Digital technologies bring enormous opportunities for businesses, but they also bring new threats and vulnerabilities that we must manage safely. It is likely that cyber-crime costs the UK economy billions of pounds each year. Further, the Cyber Breaches Survey 2021 identified that 39% of businesses in the UK and a quarter of charities (26%) reported having cyber security breaches or attacks in the previous twelve months, with an increasing number of businesses experiencing these issues at least once a week.
Scotland’s new Digital Strategy positions cyber resilience as key to operational resilience and business continuity, and aims to embed cyber resilience into the design of Scotland’s future digital services, The Strategic Framework for a Cyber Resilient Scotland, published in February 2021, seeks to ensure that businesses and organisations are aware of the cyber risks they face, have access to up-to-date information, advice and guidance, and can withstand, respond to and manage incidents, knowing where to find the right kind of support.
The Programme for Government in September 2020 identified cyber security as the critical underpinning factor that would ensure Scotland is safely and securely able to develop smart digital solutions to meet the needs of the immediate and long-term economic future.
This section examines the extent to which the cyber security skills required by business are readily available in the workplace, and the technical controls and accreditation that are in place within businesses to ensure they are digitally resilient and secure.
Base: All businesses (3,346)
Multiple responses allowed
Cyber-attacks (see figure 10)
- Amongst all businesses surveyed, 28 per cent had experienced a cyber-attack in the last 2-3 years. The most common attacks businesses faced was being directed to fake websites (15 per cent) and having emails hacked (11 per cent).
- 71 per cent of businesses experienced no cyber-attacks in the last 2-3 years.
- Of those businesses that experienced a cyber-attack, various implications were reported such as the business requiring specialist services (26 per cent). Other implications included cost of replacing/ upgrading equipment (23 per cent), financial loss (17 per cent), re-training staff (13 per cent), damage to reputation (9 per cent) and data breach of sensitive information (7 per cent).
- 6 per cent of businesses had obtained a cyber-security accreditation, such as Cyber Essentials or Cyber Essentials Plus, down from 10 per cent in 2017. 76 per cent did not have accreditation and were not planning to obtain it in the future.
- Amongst those who did not have a cyber-security accreditation, only 9 per cent were planning to obtain accreditation in the next 12 months.
Base: All businesses (3,346)
Cyber-security skills (see figure 11)
- Amongst all organisations surveyed, half (52 per cent) were responsible for managing their own IT infrastructure and systems, while 27 per cent did not manage any of their own IT infrastructure and systems.
- 82 per cent felt that they were fully or somewhat equipped with the relevant skills to protect against and deal with cyber security threats. 14 per cent of businesses, on the other hand, felt that they were poorly, or not at all, equipped with the relevant skills to protect against and deal with cyber security threats.
- 81 per cent of businesses feel that their workforce is very or fairly aware of cyber threat and risk and how to mitigate it. 15 per cent reported that their workforce is not very or not at all aware.
- In regards to external advice, guidance and support on cyber security, the most common source reported by businesses was Police Scotland (38 per cent). 19 per cent stated that they would go to the National Cyber Security Centre, 12 per cent would go to the Scottish Business Resilience Centre and 4 per cent would contact an IT company/ consultant/ external provider.
There is a problem
Thanks for your feedback