Scottish Cyber Activity Report 2026
The Scottish Cyber Activity Report (SCAR) 2026 is the first edition of an annual publication from the Scottish Cyber Coordination Centre (SC3) giving a comprehensive, data-driven assessment of cyber activity across Scotland's public sector.
4. Looking Ahead
4.1. Themes & Lessons
The SCAR demonstrates a clear set of cross-cutting themes that should inform strategic decision-making across Scotland’s public sector.
Cyber risk is systemic
It affects organisations across all sectors, all sizes, and all levels of digital maturity. It cannot be solved by individual organisations acting alone. This is the fundamental rationale for collaboration, information sharing, and coordinated response. The sector requires shared threat intelligence, coordinated vulnerability disclosure, and forums for collective learning. This is precisely the role that SC3 is designed to fulfil, and collaboration across the public sector is essential for the continued improvement of cyber resilience.
Leadership and governance are the primary outcome-drivers
Technical controls such as firewalls, endpoint protection and intrusion detection systems are necessary but not sufficient. The ability of organisations to detect incidents quickly, make rapid decisions about response and recovery, communicate effectively, and learn from the experience depends primarily on governance and leadership capability. This places responsibility squarely on boards and senior leaders, not on IT departments. Governance frameworks for cyber risk, incident response planning that assigns clear decision-making authority, and board-level awareness and oversight are the most critical investments organisations can make.
Business continuity plans for digital services need improvement
Current business continuity plans, developed over time to handle system failures, financial disruptions, and supply chain interruptions, do not adequately address the scenario of sustained digital infrastructure failure lasting days or weeks rather than hours. The sector requires business continuity and disaster recovery plans explicitly scoped for cyber scenarios, tested through exercises, and regularly refreshed. This is particularly critical for organisations that have not experienced a cyber incident, as the assumptions embedded in their plans are untested and likely to be unrealistic.
Communications is not a secondary concern: it determines outcomes
The reputational consequences of how an incident is communicated can exceed the technical consequences. Organisations require dedicated communications plans for cyber incidents, pre-established governance and decision-making authority, and trained communicators. Communications planning should be integrated into incident response planning, not treated as an afterthought. Alternative communication channels are equally important: an organisation must know how it will communicate when its primary systems are down. When an organisation loses the ability to communicate internally (because email is compromised or unavailable), or cannot communicate externally (because its website is down or its public communications channels are controlled by an attacker), the incident rapidly becomes a crisis of confidence. Staff and colleagues do not know what is happening. Citizens and clients do not receive information. Media narratives develop without a counter-narrative.
Incident response capacity is a sector-wide concern
Whilst most organisations have incident response plans, access to specialist incident response support is not universal. This is a gap that requires active management, potentially through closer integration with commercial CIR providers or expanded public sector capability. The pandemic revealed the vulnerability of distributed incident response; cyber incident response would likely overwhelm existing capacity if multiple large organisations were compromised simultaneously.
Data theft and extortion require strategic thinking, not just technical response
Early ransomware typically encrypted data and demanded a ransom for decryption. Modern ransomware increasingly combines encryption with data exfiltration, or bypasses encryption altogether, threatening to publish stolen data if the organisation refuses to pay. Whilst there has been investment in ransomware protection, evidence now suggests threat actors are focusing on data exfiltration as a primary source of extortion.
Technical controls need to be put in place
Organisations should define and routinely monitor baselines for normal network and system activity. Staff must be provided with clear guidance to help them recognise indicators of suspicious behaviour. Out-of-hours monitoring and escalation arrangements need to be robust, ensuring that responsibility does not fall on a single individual and that there are no single points of failure. Backups must be immutable, regularly tested, and resilient against ransomware. To support effective recovery sequencing, organisations should have a thorough understanding of their system dependencies, including those hosted on-premises, in the cloud, or delivered by third-party suppliers. Disaster recovery strategies should account for scenarios involving partial system loss, full system failure, and long-term service degradation.
Supply chain risk is critical
Organisations have limited visibility into their supply chain and do not regularly assess the cyber risk posed by suppliers. Through-life assurance is limited, and as supply chain attacks become more common, this represents a significant vulnerability. The sector requires standardised approaches to supplier assurance, shared understanding of acceptable cyber practices among suppliers, and coordinated approaches to managing supply chain risk.
Regular exercising is a must
Exercises should be conducted regularly and designed to be as realistic as possible, involving business units, executive leadership, and technical teams. These exercises need to incorporate challenging scenarios such as prolonged outages, the loss of identity systems, loss of email services, and extortion-based attacks to ensure organisations are prepared for the types of disruption that are increasingly common. Crucially, any lessons identified during these exercises must lead to lessons implemented. This requires structured follow-up mechanisms that ensure actions are tracked, completed, and embedded into organisational practice, rather than remaining as observations without meaningful change.
Education networks in local authorities are a specific area of concern
Incident data reveals that education networks operated by local authorities lack adequate security measures compared to their corporate network counterparts. These education networks often handle significant volumes of data relating to children and young people. The disparity in security posture between corporate and education networks within the same organisation suggests that education networks are not subject to the same governance, investment, and monitoring standards as the primary corporate infrastructure. Given the sensitivity of the data they hold and the potential for them to be exploited as an entry point to the wider network, this gap requires urgent attention.
