Recent cyber attacks at SEPA and the University of the Highlands and Islands have highlighted the threat that cybercrime poses to the public sector in Scotland.
The Christmas Eve attack on SEPA led to data being stolen and has significantly impacted the organisation’s operations, with the criminal gang responsible, Conti, having now launched a serious attack on Ireland’s healthcare system.
These incidents highlight that cybercrime is a risk that the public sector in Scotland needs to take seriously.
Fraud risks have increased with the pandemic, as our Emerging fraud risks paper outlined. And the latest UK Government statistics show that 39% of UK businesses identified cyber security breaches or attacks in the last 12 months, with 27% reporting weekly attacks.
Phishing, where attackers send emails with links to fake websites designed to steal your information and commit fraud, remains the most common form of attack.
Recently, however, there has been a worrying rise in sophisticated ransomware attacks, with SEPA and the University of the Highlands and Islands both falling victim.
A strategic risk that needs the attention of boards
What is clear is that cybercrime demands the attention of everyone in an organisation, including governance boards. It should not be reserved for IT teams alone; it needs to be treated as a strategic risk, with tested plans and a positive cyber security culture across the organisation.
If you sit on a governance board or work in an organisation, ask yourself: can I answer these questions?
Thankfully, there are resources and help available to ensure you are as prepared as you can be.
Key resources to improve your cyber resilience
The Scottish Government’s Scottish Public Sector Cyber Resilience Framework sets out the standards that public bodies in Scotland should be looking to achieve.
Help in achieving this can be accessed via the CyberScotland Partnership website, a one-stop shop for cyber advice and guidance. It signposts to key resources which offer a great starting point for governance boards.
In particular, the National Cyber Security Centre’s Board Toolkit is designed to help board members and senior management better understand cyber security and have those conversations with their technical experts. Using the toolkit needs a bit of investment in time but will help boards build an effective cyber security strategy.
For Boards and executives looking to increase their knowledge and understanding, and help make good use of the board toolkit, the Scottish Business Resilience Centre (SBRC) is currently running Executive Education Training: Cyber Security.
What you can do to improve now
Recent incidents have highlighted some key areas of improvement that Boards should discuss with their technical experts in the immediate term, including: