It’s been a challenging year in the cyber world. If you’ve tried to buy groceries and found empty shelves, waited for a GP appointment that never came, or watched your council services grind to a halt, you may have felt the sting of a cyber attack – even if you didn’t know it at the time.
Over the past 12 months, retail giants like M&S, the Co-op, Jaguar Land Rover and more have all been hit. Local authorities, including West Lothian Council, have faced serious disruption. These incidents have caused real-world consequences for real people, resulting in suspended services, exposed personal data and disrupted supply chains.
The common thread across many of them is depressingly familiar: a lack of technical controls such as multi-factor authentication, procedural weaknesses, and vulnerabilities in the supply chain. These events aren’t just abstract technical glitches, of course; they’re moments when digital systems that people rely on every day suddenly stop working.
When a council’s IT goes down, it’s not just a few emails that get delayed. It’s housing applications, social care referrals, school support, payroll, and more. When a retailer is hit, it’s not just a website outage. It’s logistics, wages, and customer trust – hitting consumers particularly hard in isolated and rural communities which lack a range of alternatives.
The impact of these incidents feels personal, and unfortunately the trend of disruptive cyber attacks is growing. The National Cyber Security Centre’s Annual Review 2025, published in October, confirms the scale of the challenge. Nearly half of all incidents handled by the NCSC over the past year were of “national significance”, and the number of highly significant attacks – those that seriously impact central government, essential services, or large parts of the population – has increased by 50%.
That is the third consecutive year of growth. The review also highlights how attackers are evolving. Ransomware, of course, remains one of the most disruptive threats, and attackers are increasingly targeting organisations they believe are likely to pay. However, artificial intelligence is now being actively used to automate phishing campaigns, generate convincing fake content, and identify vulnerabilities at scale. The cyber crime ecosystem is resilient, and is adapting quickly to these emerging technologies.
This is the backdrop against which Scotland is launching its newly refreshed Strategic Framework for a Cyber Resilient Scotland (2025-2030). The framework sets out a clear ambition: by 2030, Scotland will be a digitally secure and resilient nation. It recognises that cyber resilience is not just a technical issue.
It’s a matter of public safety, economic stability and social equity. The framework is grounded in the reality that cyber threats affect everyone. It’s not just about protecting government systems or large corporations. It’s about making sure that families can shop online safely, that children can learn in secure digital environments, and that councils can deliver services without interruption. It’s about ensuring that businesses – from sole traders to multinationals – can operate and grow with confidence in a digital economy.
One of the strengths of the framework is its focus on collaboration. It brings together public sector organisations, private companies, third sector groups, and communities. It recognises that no single organisation can tackle cyber threats alone. Resilience comes from working together, sharing information and building capacity across the board. Central to these efforts is the Scottish Cyber Coordination Centre (SC3).
Formed in 2023, SC3 is our national hub for incident response, threat intelligence, and early warning. It plays a critical role in coordinating responses when incidents occur, ensuring that the right people are involved and that the right action is taken quickly.
As SC3 continues to evolve to help protect the public sector, so do its capabilities. The Cyber Observatory is a new capability that will help track the cyber maturity and cyber risks facing the public sector, and identify vulnerabilities before they become problems. This proactive approach is essential. Waiting for an attack to happen is no longer an option.
Businesses have a vital role to play in this national picture as well. From small local enterprises to large corporations, cyber resilience is essential for protecting operations, customers and reputations. The framework encourages businesses to treat cyber risk as a strategic priority.
It promotes collaboration across sectors and highlights the importance of securing supply chains, training staff, and reporting incidents. Scotland has the skills on hand to help businesses achieve this – our cyber security industry is growing rapidly.
More than 400 companies now operate in the sector, nearly triple the number from 2018. This growth brings economic opportunities, but it also strengthens our national resilience. And by investing in skills, innovation and research, we can build a workforce that’s equipped to meet the challenges of a digital future.
The framework supports this through partnerships with schools, colleges and universities. Initiatives like CyberFirst are helping to build a pipeline of talent, ensuring that Scotland has the skills it needs to protect its infrastructure and support its digital ambitions.
This kind of behind-the-scenes work is essential. It strengthens the foundations of our digital infrastructure and ensures that when something goes wrong, the response is swift and co-ordinated. But resilience isn’t just about what happens after an attack. It’s also about preparation, awareness, and vigilance.
Digital technology is advancing rapidly. We’re connecting more devices, using more apps and relying almost exclusively on online services for everything from banking to healthcare. This brings enormous benefits, but it also increases our exposure to risk. The attack surface available to bad actors is expanding, and the threats are becoming more sophisticated.
The framework doesn’t shy away from this. It acknowledges the pace of technological change and the need to keep up with emerging threats. It highlights the importance of agile leadership, adaptive programme management, and data-driven decision-making. It also emphasises the need to anticipate change, not just react to it.
But perhaps most importantly, the framework puts people at the centre. It recognises that cyber resilience starts with awareness. Not everyone has equal access to digital tools, or the same level of confidence using them. Older adults, disabled people, rural communities, and those whose first language isn’t English may face additional barriers.
Cyber resilience must be accessible to all, and the framework commits to making sure, via the CyberScotland Partnership, that support and guidance are available in formats that meet diverse needs.
The strategic framework is a strong foundation and enabler for these national initiatives. But it will only be successful if we all get involved. Whether you’re a parent, a teacher, a business owner, or a public servant – cyber resilience starts with awareness and action.
The threats may be complex, but the solutions often aren’t. By taking simple steps and staying informed, we can all make Scotland a harder target for cyber criminals and a safer place for everyone. So next time you’re online – whether you’re shopping, working, or just scrolling – take a moment to think about your digital safety.
Check your settings. Check your security. Talk to your family about incidents or attacks you’ve heard of. These small actions add up. Cyber threats are touching our personal lives more than ever before. Our response needs to be collective. Let’s get resilient.