Publication: Cyber crime: A serious risk to Scotland's public sector

May 25, 2021 by Audit Scotland


Blog: By Dr Bernadette Milligan, Audit Manager

Recent cyber attacks at SEPA and the University of the Highlands and Islands have highlighted the threat that cybercrime poses to the public sector in Scotland.

The Christmas Eve 2020 attack on SEPA led to data being stolen and has significantly disrupted the organisation's operations. The criminal group responsible, Conti, has since launched a serious attack on Ireland's healthcare system.



These incidents highlight that cybercrime is a risk that the public sector in Scotland needs to take seriously.

Fraud risks have increased with the pandemic, as our Emerging fraud risks paper outlined. The latest UK Government statistics show that 39% of UK businesses identified cyber security breaches or attacks in the last 12 months, and 27% of those experienced them at least once a week.

Phishing, where attackers send emails (or other messages) carrying links to fake websites or malicious attachments in order to steal credentials and information or commit fraud, remains the most common form of attack.

Recently, however, there has been a worrying rise in sophisticated ransomware attacks, with SEPA and the University of the Highlands and Islands both falling victim.

A strategic risk that needs the attention of boards

What is clear is that cybercrime demands the attention of everyone in an organisation, including governance boards. It should not be left solely to IT teams but needs to be treated as a strategic risk, with tested plans and a positive cyber security culture across the organisation.

If you sit on a governance board or work in an organisation, ask yourself whether you can answer these questions:

  • How do we defend our organisation against phishing attacks?
  • Do we have a cyber incident response action plan and when was this last fully tested?
  • How do we control the use of privileged IT accounts, and how do we ensure that software and devices are patched and that access rights are kept up to date (for example, removed when staff leave or change role)?
  • What authentication methods (for example, multi-factor authentication) are used to control access to our systems?
  • How do we make sure our partners and suppliers protect data we share with them?
  • How are we backing up our data and systems, and when did we last test restoring from those backups?
  • Have our staff undertaken cyber awareness training recently?

Thankfully, there are resources and help available to ensure you are as prepared as you can be.

Key resources to improve your cyber resilience

The Scottish Government’s Scottish Public Sector Cyber Resilience Framework sets out the standards that public bodies in Scotland should be looking to achieve.

Help in achieving this can be accessed via the CyberScotland Partnership website, a one-stop shop for cyber advice and guidance. It signposts to key resources which offer a good starting point for governance boards.

In particular the National Cyber Security Centre’s Board Toolkit is designed to help board members and senior management to better understand cyber security and have those conversations with their technical experts. Using the toolkit needs a bit of investment in time but will help boards build an effective cyber security strategy.

For Boards and executives looking to increase their knowledge and understanding, and help make good use of the board toolkit, the Scottish Business Resilience Centre (SBRC) is currently running Executive Education Training: Cyber Security.

What you can do to improve now

Recent incidents have highlighted some key areas of improvement that Boards should discuss with their technical experts in the immediate term, including:

  • The importance of back-ups – they need to be offline and/or immutable, so that an attacker who has gained control of the network cannot encrypt or delete them along with the live systems, and they need to be tested regularly by restoring from them, to ensure a quick recovery of critical systems in the event of an attack
  • NCSC Active Cyber Defence Measures – this collection of free resources can be put in place to monitor, test and improve the cyber security and resilience of systems and help with remediation
  • Cyber incident response arrangements and exercising – plan and playbook templates can be found on the Scottish Government website and NCSC’s Exercise in a Box is also an essential online tool which helps organisations find out how resilient they are to cyber-attacks and practise their response in a safe environment.
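The back-up point above is the one a technical team can check mechanically, so here is an added illustration of what "tested" means in practice. This script is not part of the Audit Scotland blog or of any NCSC guidance; it constructs a small set of sample files, takes two copies (an "online" copy on a path the attacker can reach and an "offline" copy they cannot), records a SHA-256 manifest, simulates a ransomware run that encrypts everything writable, and then shows that only the unreachable copy still verifies and restores cleanly. The directory names, the XOR stand-in for encryption and the sample data are all assumptions made for the demonstration.

```python
"""Backup restore test: hash manifest, simulated ransomware, verified restore.

Added illustration, not code from the page or from any vendor. All paths and
sample data are constructed inside a temporary directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.sha256.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every regular file under root (manifest excluded)."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def take_backup(live: Path, backup: Path) -> dict:
    """Copy the live tree into backup and write a hash manifest alongside it."""
    if backup.exists():
        shutil.rmtree(backup)
    shutil.copytree(live, backup)
    manifest = hash_tree(backup)
    (backup / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(root: Path, manifest: dict) -> list:
    """Return the paths whose content no longer matches the manifest; a missing file counts as a failure."""
    current = hash_tree(root)
    return sorted(rel for rel, digest in manifest.items() if current.get(rel) != digest)


def simulate_ransomware(root: Path, key: int = 0x5A) -> int:
    """Constructed attacker stand-in: XOR every file reachable under root in place. Returns the file count."""
    count = 0
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
            count += 1
    return count


def restore(backup: Path, live: Path) -> list:
    """Wipe live, restore it from backup, and return any files that fail to verify afterwards."""
    manifest = json.loads((backup / MANIFEST).read_text())
    if live.exists():
        shutil.rmtree(live)
    shutil.copytree(backup, live)
    (live / MANIFEST).unlink()
    return verify_tree(live, manifest)


def run_restore_test() -> dict:
    """End-to-end exercise: back up, verify, get hit, confirm only the offline copy survives and restores."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        (live / "finance").mkdir(parents=True)
        # Constructed sample data standing in for the organisation's records.
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (live / "readme.txt").write_text("constructed sample file\n")

        online = base / "online_backup"    # mapped share the attacker can reach
        offline = base / "offline_backup"  # detached or immutable copy the attacker cannot
        manifest = take_backup(live, online)
        take_backup(live, offline)
        online_ok_before = verify_tree(online, manifest) == []

        # The attacker encrypts everything writable: the live data AND the online backup.
        simulate_ransomware(live)
        simulate_ransomware(online)

        return {
            "online_ok_before": online_ok_before,
            "live_damaged": verify_tree(live, manifest),
            "online_damaged": verify_tree(online, manifest),
            "offline_intact": verify_tree(offline, manifest) == [],
            "restored_mismatches": restore(offline, live),
        }


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

Two things the demonstration makes visible that the bullet only states: a backup that the attacker can write to (the "online" copy) is lost in the same incident as the live data, and a backup is only known to be good once a restore has been performed and checked against a manifest. Note that the manifest itself must be kept somewhere the attacker cannot alter it (the script holds an in-memory copy; in practice, store it with the offline copy or sign it), otherwise an attacker who can rewrite both the data and its hashes will pass the check.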

Further information

NCSC glossary

NCSC blogs