Jude McCorry, chief executive of the Scottish Business Resilience Centre, told virtual attendees that awareness of the threats from cyber criminals had increased significantly since the high-profile ransomware attack on the Scottish Environmental Protection Agency (Sepa). The attack in December was described as an attempt by serious, organised crime to extort public funds.
“When an attack happens, it’s not all about cyber heroics,” said McCorry. “It’s about how you bring systems back online to do what you need to be doing. That’s what we’ll be critiqued on.
“What if we had seen three attacks similar to Sepa? What if it had been an attack on critical infrastructure – on the NHS – and lives had been at stake? We do not want a cyber-resilience model built on pain.”
Ivan McKee, Scottish Government Minister for Innovation, Trade and Public Finance, told the conference that the new Strategic Framework for a Cyber Resilient Scotland, launched this week, offered a clear focus on what had to be done.
He added: “Threats and opportunities are clearly articulated and the partnership is there for organisations to take that work forward.”
McKee announced the new CyberScotland Partnership of ten organisations this week, as well as a one-stop web portal, which aims to offer the widest range of information and resources possible on cyber issues – from general cyber resilience, through reacting to an attack, to building a career.
Cyber risk has to be seen as a business risk for all organisations across the public, private and third sectors, insisted McKee, who argued there had been “good progress in raising cyber resilience in the public sector”. More than three-quarters of public bodies in Scotland had cyber security on their risk register, but there was “still a long way to go”, he said.
Jude McCorry added that the 76 per cent figure was certainly much higher since the Sepa attack.
David Ferbrache, chair of the National Cyber Resilience Advisory Board, said that Scotland had excelled in some areas of cyber over the last five years – including learning and skills, where new qualifications and a vibrant academic sector had “created a buzz around cyber security as a career”.
Dr Natalie Coull, head of cyber security at Abertay University, said that an effective talent pipeline was needed to ensure enough people were available to create the next generation of cyber security tools and solutions.
“Scotland is punching above our weight in terms of options and pathways for people wanting to get into cyber security,” she added.
The cyberQuarter being developed in Dundee as part of the Tay Cities Growth Deal was an opportunity for students, academics and organisations to collaborate to tackle real-life cyber challenges, Coull enthused. The £18 million cyberQuarter will include physical space for experimentation and collaboration, a secure cloud computing infrastructure, and a pump-priming fund to develop new cyber products, services and education programmes.
Ferbrache said that it is vital to “demystify” cyber and to view security and resilience as an essential part of our digital economy – however, he highlighted the need to be able to respond to attacks more swiftly. He told delegates: “The pandemic has seen cyber criminals up their game but the response has been quite impressive.”
He also said that Scotland is “an immensely close cyber community”, which was doing well, but nevertheless had challenges ahead. Ferbrache believes the biggest challenge is to build capacity to be better prepared in the event of large-scale incidents.
Ciara Mitchell, head of cyber at tech trade body ScotlandIS, agreed that the sector was progressing and collaborating well, but she still sees a fundamental challenge. “We still have an identity problem,” she said. “The cyber sector in Scotland is not seen as having hi-tech innovative companies, but we do – and we must strengthen that identity and show our cutting-edge technology.”
Jude McCorry agreed it was about getting the innovation out there: “There is a huge gap between awareness of cyber security in Scotland and the wider UK. If we can get the innovation right, in five years’ time we will have those companies who can help us to get ten steps ahead, and stop cyber crime.”