Scotland’s technology ecosystem contributed £4.9bn gross value added (GVA) to the country’s economy in 2019, accounting for 3.5 per cent of total GVA, according to Scottish government data.
And it is Edinburgh that is the most active tech community in the UK outside London, with Glasgow not far behind in fourth place, according to the Scottish Government’s digital strategy, A Changing Nation: How Scotland will Thrive in a Digital World.
It’s fair to say technology in Scotland underpins all walks of life in both the private and public sector, consequently cybersecurity is a huge focus for local and national government.
In February 2021, the Scottish government published the Cyber Resilient Scotland: Strategic Framework, outlining the threat cybercrime poses to the fabric of Scottish society.
“We live in a rapidly evolving, and hyper-connected, digitalised society that presents us with opportunities to flourish. This constantly evolving digital landscape in which our organisations and businesses find themselves in also presents new opportunities for criminal exploitation. A cyber resilient organisation is a competitively strong and trusted organisation,” said Kate Forbes, the finance and the economy secretary.
The good news, according to the strategic framework, is that public sector organisations are doing a great job in terms of protecting themselves, with 88 per cent of eligible Scottish public sector organisations having achieved Cyber Essentials accreditation at the time of publication.
However, the report also states, “public bodies and public services remain at significant risk from cyber threat and it is imperative that the public sector should continue to remain a key priority focus”.
A constantly evolving threat
It would be naive to assume that even if an organisation has achieved Cyber Essentials accreditation it is fully protected against cyber criminals. Cybercrime is a constantly evolving threat.
According to the Sophos State of Ransomware 2022 report, 59 per cent of central and local governments were targeted by ransomware in 2021. The report also states that overall (in public and private sector industries) there was a 78 per cent increase in ransomware attacks over the course of the year, demonstrating that adversaries have become considerably more capable at executing the most significant attacks at scale.
Michael Matheson, the Scottish transport, infrastructure and connectivity secretary, outlined the importance of improved cybersecurity: “New technologies for delivering public services have brought incredible gains in terms of efficiency and effectiveness. However, they also bring new vulnerabilities. For the public to trust government with their data, we need to make sure that our digital services are secure and resilient by default.”
The requirement for more stringent cybersecurity in the public sector in Scotland came under the spotlight in December 2020 when the Scottish Environmental Protection Agency (Sepa) was targeted by a massive attack.
An investigation by Police Scotland concluded it was likely that the attacks were carried out by an international organised crime group. The fact that the attack took place at one minute past midnight on Christmas Eve was no accident.
Those responsible will have reasoned that Sepa, like most public bodies and most private organisations in the western world, would be short-staffed over the holiday season. Unfortunately, they were right and that meant by the time the attack was detected and response arranged, it was already too late.
According to Audit Scotland in February 2022 the full financial impact of a cyber attack on Sepa remained unclear nearly 12 months after the attack, as Sepa was still in the process of rebuilding its digital infrastructure.
It is a testament to the hard work and resilience of the Sepa workforce that the agency was able to keep delivering key services, such as flood warnings, despite not paying the ransom.
Mind the skills gap
Organisations today are required to be a lot more proactive when it comes to cybersecurity, and the importance of round-the-clock protection from a staffing point of view is clear. But the challenge extends beyond the obvious crunch times like weekends and national holidays.
The shortage of skilled staff is a major concern, particularly in the public sector where talent tends to migrate towards more lucrative rewards available in private industry.
The challenge is particularly pressing in Scotland where according to the Scottish Trade Unions Congress wages in the public sector are lower than they are in the rest of the UK.
According to a May 2022 survey by CIPD (the professional body for HR and people development), 41 per cent of businesses in Scotland reported they were finding it hard to fill vacancies, particularly in professional occupations. Furthermore, cybersecurity is a deeply technical discipline which makes the challenge even harder.
A UK government report Cyber Security Skills in the UK Labour Market 2022, reveals about 51 per cent of businesses have a basic skills gap and a third of businesses have more advanced skills gaps, “most commonly in areas such as penetration testing, forensic analysis and security architecture”, while “almost four in 10 businesses have an internal skills gap when it comes to incident response and recovery, and do not have this aspect of cybersecurity resourced externally”.
This last point is particularly worrying as it highlights the crucial difference between having the ability to detect nefarious cyber activity versus the capacity to deal with it.
As a result, developing effective cyber–incident response is rightly one the key outcomes identified within the Scottish Government’s strategic framework.
One initiative that will play a part in training a new generation of cybersecurity experts is the
Abertay cyberQuarter which is a new £18m cybersecurity research and development centre housed within Abertay University.
This initiative brings together students, academics, and organisations such as Sophos, which is a founding member, to help solve global cybersecurity challenges.
“We are delighted to be supporting such an exciting project as the Abertay cyberQuarter,” said James Cuthbertson, sales manager for Scotland at Sophos.
“We want to help students and graduates advance their careers by offering industry experience with a leading UK-based cybersecurity company. In the long-term, this kind of collaboration will be of great benefit to the Scottish cyber community.”
Security as a service
It will take time for initiatives like cyberQuarter to have a meaningful impact across Scotland. In the meantime, organisations short on people with necessary cyber skills are being served by an increasing number of firms offering “cybersecurity as a service”.
For instance, Sophos is working with AG Barr, the maker of Irn Bru. In recent years, the manufacturing industry became a prevalent target for security attacks due to legacy systems and unpatched applications.
The main challenge for AG Barr was access to the skilled resource required to search out proactively security threats across a technology estate of laptops, desktops, servers, mobiles and tablets on a 24/7 basis.
AG Barr became an early adopter of Sophos MDR (managed detection and response) and has been able to undertake preventative work to increase security and avoid breaches rather than fire-fighting security threats as and when they occur.
“Having experts we can trust at the end of the phone, without delay, to help us navigate the constant security threats we face, not only delivers peace of mind but extraordinary value for money. It also saves us the expense of recruiting up to five new employees to take on this work,” notes Paul Ginestri, information security specialist, AG Barr.
Some firms in this emerging cybersecurity space are well-known and trusted names such as Sophos, which currently has more than 10,000 organisations using its managed services, others are new entrants.
There is a huge variance in the cost, level of service and protection available from third party providers which can make choosing a service a daunting task.
“When it comes to managed security services, organisations need to do their due diligence,” says Cuthbertson.
“Some providers appear to offer broad coverage, but more often than not, full incident response is missing. They will identify an issue, but then hand over how it’s handled to the customer. You need to be aware of false economies.”
Partner content in association with Sophos
To find out more about Sophos and cybersecurity as a service please visit sophos.com