Cybersecurity was once viewed as little more than an interesting plot in a script for a Hollywood film. Now, the UK government has gone as far as to deem cyber-attacks on Britain as one of its highest priorities for action, classifying them as a ‘Tier 1’ threat.
A successful cyber-attack can be catastrophic for a business or organisation; often publicly so. In 2011, Sony was the victim of an attack that cost $171m and resulted in over 100 million customers having their personal details compromised. In 2014, Sony’s film studio division infamously bowed to hackers’ demands to cancel the cinematic release of The Interview, a comedy about the imagined assassination of Kim Jong-un.
These types of attacks are becoming more frequent and more damaging. In 2017, NHS England estimated that 7,000 appointments, including operations, were cancelled because of a malicious computer infection, known as ransomware, which threatened to release sensitive information and block computer access to it until a ransom was paid.
This incident must serve as a wake-up call to charities, small businesses and voluntary organisations tempted to believe that hackers and cyber vandals are only interested in highly profitable FTSE 100 companies. That kind of thinking is naïve and dangerous.
Households also require a mindset change because Scots now spend £38 billion a year using online transactions. Alarmingly, one in ten of us admit to having experienced unauthorised use of our personal data and this number will continue to grow without adequate safeguards in place.
The harsh reality is that our ability to combat these threats is well below what it needs to be. This month, a test of UK university defences against cyber-attacks found that in every case “ethical hackers” were able to obtain valuable data within two hours.
More alarmingly, the National Audit Office released a report in March outlining what it saw as failings in the way the Cabinet Office created its current cyber security programme. It also raised questions over the UK government’s readiness to prevent cyber-attacks beyond 2021.
Reassuringly, charities in Scotland are being urged to bid for grants of up to £1,000 to improve their cyber security. As an incentive, the Scottish Council for Voluntary Organisations is only making the funding available to organisations that already have some form of protection in place against threats such as malware.
Larger sums of money also continue to be invested nationally, with the UK government allocating a budget of £1.3 billion to the National Cyber Security Programme.
Glasgow Science Centre is playing its part. During the Scottish Government’s Cyber Scotland Week, we are inviting school pupils and the public to take part in a digital workshop where they can learn some of the skills used by ‘ethical hackers’. There will also be an opportunity to speak to Police Scotland about what the front line of cyber security looks like.
Deputy first minister John Swinney called it right when he said, “By doing these basics properly, most attacks around the public sector can be prevented or mitigated”. While we can’t make all networks and machines impenetrable, we can deter hackers by addressing basic failings such as password management and network configuration.
As is often the case, threats can bring an abundance of opportunities. As Colin Lobley, the head of Cyber Security Challenge UK, says, “tapping into more diverse talent pools” must form part of an organisation’s cyber resilience hiring strategy. The benefit, he states, is that it will allow businesses to “possess the diversity of thought required” to better combat cyber-attacks while improving diversity within businesses and organisations.
If, as a country, we want to see more people entering the cyber security profession, then we must begin teaching people, particularly young people, skills in cyber resilience. If we grasp this opportunity, then we will also take a huge step towards addressing our national skills gap that leads to 10,000 unfilled IT vacancies a year.
Dr Stephen Breslin is Glasgow Science Centre’s Chief Executive.
Cyber Scotland Week runs from 22-28 April.