Scotland is a thriving tech and financial hub that is expected to help grow the UK economy. Just like other growing tech centers, though, it has no immunity or exemption from cyber threats. Organisations and individuals in Scotland continuously encounter various kinds of cyberattacks. In mid-2021, Audit Scotland, the country’s central auditor, issued a warning about the rise of sophisticated malware attacks in the public sector.
What makes the Scottish cyber threat landscape different from those in other areas, however, is that the country appears to be better prepared to deal with online and digital risks. The number of cybersecurity firms in the country grew by 300 percent in the 2017 to 2019 period. Scotland is also the base of more than a dozen financial institutions with their own cybersecurity departments.
Additionally, there is a notable increase in the demand for cybersecurity talent, including those who specialise in incident response, training, consultancy, monitoring, detection and analysis, SCADA, network security, information risk assessment and management, as well as end-user device security.
Rarely does Scotland figure in news reports about cyberattacks or serious cybersecurity problems. What has the country been doing to fare relatively well in preparing for or addressing the ever-changing cyber threat landscape?
Elevated security mindfulness
Scotland has a good system to keep everyone informed about cyber threats. In December 2021, the CyberScotland Partnership, the country’s online resilience partnership, presented a list of six cyber threats that will most likely become prominent in 2022. These are as follows:
- The rise of ransomware attacks
- Supply chain security issues
- Mobile malware
- Greater risks associated with hybrid working and BYOD arrangements
- Social media profile attacks
- The rise of attacks on IT providers
Cybercriminals are said to be getting smarter in defeating cyber defenses. Even in the midst of a lingering pandemic, there’s no letup among bad actors in spreading malicious software, disrupting businesses with denial-of-service attacks, stealing data, and undertaking various other adversarial actions against organisations. With all this, there is an obvious need for better SOC security. And Scotland has a good number of SOC solutions that continuously evolve in response to emerging threats.
Also, there is a need for better cybersecurity information dissemination, something Scotland competently handles. Through the CyberScotland Partnership, the country has shown its leadership in making cybersecurity advice available to everyone. With Scottish government funding, the National Cyber Security Centre’s Cyber Aware advice has been published in various alternative formats to help individuals and organisations become safe and secure online.
The alternative formats allow those who are deaf, hard of hearing, blind, or visually impaired, as well as those who have learning or cognitive difficulties, to access useful information and resources on how to be safe when using digital and online technologies. Scotland’s policy is to make its cybersecurity guidance and advice available in braille, British Sign Language, Easy Read, and closed-captioned videos.
Government Strategic Framework
In addition to Scotland’s booming cybersecurity industry and dynamism in cybersecurity information sharing, it is also remarkable for medium-term planning when it comes to cyber resilience. This is demonstrated by its Resilient Essential Service: Scottish Government’s Strategic Framework 2020-2023, which aims to “establish a common cross-sector approach to cyber resilience and critical infrastructure.”
This comprehensive framework applies not only to government bodies but also to critical infrastructure (CI) operators and responder communities. The Scottish government involves CI players at tactical and strategic levels while forging “resilience partnerships” to enable more efficient responses to threats and attacks.
The strategic framework is Scotland’s risk-based approach to planning for, preparing for, responding to, and recovering from cyber-attacks. “It is necessary that the operators of Scotland’s national and local infrastructure understand and protect their critical assets, understand the cyber threat to their organisation, the risk to their infrastructure, manage the risk from their supply chain and recognise staff as a potential access route,” an excerpt of the framework reads.
Essentially, the framework guides everyone to come up with prevention, response, and recovery plans that are in line with the following characteristics:
- Based on current best practices, standards, and principles
- Based on sensible cyber threat understanding
- Owned as a board-level risk
- Baked into existing risk management and planning processes and decisions
- Guided by an accurate understanding of the nature and likelihood of the threat and a cycle of review and action
- Proactive management of infrastructure, supply chain, and staff risks
- Informed by expert advice from authoritative organisations
- Developed with the cooperation of stakeholders and other interested parties
- Integrated at an appropriate scale to ensure a proper appreciation of the scope and depth of a problem
- Effective in enabling other organisations to minimize cyber threat impact
The framework has four action plans, namely the Learning and Skills action plan, the Public Sector action plan, the Private and Third Sector action plan, and the Economic Opportunity action plan. The Learning and Skills action plan focuses on building a growing, skilled cybersecurity profession for Scotland. The Public Sector action plan ensures that there is a common baseline for good cyber resilience practices. Moreover, the Private and Third Sector action plan lays out a detailed program of work to raise awareness of the fundamentals of cyber resilience.
Ultimately, the framework seeks to ensure the active management of cyber threats and security weaknesses, especially in relation to corporate risk management processes and policies. It also aims to create effective processes for the identification and assignment of critical assets that can become targets of cyber threats; the assessment and analysis of threats and vulnerabilities; continuous management of and response to threats and vulnerabilities; support for staff at all levels, especially to encourage appropriate behaviors in reducing cyber risks; and the implementation of proper technical controls and policies.
Cyber attacks are inevitable, but this does not mean that nothing can be done to mitigate their impact or even prevent them from successfully penetrating cyber defenses. Scotland proves that it is possible to do well in dealing with cyber threats by being deeply mindful of the threats, having carefully thought out plans, and ensuring good cybersecurity information dissemination.
Even for a relatively small country like Scotland, cybersecurity should be taken seriously. Nobody is safe from cyberattacks, and the worst that can happen in one region across the world can also happen in Scotland. The country’s robustly growing cybersecurity industry demonstrates the kind of resolve the Scots have embraced to become better at managing cyber threats and risks.