Cybersecurity professionals have raised concerns that local authorities across Scotland remain underprepared for cyber threats and are hampered by outdated IT infrastructure.
In recent days, multiple Scottish organisations have fallen victim to cyber incidents. Among them are Edinburgh and West Lothian Councils. In Edinburgh, an attempted cyber attack targeting the education department disrupted students’ access to crucial revision materials during exam season. The attack involved a targeted "spear-phishing" attempt—an advanced, more personalised form of phishing. Fortunately, staff identified the threat after receiving a suspicious meeting invitation earlier that day.
Earlier that week, a suspected ransomware attack affected schools in West Lothian. Though no sensitive or personal data was compromised, the council had to implement backup plans to keep schools operational.
Cybersecurity experts are now sounding the alarm, warning that many public bodies are neither equipped to prevent such attacks nor adequately prepared to recover from them.
Dr Karen Renaud, a cybersecurity expert and reader in the Department of Computer and Information Sciences at Strathclyde University, said many organisations lack the foresight and systems needed for effective recovery following a breach.
“If you fail to plan, you plan to fail,” she warned. “Many organisations don’t even have a plan to recover after a successful attack. They put most of their eggs into the ‘resistance’ basket. Balancing things out and trusting everyone to play their part does not need to cost that much more.”
Dr Renaud emphasized that resilience needs to be prioritised alongside resistance.
“Resistance is usually achieved by using technical measures and ensuring that staff are well aware of secure actions they should take. Many organisations fail to give the same amount of time and attention to resilience, so when they get breached things fall apart.
There is a simple technique called replication where you ensure that a fully replicated system can take over if one system fails or is breached.
She also criticised the notion that human users are the weakest link in cybersecurity, calling it a flawed perspective.
“If humans are falling for phishing attacks, they either have not been trained effectively to cope with the new AI-generated phishing attacks or the organisation has not implemented measures like two-factor authentication to act as a safety net in case people do get deceived.
On the surface it might look as if humans are the vulnerability - the actual vulnerability is that organisations respond by applying more and more constraints, rules and restrictions on employees.
When you treat humans as the problem, they will become the problem.
Organisations need to start treating their employees as the solution and giving them the knowledge and ability to be the solution.”
Dimitros Pezaros, professor of computer networks at the University of Glasgow, echoed similar concerns, pointing to the risks posed by legacy IT systems, particularly in public sector environments where regular software updates, or patching, may not be straightforward.
He noted that investment in cybersecurity remains insufficient across many public organisations.
“In contrast to other parts of our civil infrastructure, such as roads and bridges, we have traditionally approached software systems as less critical, hence prioritising requirements such as speed of development, deployment and reduced cost - at the expense of cybersecurity,” he explained.
“We have been able to get away with it and with retrofitting cybersecurity to existing systems, mainly due to the lack or slowness of pervasiveness of software systems. However, in this modern day and age where software and digitalisation are pervasive and are used to drive critical systems, the frequency and intensity of cyber attacks are, and will increasingly be, such that lack of native cybersecurity will be extremely costly to retrofit later, while the consequences of cyber attacks can be dramatic.”
Professor Pezaros also pointed out a rising trend in cyber attacks across multiple sectors—including local councils, healthcare, and retail—where attackers aim to extort victims by threatening to release or withhold access to sensitive information.
“As a minimum, organisations should be able to report cyber incidents promptly and honestly, let relevant stakeholders know what has happened and what elements of the system have been compromised and, operationally, be able to react swiftly to detect breaches and minimise damage, for example through employing principles of data and system segregation. Also, be proactive, making sure that any data they store remains encrypted.”
The wave of cyber threats has prompted mounting political pressure on the Scottish Government to take action. Miles Briggs MSP, education spokesperson for the Scottish Conservatives, commented on the urgency of the situation:
“Last week’s cyber attack, which left pupils in Edinburgh unable to access revision materials days before their exams, shows there are still huge vulnerabilities in the way our councils store information.
Organisations are often too quick to blame people for the problems rather than admitting their cybersecurity system isn’t up to scratch.
SNP ministers need to ensure that public bodies and local authorities have robust cybersecurity mechanisms in place to avoid further security breaches.”
Scottish Liberal Democrat leader Alex Cole-Hamilton added that prior incidents have shown the lasting and costly impact of cyber attacks on public services:
“We know from previous cyber attacks on SEPA and NHS Dumfries and Galloway that these attacks can be complex, expensive and the full impact not truly understood for a considerable period of time.
As more of our lives move online, there are also going to be an increasing number of malicious actors out there trying to cause chaos or make a profit.
The Scottish Government must ensure that local authorities, health boards and public bodies have the support they need to toughen up their digital infrastructure and avoid disruption to people’s lives.”