Cyber attacks a threat to Scottish businesses

The NHS came under attack again last month when malware was detected on its systems.

Headlines warning of phishing scams, hackers, viruses and trojans are breaking all too frequently and, contrary to what many people might think, it’s not just the big players that are targets.

“It doesn’t matter who you are or what you do, if you hold any sort of data you will be the target of a hacker at some point,” says Gerry Grant, chief ethical hacker at the Scottish Business Resilience Centre (SBRC).

“I think a lot of people are still under the impression that criminals are only looking for a big payout and will only target the larger organisations.

“In reality, it tends to be smaller and medium-sized businesses that are targeted because they don’t have the same defences in place.

“It’s about trying to make people realise that they need to take this as seriously as the big companies do.”

With an estimated 348,045 small and medium-sized enterprises (SMEs) operating in Scotland, it is a nation of rich pickings in the eyes of cyber criminals and raising awareness of the risks is vital.

“I think there is a mixed understanding of how real it is among small and privately owned enterprises,” says John Whitehill, cyber security director for PwC in Scotland.

“It is getting better and people are more aware of the risks but I think behaviours and some of the things individuals do still conflict against that.

“There is still more to do in SMEs to make sure they are doing what they can to respond.”

Whitehill believes high-profile incidents such as WannaCry have helped raise awareness that there are real threats online. “Cyber as a topic is much better understood across businesses now than it was even a couple of years ago,” he adds.

In smaller organisations and in the case of many individuals, there can be a lack of understanding as to how data is collected and used online. While some people will be guarded about internet shopping, they will share personal details on social media sites without a second thought.

“In business it is really about realising that there is a never-ending journey that we are on here,” says Whitehill. “The threat and risk is never going to go away.

“It’s only going to become more and more real and I think the objectives of cyber crime are turning more and more to financial gain. Organised crime groups are very much in it for the money these days.”

One of the most common, if not terribly sophisticated, threats is phishing emails, which can come in two forms: a general phishing email that might be sent out to millions of people in the hope that somebody clicks on the link, or a carefully planned and targeted spear phishing email.

“What’s common at the moment is where somebody will send out an email that looks like it came from a director in an organisation, asking [an employee] to transfer money urgently,” explains Grant.

“Typically in an attack like that, the attacker will do a bit of research and find out who the company director is to make it look like the email is coming from them.”

Another prevalent threat is mandate fraud. Grant explains how that kind of situation tends to play out: “An attacker will know you are due to pay an invoice to somebody and they will email saying that person has changed their bank account details, can they pay the money into the new account instead.

“They are unsophisticated but they are quite common and reasonably successful.

“The amount of money transferred can range from the thousands to the tens of thousands.”

Investing time and money in staff training and up-to-date IT systems is the first step towards helping to protect a business against cyber attacks.

“An organisation will run a fire drill every six months to make sure everyone knows where the fire exit is, but what does a company do when it comes to training staff as to what they should do when an email comes in?,” says Grant.

“We need to be improving awareness with our staff. I think staff in general have a false sense of security when it comes to emails – they think their IT department will catch all the spam and phishing emails but they won’t.

“A lot of the time, the user gets the blame for being the weakest link but in actual fact they are the last line of defence and if you train them what to look out for they can protect you as much as any fancy software.”

Whitehill highlights the importance for some firms of protecting their intellectual property in addition to safeguarding their systems.

“If you are a firm that does research and design, then looking after your IP is absolutely key,” he says, adding: “For some organisations like the health service, protecting patient data is really important. Those medical records and data have a value so people are looking to take it and sell it for money.”

An increasing amount of work is being done in Scotland to raise awareness of the risks and offer advice to firms around cyber resilience.

PwC is one of the organisations working hard to highlight the issue, along with Scottish Enterprise, the Scottish Government and the SBRC, Police Scotland and Scotland’s universities, some of which are leading the way in terms of cyber research.

Some industries, Whitehill says, are more alert than others to the risks, while Israel is a model we can learn from. “What you have got is pockets of industry in countries which are really investing a lot in cyber security.

“You tend to find financial services organisations put a lot of money into their own research and development (R&D).

“Israel is a country that invests a lot in cyber security R&D and in terms of innovation investment and start-ups, Israel is a good example.

“They have access to a lot of good university talent, which is very similar to Scotland where we have a very strong university population who are doing some really amazing things.”

Edinburgh University is the only university in Scotland to be accredited by GCHQ, the Government’s intelligence and security organisation, as an Academic Centre of Excellence in Cyber Security Research, Edinburgh Napier has a strong focus on R&D in the field, and Abertay’s ethical hacking course was the first undergraduate degree in the world to have the word “hacking” in the title. It’s now recognised as one of the UK’s leading vocational security programmes.

“We have a growing cyber security industry in Scotland,” says Grant. “We have companies like ZoneFox and Quorum Cyber in Edinburgh which are doing some really good work.

“We held the first Scottish Cyber Awards last year and it was a huge success.”

Among the 2016 winners was Glasgow Caledonian University which picked up the award for Cyber Resilient Community Impact.

“There is a lot of work going on in the universities,” says Grant. “They are offering a lot of good courses around cyber security right now.”

He also points to Scotland’s legal sector as one which has increased its focus on cyber security.

“The Law Society of Scotland won a Leading Light Innovation Award [at the Scottish Cyber Awards 2016] and they have just released a paper around cyber security for law firms.

“That’s an industry that’s taking it quite seriously, particularly with the General Data Protection Regulation coming in.”

Clearly cyber awareness in Scotland is on the up, but there’s one leak in the talent pipeline which needs to be plugged. “We have a lot of really good talent coming through in Scotland from the universities,” says Grant.

“What we are tending to find, though, is we lose quite a lot of that talent down south to big companies in London.

“I think we can do things in Scotland to help retain that talent and make Scotland a leading light in cyber security.”

This article appears in the AUTUMN 2017 edition of Vision Scotland. An online version is available here. Further information about Vision Scotland here.