Scotland’s new online resilience partnership has identified six cyber threats that businesses may face in 2022.

The CyberScotland Partnership, chaired by Jude McCorry, chief executive of the Scottish Business Resilience Centre, believes the potential threats could damage organisations next year if they don’t take steps to protect themselves.

The group is now calling on companies to educate and equip themselves to mitigate the potential impact these areas pose to business operations.

Last month, the National Cyber Security Centre published its annual report noting a marked increase in cyber related incidents and attacks.

McCorry said: “Ignorance about potential cyber attacks is not an option anymore – action must be taken to ensure businesses do not become a statistic.” 

Ransomware attacks on the rise

Ransomware attacks have received a lot of media attention over 2020 and 2021, and according to CyberScotland, “show no signs of going away”. A Sophos report found that 35 per cent of British businesses were hit by ransomware attacks in the past year.

To avoid systems being infiltrated by cyber criminals and then being held to ransom for their data, the “most basic thing” that an organisation can do to mitigate this is to check that their systems – including firewalls and antivirus programmes – are up to date.

Regular backups are vital, as is having an offline backup available too; organisations are more likely to get their data back by relying on a recent copy than paying ransom. As a follow up to this, the partnership is urging businesses to consider becoming Cyber Essentials certified – giving the organisation and its stakeholders reassurance that systems defences are strong.  

How secure is your supply chain? 

Given the rise in cyber attacks and vulnerable nature of organisations due to the pandemic, the CyberScotland Partnership says it is vital that, in 2022, steps are taken to clarify an organisation’s position should an attack happen with a partner or supplier.

According to the organisation, the online nature of business means that “digital supply chains” are becoming larger and more complex and it is becoming increasingly difficult for other businesses in the chain to ensure they are protected when they don’t know what cyber processes and procedures other businesses might have.

There are several scenario-based training programmes on the market including the National Cyber Centre’s Exercise in a Box programme which has a supply chain scenario being run by the Scottish Business Resilience Centre. For those in the public sector, teams can call on the Cyber Security Procurement Support Tool for additional insight. 

Beware mobile malware

Cyber criminals have tapped into citizens’ reliance on living digital lives and “we can expect to see a rise in mobile malware attacks”. Savvy cyber hackers will look for more ways for individuals to download or access cleverly planted malicious software to gain access to private data.

To counter this, individuals need to be clear on permissions they grant to download applications onto company owned devices, and should also be mindful of the origin of similar applications being downloaded to personal devices. Completing regular software updates as prescribed by device vendors will also help to limit widespread issues.

Hybrid working

With next year marking the second anniversary of remote working, it may be possible that organisations have not reviewed their cyber policies and training programmes, meaning they have an out-of-date picture of the devices and tools their teams are using.

According to CyberScotland, organisations must conduct a device audit and take action to update or decide if more stringent changes need to be made. This audit should consider whether employees are using personal or company devices for work, explore awareness around clicking on suspicious links, and the importance of backing up work on these devices to a secure network.

Protect your social profiles

Social media profiles – which detail everything about a user from where they live to where they work – are increasingly becoming a “solid route” for cyber criminals to set up fake profiles to connect with individuals through platforms. This allows them to gain access to personal details to break into organisations.

The partnership says people must be mindful of who they are speaking to and ensure that no personal details or files are shared with unknown contacts.

Consider attacks to your IT providers

Attacks on cloud service providers and microservices that organisations use are on the rise. 2021 has seen several large-scale outages on major cloud providers, the most recent being Google Cloud in November 2021. Alongside being mindful of the wider supply chain, organisations need to be prepared should an IT service they rely on suffer a cyber attack or outage.

According to CyberScotland, having a backup service to increase an organisation’s resilience is wise, especially one that can be dialled up should the outage from the CSP or other IT vendor continue for any length of time. This will limit any broader impact to the business which may also result in governance issues. It is highly recommended that organisations look for an IT provider that is Cyber Essentials certified.

The IT Managed Services directory features over 170 Scottish companies that provide IT managed services, and will easily identify those that are both cyber resilient themselves through the Cyber Essentials programme, while also showing providers who offer vital security services.

More information on resources to protect your organisation from a cyber incident is available online here.