Lessons must be identified and shared faster
The current pace at which lessons are captured from incidents and disseminated across the sector is not sufficient. The sector requires structured mechanisms for rapid lesson capture, anonymisation where necessary, and timely dissemination. SC3 has a central role to play in accelerating this process, but organisations must also commit to contributing their own lessons openly and promptly.
The themes and lessons identified in this report are not theoretical. They are grounded in the real experience of Scottish public sector organisations that have faced significant cyber incidents. Two organisations that have published reports on their incidents illustrate the recurring nature of these challenges and, critically, the sector's difficulty in absorbing and acting on lessons at pace.
In December 2020, the Scottish Environment Protection Agency (SEPA) was targeted in a ransomware attack by the Conti criminal group. The attack occurred on Christmas Eve, when staffing was at its lowest, and resulted in the encryption of critical systems and the theft and subsequent publication of approximately 1.2 gigabytes of data.
SEPA's recovery was extensive; the organisation took the strategic decision to rebuild its digital infrastructure from new rather than attempt to restore compromised legacy systems. A formal lessons learned review was published in late 2021, identifying 44 discrete lessons across areas including incident response frameworks, business continuity, backup integrity, network segmentation, communications, staff welfare, and multi-agency coordination. The review was transparent and was shared widely across the public sector and with the wider public.[6]
In November 2023, nearly three years after the SEPA attack, Comhairle nan Eilean Siar (Western Isles Council) was struck by a ransomware attack that caused severe disruption to council services. The attack encrypted on-premise systems, rendering many core services unavailable. Recovery extended over a year, with some systems still not fully restored twelve months after the incident. The financial impact exceeded £1 million in one-off and ongoing costs. Five IT vacancies at the time of the attack compounded the challenge, and the strain on staff was described as overwhelming, all of which is detailed in the council's own published report.[7]
The lessons identified from the Western Isles incident are strikingly similar to those identified by SEPA three years earlier. Both organisations found that business continuity plans were inadequate for enterprise-scale digital failure. SEPA discovered that emergency management procedures stored on compromised systems were inaccessible when needed most; the Western Isles found that corporate business continuity plans were used inconsistently across departments and were not scoped for a cyber scenario of this magnitude.
Both organisations identified the critical importance of leadership and command structures in driving recovery. Both highlighted communications resilience as essential: SEPA was praised for its transparent external communication, whilst the Western Isles review noted that internal communications were sporadic and staff felt uninformed. Both reported severe workforce strain, with small teams carrying unsustainable workloads over extended recovery periods. Both identified gaps in detection and monitoring capability, with the Information Commissioner's Office specifically highlighting to the Western Isles the need for a Security Information and Event Management (SIEM) system and enhanced endpoint monitoring, capabilities that SEPA had already identified as priorities in its own review.
One notable finding from the Western Isles review was that the council’s schools network, which operated on a separate infrastructure, was largely unaffected by the attack. This physical separation likely prevented the ransomware from spreading to education systems. However, as noted elsewhere in this report, education networks in many local authorities lack the same level of security investment as corporate networks. The Western Isles case demonstrates both the protective value of network segmentation and the risk that, in other authorities where such separation does not exist, education networks could serve as either an entry point or a casualty of a wider attack.
Many of the lessons identified from both incidents are demonstrated elsewhere in this report, showing that they are not unique to the victim organisations but apply to the whole sector. In publishing the SCAR, SC3 hopes that these core issues are identified and addressed within each public sector organisation.
4.2. Conclusion
Scotland faces a cyber security challenge that is systemic, persistent, and evolving. Cyber attacks affect organisations across all sections of the public sector. They impose operational, financial, and reputational costs. They undermine public confidence and can disrupt essential services. Yet the evidence presented in this report demonstrates that resilience is achievable. Organisations that have invested in governance, planning, exercising, and capability have recovered quickly from incidents and have maintained public confidence. The sector collectively possesses examples of good practice, and the knowledge of what works.
The challenge is to spread this good practice more widely and to address the gaps that remain. 30% of organisations lack formalised incident response support. Nearly half have not fully integrated cyber risk into business continuity planning. Many organisations lack dedicated cyber incident communications plans. Lessons from incidents are not being identified and shared across the sector quickly enough to prevent recurrence. These gaps are addressable through focused effort and investment. The fact that some organisations have solved these problems demonstrates that the solutions are available; what is required is the will to implement them across the sector.
SC3 is Scotland’s focal point for coordinating this work. Through its standards and insights, threat intelligence, vulnerability coordination, incident management, and exercising workstreams, SC3 facilitates the sharing of learning, the development of common approaches, and the building of relationships across the sector that enable rapid response when incidents occur. This report is published to support that work, to inform senior leaders about the cyber risk facing Scotland’s public sector, and to highlight the actions required to reduce that risk.
The coming year will be critical. The sector should treat the recommendations in this report as a starting point for a conversation about cyber resilience at board level, at leadership level, and across the sector. Investment in governance, planning, and exercising will pay dividends in the form of faster incident response, less operational impact, and greater public confidence.
The Strategic Framework for a Cyber Resilient Scotland sets out the vision that Scotland thrives by being a digitally secure and resilient nation. Whilst there is work to be done, collaboration is embedded across the public sector, and with SC3 as a focal point of coordination, this vision is within reach.
Contact
Email: SC3@gov.scot