Exclusive:Cyber security: Lack of planning and outdated IT systems putting Scotland at risk

Over the past week or so a number of Scottish organisations have been hit with cyber attacks, including Edinburgh and West Lothian councils.

Last week pupils in Edinburgh were cut off from revision resources during the annual exam period after an attempted cyber attack on the council’s education department.

Staff managed to spot the “spear-phishing”, a more sophisticated form of phishing which is more personalised and therefore harder to recognise, after receiving a suspicious invitation to a meeting earlier in the day.

This comes after a suspected criminal ransomware cyber attack on schools n West Lothian earlier in the week.

While no personal or sensitive data was accessed in this attack, West Lothian Council had to resort to contingency measures to keep schools open.

Now experts are warning bodies such as councils are not sufficiently prepared for cyber attacks, or on how to recover from an attack when it does happen.

Subscribe to the Steamie newsletter for the best daily political analysis

Dr Karen Renaud, a cybersecurity expert and a reader at Strathclyde University’s computer and information science department, says many organisations have still not grasped the importance of having a system in place that allows them to get back on their feet after a cyber attack.

“If you fail to plan, you plan to fail,” she warned. “Many organisations don’t even have a plan to recover after a successful attack.

“They put most of their eggs into the ‘resistance’ basket. Balancing things out and trusting everyone to play their part does not need to cost that much more.”

Dr Renaud says it is important public bodies enforce robust security measures via different approaches that would allow them to not only withstand attacks, but ensure that any damage done can be mitigated.

She added: “Resistance is usually achieved by using technical measures and ensuring that staff are well aware of secure actions they should take.

“Many organisations fail to give the same amount of time and attention to resilience, so when they get breached things fall apart.

“Many organisations fail to put measures in place that will help them to continue to function if they lose systems to hackers.

“There is a simple technique called replication where you ensure that a fully replicated system can take over if one system fails or is breached.

“Small businesses cannot afford this, but a big organisation surely can.”

She added it is “lazy and incorrect” to suggest human users are a “weak link” that can be deceived, allowing hackers into systems.

Dr Renauld said: “If humans are falling for phishing attacks, they either have not been trained effectively to cope with the new AI-generated phishing attacks or the organisation has not implemented measures like two-factor authentication to act as a safety net in case people do get deceived.

“On the surface it might look as if humans are the vulnerability - the actual vulnerability is that organisations respond by applying more and more constraints, rules and restrictions on employees.

“When you treat humans as the problem, they will become the problem.

“Organisations need to start treating their employees as the solution and giving them the knowledge and ability to be the solution.”

Dimitros Pezaros, professor of computer networks at Glasgow University’s computer science school, told Scotland on Sunday that legacy and outdated IT systems were a “serious concern”, especially in environments where so-called software “patching” might be less straightforward than it sounds.

He warns there is "clearly not" enough investment from public sector organisations to ensure key cybersecurity functions are being kept on top of.

“In contrast to other parts of our civil infrastructure, such as roads and bridges, we have traditionally approached software systems as less critical, hence prioritising requirements such as speed of development, deployment and reduced cost - at the expense of cybersecurity,” he explained.

“We have been able to get away with it and with retrofitting cybersecurity to existing systems, mainly due to the lack or slowness of pervasiveness of software systems.

“However, in this modern day and age where software and digitalisation are pervasive and are used to drive critical systems, the frequency and intensity of cyber attacks are, and will increasingly be, such that lack of native cybersecurity will be extremely costly to retrofit later, while the consequences of cyber attacks can be dramatic.”

Professor Pezaros added there has been an increase in cyber attacks across many sectors, including local government, the NHS and retail, where victims are extorted over access to their sensitive data.

He added: “As a minimum, organisations should be able to report cyber incidents promptly and honestly, let relevant stakeholders know what has happened and what elements of the system have been compromised and, operationally, be able to react swiftly to detect breaches and minimise damage, for example through employing principles of data and system segregation.

“Also, be proactive, making sure that any data they store remains encrypted.”

In Holyrood, pressure is now mounting on SNP ministers to make sure public bodies and local government are supported enough to fend off cyber attacks.

Miles Briggs MSP, the Scottish Conservatives’ education spokesman, said: “Last week’s cyber attack, which left pupils in Edinburgh unable to access revision materials days before their exams, shows there are still huge vulnerabilities in the way our councils store information.

“Organisations are often too quick to blame people for the problems rather than admitting their cybersecurity system isn’t up to scratch.

“SNP ministers need to ensure that public bodies and local authorities have robust cybersecurity mechanisms in place to avoid further security breaches.”

Scottish Lib Dem leader Alex Cole-Hamilton added: “We know from previous cyber attacks on SEPA and NHS Dumfries and Galloway that these attacks can be complex, expensive and the full impact not truly understood for a considerable period of time.

“As more of our lives move online, there are also going to be an increasing number of malicious actors out there trying to cause chaos or make a profit.

“The Scottish Government must ensure that local authorities, health boards and public bodies have the support they need to toughen up their digital infrastructure and avoid disruption to people’s lives.”