategies should be updated every two or six months. It should be more based on ‘we have learned something; we should update in response’,” he said. “The focus should be on making sure that when you do need advice, that advice at that time is up to date. It needs to be something that’s almost like a live level of information.”

He also suggested that anyone within local authorities should take part in mandatory cybersecurity training, particularly those in senior leadership roles, with tabletop exercises occurring at least once every six months.

Toy said: “It is not just a case of ‘they did a training course three years ago’, but more a case of every year, their training is updated. And it needs to be engaging, it can’t only be ‘go read this policy’ and assuming that every person has memorised every policy in an organisation, that’s not feasible. 

“We should be focusing on National Cyber Security Centre-assured training that is bite-sized enough that people are actually going to be able to remember it and can repeatedly do it on a regular basis. And it should always be available to them. So, if they realise ‘I’m not quite sure if that’s a phishing email’, they could go back to the training and redo it at that time, rather than having to wait until the next time around.”

Looking ahead, he pointed to “the importance of maintaining the integrity of information” becoming a key concern over the next year. Toy said: “Councils in particular need to be thinking about how to make sure that the information they’re holding, for example about elections, is true, particularly with the threat of state-sponsored attacks or interference. We need to consider that in addition to ransomware, deletion or blocking the information, that an additional threat exists - what if they just changed it? Would the councils know? How would they know?”