Skip to content

I remember as a young Detective, embarking on a career in crime investigation being told ‘procrastination is the thief of time’ in other words don’t put off until tomorrow something that you can achieve today, or you may regret it. That advice served me well for over 30 years in law enforcement, but fast forward to the present. I now find myself in the world of cyber and that advice is as relevant today as it was then.  

Advancement in technology has grown exponentially and the growth of the internet has been massive globally, probably the biggest social and technological change in recent times and certainly within my generation. Of course, the acceleration of digital technology offers huge opportunities for business in Scotland to prosper, but as our reliance on the internet grows, so too does the threat of internet related crime and these new threats and vulnerabilities all need to be managed.  

Charles Darwin said – ‘It’s not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change’ so applying this in a cyber context, we all need to be responsive and adapt quickly to the changing cyber threat landscape otherwise we run the risk of falling victim to a cyber attack. 

Why? Quite simply cyber crime is out of control. Every day, thousands of computers all over the world are attacked or infected as criminals take advantage of anonymity in the online world to hack and steal money, data and personal information if the opportunity arises. Unlike more traditional criminals that we all recognise, cyber criminals are able to commit crimes remotely, with less risk and almost with impunity 

Figures released from the UK Government Cyber Security Breaches Survey 2022 showed that around four in ten of UK businesses (39%) reported having a cyber security breach or attack last year and when you consider that there are over 5.5 million businesses in the UK, I think it puts some perspective on the scale of the activity taking place. 

When you read reports of data breaches, leaked usernames or another scam stealing money from vulnerable people, what you are probably reading about is a lack of cybersecurity, a failure to protect systems, processes, or data which has been exploited by criminals. 

Whilst some of these attacks are complex and more involved, the vast majority are low level volume attacks that can easily be prevented. Unfortunately, there are too many of these lower-level volume attacks getting onto systems and they are hurting business financially and reputationally.  

The problem is that many businesses don’t take cyber security seriously. I still hear ‘it will never happen to me’ – until of course it does – and by then it’s too late, or often people recognise the issue but just don’t do anything about it. Cyber shouldn’t be seen in isolation, it’s just another business risk that needs to be managed. 

Coming from an intelligence background, it will be no surprise that I believe an intelligence led security approach to cyber is required. If you understand what that changing cyber threat landscape looks like, that in turn increases your situational awareness and ultimately allows you to make informed decisions about what you can do to mitigate against the threat. 

I like to draw an analogy with the response we see to a healthcare pandemic, and this was self-evident during the recent Coronavirus outbreak. What was the top priority? It was to find out who was infected and how the virus was spreading. What we then saw were nations, governments, scientists, healthcare professionals, and others all responding openly and quickly. They came together in a collective effort to stop Coronavirus spreading, sharing information and advice to inform people not infected how to protect themselves before ultimately developing a vaccine. 

Unfortunately, this is not what we see in response to a cyber incident. I think businesses are more inclined to keep information on that attack to themselves, probably through fear of losing a competitive advantage or reputational impact. What we need to do is democratise cyber intelligence and threat information and make it available to those people who need access to it so they can prevent it happening to them. To complete the analogy, sharing that information could be the equivalent of a vaccine.   

But to be intelligence led, we need to access good quality information. 

So, for the last few years, I have been actively promoting both CiSP and Cyber Essentials to businesses in Scotland. CiSP is a platform owned by the NCSC and helps organisations understand what that changing threat landscape looks like. It’s a free service and is a means of accessing or ‘democratising’ current threat intelligence and information from other professionals and industry experts, often in real time. 

The Cyber Essentials Scheme is a government backed baseline standard in cyber security and details five network controls that help prevent the vast majority of the most common cyber-attacks. By focussing on basic cyber hygiene, Cyber Essentials show how to address simple weaknesses in IT systems and software to help prevent these common attacks.  

Last year, the Cyber Scotland Partnership (CSP) was formally launched with 16 Strategic Stakeholders. Working together, the Partnership has been amplifying key advice and guidance to organisations, businesses and individuals to help raise awareness of the current cyber threat and signposting through a dedicated website and bulletins how to access that information and I’m delighted that this year, my cyber journey has allowed me to engage in this important arena. 

What lies ahead? Who knows, but it’s vital that every organisation using the internet, regardless of size or sector, understands the cyber threat, how it is changing and takes precautionary steps to protect themselves. Getting the basics right is a great start, like making sure you have strong passwords, not sharing them and restricting who has administration rights, backing up your data, enabling two-step verification and having robust firewalls and anti-virus installed will help protect you in the online world. 

I would firmly recommend making use of the expert advice available from the NCSC and CyberScotland Partnership websites to determine where you might need to focus your efforts in further protecting your assets.

Remember, ‘procrastination is the thief of time’, so don’t wait for something to happen before you take action, why not introduce a culture shift away from reactive mitigation to more proactive staff training and implementation of control measures. But whatever you do don’t put cyber security off until later, you may just regret it.  

About Graham

Graham served as an officer with Central Scotland Police and Police Scotland for over 30 years.  He is experienced in Crime Investigation, Intelligence Development and has managed multi-agency partnerships at a strategic level to reduce the risk of harm within communities.   

Now an independent consultant aligned to the SBRC, Graham helps co-ordinate activities of the Cyber Scotland Partnership to raise awareness of cyber threats and how they can be mitigated. He works closely with the Scottish Government and others to promote Cyber Essentials, CiSP and NCSC resources to help organisations increase their cyber resilience.   

Whilst passionate about his work, he is also a proud dad and granddad and enjoys travelling and spending time with his family and friends.