Cybersecurity lessons are not being shared, or are not being implemented fast enough, across the public sector, according to a new Scottish Government report.
New analysis shows that the same gaps in online defences identified following a ransomware attack in 2020 on the Scottish Environment Protection Agency (SEPA) and on Western Isles Council in 2023 remain today.
Business continuity plans across the sector are also not aligned to modern cyber realities and scenarios, particularly the possibility of long‑duration digital outages, according to the first ever Scottish Cyber Activity Report (SCAR).
The report, produced by the Scottish Cyber Coordination Centre (SC3), combines findings from the Cyber Resilience Assessment – a comprehensive evidence base on Scotland’s public sector cyber posture – with the SC3’s own incident data, threat intelligence and findings from its exercising activity.
It aims to help Scotland’s public bodies understand the wider cyber risk environment, benchmark their own resilience, learn from cross‑sector incidents and exercises, and prioritise investment and improvement activities.
The report also outlines how leadership and governance are the ‘primary drivers of resilience outcomes’, and organisations that recover well are those with ‘ownership of cyber risk at board level’.
Other themes identified in the report include the growing importance of communications planning during incidents; uneven access to specialist incident response support; rising data theft and extortion tactics; supply chain risk; and specific concerns around education networks in local authorities.
Alan Gray, head of the SC3 and deputy director of the Scottish Government’s National Cyber Security and Resilience Division, said: “Our public sector delivers the services on which millions of people depend daily and holds vast quantities of sensitive data. It also operates in a threat environment that’s growing more sophisticated by the month – cyber risk is a truly systemic issue, cutting across all public sector organisations.
“Rather than isolated action, we need collaboration, shared intelligence, and coordinated response. The lessons in this report are clear: business continuity plans must be reviewed and routinely tested against real cyber scenarios; communications resilience must be treated as a core capability, not an afterthought.”
He added: “When the same lessons recur across incidents separated by years, we are not failing to learn; we are failing to implement. The cyber threat to Scotland’s public sector is real, it is growing, and it demands our collective attention.”
The SCAR also gives cause for confidence: it reports that 97% of Scottish public sector organisations now receive actionable threat intelligence; the vast majority have incident response plans in place and are investing in cyber resilience training; and the quality of preparedness across the sector is measurably improving.
Gray added: “These are not small achievements. They reflect years of sustained effort by dedicated professionals across every part of the public sector.”
Since 2018, SC3 and the Scottish Government have coordinated the response to 183 cyber incidents across the public sector. That included 43 incidents in 2025 alone, almost a quarter (23.5%) of the total over the seven-year period. Ransomware was identified as the most common cause of public sector cyber incidents by a significant margin, which reflects broader UK incident reporting.
The SCAR provides a baseline for measuring progress against the refreshed Strategic Framework for a Cyber Resilient Scotland 2025-2030, presenting cyber resilience as a collective challenge requiring coordinated investment, governance, and shared learning, rather than something any single organisation can solve alone.
The report’s publication follows the eighth annual CyberScotland Week, which took place in February and saw businesses, communities and individuals hold events to raise awareness of the importance of cyber resilience in every aspect of life in Scotland. It comes ahead of the national CYBERUK conference, which will take place in Glasgow between 21 and 23 April.
