More than one in four Scottish firms have fallen prey to a cyber attack within the last three years, new government figures have shown.

Being directed to fake websites, email hacking, ransomware and bank fraud were among the most common incidences of online crime, according to the Digital Economy Business Survey.

The research, conducted by pollsters Ipsos Mori on behalf of the Scottish Government, further showed just 30 per cent of businesses felt ‘fully equipped’ to protect against cyber security threats. 

Fourteen per cent felt poorly or not at all equipped to deal with cyber security threats, the survey of 3,346 companies – spanning a diverse range of sectors including agriculture, ‘business activities’, construction and health/social work – revealed.

The implications of not being fully prepared or protected from cyber harm were also explored in the survey.

The data indicated that of the businesses that experienced a cyber attack, 26 per cent ended up requiring specialist services to get back up and running, 23 per cent needed to replace or upgrade computer equipment, 17 per cent suffered financial loss and 13 per cent reported re-training of staff. Some nine per cent said it damaged their reputation and seven per cent said it led to a data breach of sensitive information.

Yet despite that, just six per cent of businesses had obtained an official cyber-security accreditation, such as Cyber Essentials or Cyber Essentials Plus, down from 10 per cent in 2017, while 76 per cent did not have accreditation and were not planning to obtain it in the future. Amongst those who did not have a cyber-security accreditation, only 9 per cent were planning to obtain accreditation in the next 12 months.

Jude McCorry, chief executive of the Scottish Business Resilience Centre (SBRC), said: “Despite the fallout that companies have experienced globally over the last year, it remains concerning that so many companies have fallen victim to some level of cyber incident, or feel they lack the skills necessary to deal with an attack. Organisations must take stock of this alarming trend and take steps to strengthen their IT security before they are targeted.

“Alarmingly, despite all the high profile cyber incidents over the last year, organisations on the whole have their heads in the sand when it comes to cyber resilience and are ignoring the benefits that accreditations such as Cyber Essentials or workshops like Exercise in a Box can provide them. They must realise that it’s not so much a case of ‘if’ their systems will be attacked, but ‘when’, so business owners must go on the offensive and prepare themselves and start implementing best practice. Accreditations and training are simple ways for business owners to become more aware of their cyber processes and demonstrate to their customers and suppliers that they take their cyber resilience seriously.

“On a brighter note, there’s a lot of support available from external organisations in the event of an incident. Police Scotland, NCSC and SBRC are three that operate within the UK to ensure that organisations are armed with the right information, processes and tools to tackle cyber challenges. Over the last year, we have also seen new partnerships come to the fore including the CyberScotland Partnership. But these groups can only do so much; the onus is on each organisation to act. If not I suspect we’ll see these figures rise in future.”

The survey was commissioned by the Scottish Government, in partnership with Scottish Enterprise, Highlands and Islands Enterprise, South of Scotland Enterprise and Skills Development Scotland.

It was an in-depth report on how businesses use digital technology in their day-to-day operations – providing updates to those conducted in 2014 and 2017 – to benchmark their digital progress.

Overall it found that 97 per cent of Scottish businesses have an internet connection and 3 in 4 state that digital technologies had positively impacted productivity, innovation and/or low carbon working.

Almost all technologies saw an increase in use between 2017 and 2021 including mobile, cloud, remote working software, data analytics and internet of things. However skills levels remain a concern with just one in five businesses declaring themselves ‘fully equipped’ with the right tech skills, a statistic that has worryingly fallen from 26 per cent in 2017 and 37 per cent in 2014. And in terms of investment in skills the picture was also bleak: 29 per cent of businesses were taking action to develop their existing employees’ digital technology skills, down from 34 per cent in 2014. The most common reason they gave for not developing staff tech skills was that it was not applicable for business needs (65 per cent).

Forty per cent of businesses stated that digital technology, though, was essential to the operation of the business in responding to the Covid-19 pandemic and 38 per cent stated that it was important or very important in their response. There remains however a geographic imbalance, with larger ‘digitally mature’ businesses tending to be based in Glasgow, Lothians, Central Scotland or the North East.

In terms of productivity, 75 per cent of firms reported that digital technologies had positively impacted their productivity, innovation and/or low carbon working. The greatest impact experienced by businesses was that digital technologies helped make their processes more efficient (59 per cent). And a third reported that digital technology had impacted innovation by helping the business create new or significantly improved products or services.

Stuart Mackinnon, FSB’s deputy head of external affairs for Scotland, said: “The latest Scottish Government’s digital economy business survey is a weighty piece of research that will inform the debate about how to build the skills and capacities that will be vital to covid recovery. It shows more Scottish businesses are using technologies such as cloud computing and, perhaps unsurprisingly given the circumstances, remote working software. On the skills front, only one in five Scottish businesses say they’ve all the digital skills they need to meet their needs. But frustratingly only one in three businesses say they’re taking any action currently to develop those skills. 

“The findings on cyber security still show there’s much work to do. While FSB and others have been highlighting to businesses the importance of building their security, the fact is that too many firms still aren’t taking this issue as seriously as they should. While cyber-security accreditation might not be necessary for some operators, it is clear that many big businesses and public sector bodies will expect their suppliers to have gone through this process.

“We know that the public support for businesses in Scotland to improve their digital capabilities is in the process of being revamped. While many firms are grateful for the help, there’s a need to ensure that enterprise support in Scotland is designed to deliver real change amongst our business community. However, it is also up to business owners to ensure they’re acting in their own self-interest by keeping their firm and their staff up-to-date.”
