Cyber resilience economic opportunity: key actions 2018-2021

Appendix Four: The cyber security landscape (snapshot as at September 2018)

The NCA reported that 2017 was "punctuated by cyber attacks on a scale and boldness not seen before"^[22]. The cost of cyber attacks to UK businesses in 2016 was in the region of £29.1 billion, with around 3 million organisations affected^[23].

Recent high profile attacks that have had an impact include:

• The global Wannacry attack in May 2017 which affected more than 150 countries worldwide, seriously impacted the NHS in Scotland and England, and caused Nissan to shut down production in their Newcastle factory for two days.
• The largest ever recorded cyber heist on the Bangladesh bank (reportedly to the tune of $100m).
• The Equifax attack where it was reported that over 145 million US customers had sensitive data breached.
• A reported $500m theft of cryptocurrency from a Japanese exchange in January 2018.

Alongside this threat, the ubiquitous use of data (and a need to manage it appropriately) has sparked an increased focus on privacy and ethics, which is evident in recent legislative changes such as the new General Data Protection Regulation (GDPR), the NIS Directive (which aims to raise security and resilience of network and information systems across the EU), and the UK Government's current work on developing security standards for Internet of Things (IoT)^[24].

All of these factors contribute to an increasing demand for robust cyber security products and services, with the cyber security market expected to grow globally to over $144 billion by 2023.^[25]

Scotland's cyber security company base has grown considerably in response to Scottish, UK and International demand, from a baseline of around 50 companies in 2017, to just over 90 companies, with a roughly even split between products and services. These companies span several areas including risk and assurance, digital forensics, serious gaming, payment engines and block-chain.

In addition, there are cyber security departments and services embedded within other businesses (for example, financial and business services organisations). Six Security Operations Centres (SOC's) operate in Scotland, and the number is increasing. An increasing number of financial institutions have chosen to carry out their cyber security operations in Scotland.

As well as a growing company base, Scotland has world class research and academic capability in the field of cyber security. SICSA supports a specific cyber security research theme^[26], and at least six Scottish Universities now offer relevant cyber qualifications. Edinburgh Napier University was the first University in the UK to have their cyber security masters course recognised by GCHQ, Abertay was one of the first universities in the world to offer an ethical hacking degree, and the University of Edinburgh's School of Informatics is formally recognised as an Academic Centre of Excellence for Cyber Security Research (in a context where cyber skills are becoming increasingly valuable, with an anticipated global shortage of 1.8 million cyber professionals by 2020).^[27]

Coupled with an ecosystem that includes numerous supporting institutions and aligned public sector support, when compared with previous emerging markets and technologies, the Scottish cyber supply-side appears to have the necessary ingredients, show the right characteristics and demonstrate enough early scale to make a claim to be considered a credible, potential high-impact cluster worthy of support at this time.