BUSINESSES in Scotland face a one in two chance of a cyber security breach, and the severity of those attacks is getting worse, the founding CEO of the UK’s National Cyber Security Centre (NCSC) has warned.
Speaking to The National, Professor Ciaran Martin warned that “cyber attackers are getting bolder and they’re starting to act with impunity”.
On Christmas eve, the Scottish Environment Protection Agency (Sepa) was hit by a “serious and complex” cyber attack which impacted directly on their work and cost millions to remedy.
In May, Ireland’s Health Service Executive (HSE) was forced to cancel operations and maternity services after being hit by a similar attack, the effects of which are still being felt months later.
That same month US firm Colonial Pipeline had to shut its entire network after a “ransomware” attack, leading to fuel shortages up and down the East Coast.
“What’s happened in 2021 is the severity of the impact of cybercrime has worsened,” said Martin, who is now an advisor to Paladin Capital Group.
READ MORE: Scottish university targeted by 'limited' cyber attack
While these large-scale attacks make the headlines, there is a different side to cyber attacks. Rather than aiming at large bodies, small and medium-sized enterprises (SMEs) and individuals are also targets.
“We are not only talking elite hackers here,” Martin says, moving on to talk about the “phishing” cyber scams which have occasionally hit the headlines in the pandemic, with texts purporting to be from the NHS asking for a fee for a vaccine, for example.
“I know plenty of cyber security professionals who fell for the better designed ones, and I almost fell for one myself very recently.
“I got a very good fake from the phone company that I’m with telling me to top-up, I was really tired and I almost paid it. The money was peanuts but it was my bank card details, CVC number and so forth, but I stopped just in time.
“Anybody can fall for this stuff, and if a fraction of 1% fall for it then it’s probably worth the criminal’s time.
“This is pretty easy to do and it’s easy to send out in large volumes. You can send out hundreds of thousands of these things at once, maybe half of them don’t get delivered but who cares, it costs peanuts.”
Martin warned that this scattergun approach taken by cyber attackers against individuals may provide a blueprint for similar attacks on SMEs in Scotland and the wider world.
“If you can hit a large number of SMEs for small amounts of money, that can be as effective as extorting one larger organisation, particularly as those larger ones might have better defences, recovery systems, or more margins to hang on and not pay,” he explains.
“It is not a catastrophic situation yet, but it is therefore something on which the time to act is now.
“There have been relatively few ‘spectaculars’ on SMEs, but we’ve got the aggregation of small harms into a serious national problem.”
READ MORE: Russian hackers targeting Covid-19 researchers, UK security agency warns
Martin said that one survey of Scottish business found four in 10 SMEs do not feel prepared against cyber attacks. He adds: “Of the six in 10 that said they did feel prepared, I’m sure that’s a testable assumption.”
The former NCSC chief compares the steps SMEs can take to protect themselves against such attacks to the Covid vaccine: “It’s not an immunisation but it’s a major reduction in risk.”
These steps include using two-factor identification, which can protect against “brute force” cyber attacks, good practice around passwords, and keeping systems up-to-date.
Martin explains how one expert he knew would be brought into firms and asked to design a new cyber security strategy. “You don’t need that,” he’d say, “you need Windows 10 and not Windows 7!”
While up-to-date systems will always help, he says: “The first and most important thing is to have offline backups. We used to say ‘have backups’ but attackers have gotten wise to this.
“The main risk is that you can’t continue, but if you have a good offline backup you can’t be held for ransom forever. It’s not free, but it’s not overly expensive and it’s a very sensible precaution to take.”
As the nation looks to recover from the impact of the pandemic, which has “turbo-charged” the importance of the digital economy, Martin says that “good practice and the basics” can go a long way to help protect against seriously damaging cyber crime.
“It is certainly something that is holding back our economies already”, he says. “As recovery takes hold we need to think very, very seriously about making sure economic growth is not compromised by repeat attacks from criminals.”
Why are you making commenting on The National only available to subscribers?
We know there are thousands of National readers who want to debate, argue and go back and forth in the comments section of our stories. We’ve got the most informed readers in Scotland, asking each other the big questions about the future of our country.
Unfortunately, though, these important debates are being spoiled by a vocal minority of trolls who aren’t really interested in the issues, try to derail the conversations, register under fake names, and post vile abuse.
So that’s why we’ve decided to make the ability to comment only available to our paying subscribers. That way, all the trolls who post abuse on our website will have to pay if they want to join the debate – and risk a permanent ban from the account that they subscribe with.
The conversation will go back to what it should be about – people who care passionately about the issues, but disagree constructively on what we should do about them. Let’s get that debate started!
Callum Baird, Editor of The National
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here