On Friday, May 12, one story dominated the headlines.
The WannaCry cyber attack had spread across the NHS and other companies across the world, causing mass disruption to the hardest hit. While 11 of Scotland’s 14 health boards tried to minimise disruption to patients, many of us learned about a new kind of threat – ransomware.
During WannaCry, hackers took hold of an estimated 200,000 computers in 150 countries and demanded a ransom for files to be returned. Ransomware and cyber assaults are growing, making them a threat to the public and the private sector as well as anyone with digital information they want to protect.
An investigation by Johnston Press has revealed that, in the past three years, 60 per cent of Scotland’s councils and half of our health boards have encountered attempted or successful cyber attacks.
Ransomware incidents alone were recorded by 14 local authorities.
In England and Wales, 210 incidents of this kind of malware affected 95 councils while ransomware and phishing accounted for most attacks on the NHS south of the border.
The fresh findings from Freedom of Information requests show that while Scotland’s councils and health board reported that no data had been lost and no ransoms had been paid, hackers are persistent in their attempts.
The investigation revealed 19 Scottish local authorities were subject to over 50 notable incidents in the past three financial years.
Between 2014 and 2017, Aberdeen City Council suffered 12 successful cyber attacks including six ransomware incidents and had its webpage defaced. It also recorded over 15 million attempted hits, including intrusion threats, spam, web risks and viruses, in the last eight months of 2016.
Highland Council reported being targeted 953 times, including two partially-successful ransomware attacks, while three ransomware hits got through Dundee City’s defences.
North Lanarkshire Council had two malware incidents in 2015 and three ransomware in 2016.
Four councils including Falkirk and Glasgow City refused to disclose any details stating it would prejudice the effective conduct of public affairs or prejudice the detection of crime, while six, including Angus, Fife, Moray and South Lanarkshire said they had not been subject to any incidents or successful attacks.
A spokesman for Dundee City Council said: “The council uses a Defence in Depth approach using multiple layers of security which includes firewalls, anti virus, intrusion detection and email scanning to name but a few. These layers of protection are maintained to a high standard through regular patching and constant review. The council also continually reviews and improves its backup and recovery facilities.”
The data also shows over half of Scotland’s health boards have had some kind of cyber incident since 2014 but none that resulted in a data loss.
NHS Fife logged 693 attempted malware in the past three years. It was also hit by three successful ransomware attacks which required PCs to be re-built. Data was recovered from back-ups.
NHS Lanarkshire reported 51 attempted or successful attacks but no data loss, while NHS Greater Glasgow and Clyde was subject to four cyber breaches in 2016. Files became inaccessible after being encrypted by ransomware. Data was recovered and the ransom was not paid.
Jann Gardner, director of planning and strategic partnerships with responsibility for IT at NHS Fife, said: “Of the 693 attempted malware attacks only three affected small areas of our network, with swift action taken to contain and repair systems. No patient data was lost or compromised.
“A comprehensive and robust programme of preventative work takes place on an ongoing basis to protect our systems from malicious programmes.”
NHS Tayside reported being bombarded with up to 7000 attempts every month including ransomware.
NHS Orkney refused to reveal the details stating that disclosure could pose a risk to national security
NHS Grampian did not respond, and NHS Lothian reported no cyber attacks had resulted in a breach.
A spokesman for the Scottish Government said: “Scotland’s public sector bodies take cyber security seriously and already implement a wide range of measures to ensure basic security standards are met.
“The Scottish Government has committed to accelerating the development of a public sector action plan to help promote a common approach to cyber resilience across Scotland’s public bodies. Ministers expect to receive recommendations from the National Cyber Resilience Leaders’ Board (NCRLB) shortly.
“Following this, the Scottish Government will consult with Scottish public bodies on any implementation challenges before taking the plan forward.”
The investigation also revealed cybercrime is emerging as a major threat to all sections of society while still massively under-reported.
One in five crimes are now estimated to be cyber according to figures published last week from the Office of National Statistics while Action Fraud says around 70 per cent of fraud is now cyber enabled.
Police forces in England and Wales saw an 87 per cent rise in cybercrime investigated in the past year alone, with around 85 per cent going unsolved.
In Scotland, the situation is less clear with crime statistics only available under traditional labels.
While the Scottish Government and Police Scotland say they were working on classifing cybercrimes, those at the frontline say Scotland is not immune to threat.
Detective Inspector Eamonn Keane from Police Scotland’s cybercrime unit said: “Cybercrime has witnessed significant growth. The cyber threat to Scotland is indicative of that local, national and international threat applicable to all regions in the UK. The top cybercrime types by volume in the Police Scotland area reflect a similiar pattern across the UK to include malware proliferation, ransomware, phishing/ spear phishing, hacking and social engineering.
“The diversity has caused many problems for policing that is playing catch-up to cybercrime’s ever-evolving status.”
A spokeswoman for Police Scotland added: “Cybercrime by its very nature does not recognise or consider geographical borders. Police Scotland continues to work with UK Law Enforcement partners to better understand the specific threat to Scottish communities. We constantly review our practice and procedures, finding ways to improve crime recording threat assessment and, ultimately, the service we provide to the public.”
Take threat seriously
Scotland’s cyber security community has urged the country’s 350,000 small and medium businesses to take the threat more seriously.
Experts say Scotland has proportionately fewer businesses that hold a baseline standard in cyber security compared to the rest of the UK.
Cyber Essentials is the UK government-based scheme which experts say can prevent the most common attacks.
Although not the only measure companies can take, the scheme is endorsed by those working in cyber defence.
Martin Beaton, Cyber Security Network Integrator for Scotland said: “In Scotland, we have proportionately less live Cyber Essentials certificates than the UK. Big business understands the problem and it invests in cyber security.
“But small and medium-sized businesses (SMEs) are in denial; they think they have nothing anything worth stealing. But there are so many robotic programmes just looking for any chink in the armory and they don’t care what data you have, they will scramble it or steal it. A hacker only needs to be lucky once, but companies have to protect themselves all the time.”
In April, the Cyber Security Breaches Survey 2017 revealed that almost half of UK businesses were the subject of a cyber attack in the past year.
The Government survey showed 46 per cent of companies were hit by at least one security breach via malicious emails, viruses and malware. The data, compiled from responses from 1523 businesses between October 2016 and January 2017, showed 67 per cent had spent money on their cyber security. But a “sizable proportion of businesses” did not have basic protections or formalised approaches to cyber security.
Embedding cyber security in our education system means Scots are arming themselves against the growing threat, the Deputy First Minister has said.
John Swinney, who has taken a special interest in cyber security, said: “Scotland’s cyber resilience strategy emphasises the importance of having the appropriate professional skill base in Scotland to prevent or deal with cybercrime effectively.
“The strategy makes clear that, by making this one of the safest places in the world to live and work online, we can ensure that Scotland reaps the economic rewards of expanding digital opportunities.
“Scotland’s education and academic sectors have a global reputation in developing talent and this is an aspiration we share for the cyber security skills market.
“We have begun to embed cyber security within the Curriculum for Excellence, and started to fill gaps within the cyber security skills pipeline.”
Since 2012, youngsters have also been encouraged to consider a potentially lucrative career in cyber security through interactive lectures. Funded by the Scottish Government and industry sponsors, the Christmas Lectures were delivered to 3000 high schoolchildren from Inverness, Aberdeen, Dundee, Edinburgh and Glasgow last year alone.
In 2015, the Scottish Qualifications Authority (SQA) launched the National Progression Awards in Cyber Security, the first qualification of its kind in Europe. The SQA also plans to develop an HNC, HND, and a Professional Development Award in cyber security.