Scotland’s environment protection agency is building back better after it was hit by a devastating ransomware incident last year. The agency hosted a webinar as it aims to help others learn the lessons of global cybercrime.

Scotland’s environmental protection agency received a special commendation at the annual Scottish Cyber Awards last month for its ‘honesty and transparency’ following a series of public engagement events in the aftermath of a devastating cyberattack.

The Scottish Environment Protection Agency (SEPA), which was hit by a ransomware incident on Christmas Eve, led a public webinar, Cybercrime: Ready, Resilient & Responsive, which sought to communicate the ‘lessons learned’ to private, public and third sector organisations across Scotland.

The two-hour event, attended by more than 600 people, coincided with the release into the public domain of an audit commissioned by chief executive Terry A’Hearn to comprehend the full extent of the attack, his organisation’s response to it, and the opportunity to ‘build back better’ in terms of its IT and digital systems.

A’Hearn said the review will not only be valuable for SEPA but, he hopes, for the people and organisations across Scotland, and beyond, faced with rising cybercrime threats.

“This is a global scourge and has had huge impacts on people and organisations all around the world, so anything we can do to help others protect themselves from this, both individually and collectively, I think we need to do that,” he said.

“Yes, we know that’s difficult for us, and it brings challenges – because people will ask questions – but you don’t make the world a better place by doing the wrong thing, by burying your head in the sand.”

The overarching ‘lessons learned’ audit was conducted by international business advisory service Azets, with contributions from Police Scotland and the Scottish Business Resilience Centre (SBRC).

The report describes the attack on SEPA, with some of that description redacted to protect the criminal investigation, the identity of key staff, the integrity of its systems, and the administration and delivery of its work. It also offers learnings for the public sector, as well as 44 recommendations for SEPA, which the organisation has accepted in full.

The webinar on Wednesday, October 27, gave a unique perspective on SEPA’s experience of a cyberattack, detailing the effect on its 1,200 staff, and their resilience, as they managed to find alternative means of maintaining vital services, such as flood warnings, when their digital systems had been rendered inaccessible.

Attendees heard how the attack was likely conducted by ‘serious and organised criminals’ from outside the UK and displayed ‘significant stealth and malicious sophistication with a secondary and deliberate attempt to compromise systems’.

The audience heard from cyber experts, including Police Scotland, the Scottish Government, and the National Cyber Resilience Advisory Board.

They were told how ransomware groups are criminal businesses driven by a return-on-investment requirement. Recent cyberattacks have included double extortion and targeting back-ups. Unlike traditional, physical events such as a fire, a cyberattack is coordinated and designed to impact all environments and data belonging to an organisation.


The police investigation into the ransomware incident remains ongoing. SEPA has been open and transparent about the lessons it needs to learn and about its decision not to pay hackers to regain access to its network. The organisation suffered as a result, with a cache of data published by the criminals on the dark web, but it was credited with taking a firm stance.

Detective Inspector Michael McCullagh, of Police Scotland’s cybercrime investigations unit, told the online conference: “Cybercriminals are sophisticated; they’ll hide in your network and escalate privileges. They’ll also use social engineering to hide who they are, to stay below the radar.”

McCullagh – who said he could only speak about cybercrime tactics generically, as the SEPA incident is still a live investigation – warned that organisations needed to ensure they had two-factor authentication IT processes in place to protect against the human factor.

It was a point emphasised by David Ferbrache, chairman of the Scottish Government’s National Cyber Resilience Advisory Board, who said email phishing campaigns are becoming ever more sophisticated.

He urged businesses to get immediate outside help from professional cybersecurity firms, if they do not have the internal expertise to develop resilience, adding: “There’s a lot of good information out there, there’s no shortage of advice.”

Jude McCorry, CEO of the Scottish Business Resilience Centre, praised the support of the Scottish Government, which has helped with the establishment of the recently founded Cyber Scotland Partnership – a ‘one-stop shop’ portal for help and information about cyber preparedness, resilience, and response.

She said accreditations such as Cyber Essentials are helping to drive enhanced awareness and skills of organisations to deal with online harms. The government-backed Digital Boost scheme has also played a vital role in supporting businesses’ cyber readiness levels.

But she called for a greater focus on providing more wraparound ‘holistic and pastoral’ support. She emphasised the need for a support organisation that has a ‘physical presence’ covering education, cyber exercising, technology, and policy, as well as intelligence, incident management and recovery.

“What we need is a long-term funded support option for Scotland, for businesses and for the public sector,” she said.

“The reason I say ‘long-term’ is we need to attract, hire and keep that expertise in Scotland, and give them job security. We can’t fund cyber on an ad hoc basis for this nation.

“So, I’m really delighted, and I welcome, Mr [John] Swinney’s [the Deputy First Minister of Scotland’s] commitment to looking at proposals, as a matter of urgency, for the establishment of a recognised, authoritative and collaborative function to combat cybercrime.”

Advice and tools are available from Police Scotland, the Scottish Business Resilience Centre, and the National Cyber Security Centre:

• Protecting yourself against cybercrime – Police Scotland
• Cybercrime Harm Prevention Guidance from Police Scotland
• Register for the ‘Exercise in a Box,’ a free, 90-minute non-technical workshop, from the Scottish Business Resilience Centre
• Scottish Business Resilience Centre helpline for Scottish organisations in the event of a cyber-attack
• Cyber security advice for businesses, charities, and critical national infrastructure with more than 250 employees
• Cyber security advice for businesses, charities, clubs, and schools with up to 250 employees