It has not been a great couple of years for the organisations and citizens of Scotland regarding cyber security, with new figures revealing that the number of cyber-attacks has soared to a record high.
In response to a written parliamentary question, the Scottish Government has disclosed that there was a total of 403 attacks reported in 2020-21, compared to 57 the previous year – a 700% increase in 12 months. And it looks as though the 2021/22 figures will dwarf these, with estimates suggesting that there have been 14,280 cyber-crimes, including cyber-attacks, recorded by the police in Scotland, compared with 7,710 in 2019/20.
These figures follow the much publicised and devastating attacks on the Scottish Environment Protection Agency (SEPA) and the charity Scottish Association of Mental Health (SAMH).
Indeed, SEPA is still reeling from the impact of its cyber-attack some 18 months later, with the organisation stating that the cost to taxpayers of the attack has risen to at least £5.5 million.
The ransomware attack, which happened on Christmas Eve 2020, resulted in most of the organisation’s data being encrypted, stolen, or deleted overnight. The Auditor General for Scotland, in investigating the circumstances of the attack, found that overall SEPA’s cyber defences were good, but there are indications that the ransomware was introduced by a phishing email. Although this is still speculation, it is probable. In 2019, fraudulent emails or being directed to fraudulent websites were by far the most common method used by criminals, with 80 percent of security breaches coming in that form.
The timing of the attack, out of hours over the Christmas period, escalated the damage the ransomware caused. The report also disclosed that despite SEPA following best practice for backing up its data, the “sophisticated nature of the attack meant that online back-ups were targeted and corrupted at an early stage, meaning there was no way of accessing historical records quickly”.
SEPA did not pay the ransom, but the damage, both reputational and financial, has been high.
Likewise, the attack on SAMH left people wondering what long-term damage would be sustained by the charity and in no doubt that cyber criminals, in this case RansomEXX, have no scruples when it comes to targeting organisations for financial gain.
In a public statement released at the time of the attack’s discovery, Billy Watson, chief executive at SAMH, said: “We are devastated by this attack. It is difficult to understand why anyone would deliberately try to disrupt the work of an organisation that is relied on by people at their most vulnerable.”
The attack left over 12GB of SAMH’s data on the dark web, including personal information such as names, addresses, email addresses and passport information. Emails and phone lines were also affected by the attack, leaving SAMH struggling to manage its vital support services across Scotland.
Again, the lesson here is that anyone connected to the net is fair game for cyber criminals, regardless of size. Whether you are simply surfing at home or running a multibillion-pound organisation, and with the average cost of each incident estimated at £1,200 in 2022, you must ensure you remain vigilant and protected.
Scotland is by no means alone, as these incidents are occurring in every territory daily, but it is reacting. Initiatives such as those led by the Scottish Business Resilience Centre (SBRC), which holds online and in-person workshops for public services and third sector bodies to demonstrate how to be better prepared, are being rolled out and extended. To date 450 organisations have already undergone the training, with a further 250 due to participate.
But of course, just like the real Scottish landscape, which changes daily, so does the cyber security one. Criminals will take any opportunity to make money. The latest examples are text scams that try to trick people into handing over their personal and financial information by applying for the UK’s £400 energy rebate, which is being applied automatically to every account, so no application is necessary.
Scotland’s experience over the past two years has demonstrated that whilst we are more aware of cyber security issues and are taking precautions to address them, we are still miles away from combating them. Compared with a mountain climb, we’re still in the foothills.
If you have any security concerns or wish to discuss cyber protection in detail, please do not hesitate to contact us.