Government needs to get serious about cybersecurity. As a nation we invest heavily in supporting data-driven innovation and building the technologies of the future. But we spend far too little on securing that data, which is so vital to the success of start-ups and established industries alike. The recent cyber-attack on SEPA is painful evidence of the yawning gap between our efforts to digitally transform, whilst protecting critical government services. As we go to print, another cyber-attack has downed systems at the University of the Highlands and Islands. We investigated this ‘incident’ as we did with SEPA, with the help of a global darknet threat intelligence firm in Israel and found that there were thousands of leaked credentials and compromised accounts belonging to the university on underground web forums. The university has perhaps understandably not responded to our inquiries – as it is in the middle of a police investigation – but the question is surely how many more of our public sector agencies, healthcare providers, companies, schools, universities and colleges alike are exposed on darknet sites. If we don’t the answer to these questions, we aren’t even at the beginning of trying to solve what is a massive – and growing – problem.