CyberScotland Bulletin

April 2022

The CyberScotland Bulletin is designed to provide you with information about the latest threats, scams, news and updates covering cyber security and cyber resilience topics. We hope you continue to benefit from this resource and we ask that you circulate this information to your networks, adapting where you see fit. Please ensure you only take information from trusted sources.

If there are any cyber-related terms you do not understand, you can look them up in the NCSC Glossary.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Keep up to date on social media, follow us on Twitter and LinkedIn.

Scottish Cyber Winner 2021
Section National Cyber Security Centre (NCSC)

National Cyber Security Centre (NCSC)

Cyber Aware Campaign

The National Cyber Security Centre (NCSC) has launched its latest Cyber Aware campaign which provides actionable advice on defending digital assets against the threat of online scams and hacking. The message focuses on securing your most important accounts by following two simple steps:

  1. Use a password based on 3-random words (3RW)
  2. Secure accounts by enabling 2-step verification (2SV)

Using three random words (3RW) will help you to set passwords that are unique, strong and easy to remember. Enabling 2-step verification (2SV) significantly decreases the likelihood of an account being hacked. 2SV works by asking for more information to prove your identity. For example, getting a code sent to your phone when you sign in using a new device or change settings such as your password.

Section

Department for Digital, Culture, Media and Sport (DCMS) Cyber Breaches Survey 2022

The annual DCMS Cyber Security Breaches Survey 2022 has been published, detailing the cost and impact of cyber breaches and attacks on businesses, charities and educational institutions.

The survey highlighted that cyber attacks are becoming more frequent with almost a third of charities (30 per cent) and two in five businesses (39 per cent) reported cyber security breaches or attacks in the last 12 months. Of the 39% of UK businesses who identified an attack, the most common threat vector was phishing attempts (83%).

The NCSC has a range of cyber resilience guidance and advice on their website to help organisations improve their cyber security practices. The Small Business Guidance and Small Charity Guide contain easy steps to increase protection from the most common types of cyber crime. If you want to improve your security further, then you can seek certification under the Cyber Essentials scheme. The CyberScotland website has the latest cyber security guidance and resources for Scotland.

Cyber Breaches Survey 2022 Figure_5.1
Percentage of organisations that have identified breaches or attacks in the last 12 months. Img DCMS
Section

NCSC Threat Report

The NCSC produces weekly threat reports drawn from recent open source reporting. View this week’s report here.

NCSC are also producing regular email updates relating to the Russian invasion of Ukraine and any cyber threats that may impact UK organisations and citizens. The NCSC are not aware of any specific, targeted cyber threats to the UK as a result of the invasion but are encouraging organisations to remain vigilant and follow their advice to improve your security. Dr Ian Levy (NCSC Technical Director) explains in his blog post, what you should consider if you use Russian technology products or services at home or as part of your organisation’s IT infrastructure.

To ensure you get the most up-to-date information from NCSC, you can sign up to their email service where they are sharing all advisories, threat reports, and urgent communications. Select ‘threat report and advisories’ to receive the most up to date content.

Organisations should consider joining the Cyber Security Information Sharing Partnership (CiSP), a government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment. Check out the details for why you should become a member and how to register.

The NCSC’s Reporting Service

The NCSC is a UK Government organisation that has power to investigate and take down scam email addresses and website. Since April 2020, members of the public have reported over 10.5 million suspicious emails to the UK’s cyber experts, resulting in the take down of 76,000 online scams.

You can help to play your part in protecting others by reporting suspicious activity online and help make the internet a safer place.

In Scotland, report all scams to Advice Direct Scotland by calling 0808 164 6000 (Mon-Fri 9am-5pm) or online at www.consumeradvice.scot. Visit scamwatch.scot to use the Quick Reporting Tool.

If you become a victim of cyber crime you can report this to Police Scotland by calling 101.

Section Scottish Government

Scottish Government

National Cyber Resilience Advisory Board welcomes applications for new Board Members

Would you like an opportunity to help contribute to Scotland’s cyber resilience? The National Cyber Resilience Advisory Board (NCRAB) was established in 2016 to provide a cross-sectoral Board to support and ensure an evidence-based, collaborative approach to cyber resilience.

It brings together leaders and influencers from across the private, public and third sectors to provide strategic advice, challenge and support to Scottish Ministers and the Scottish Government to help guide work being undertaken to achieve the vision set out in the Strategic Framework for a Cyber Resilient Scotland, where Scotland thrives by being a digitally secure and resilient nation.

NCRAB are looking for new Board members who are interested in helping to drive the ambition to improve Scotland’s cyber resilience and cyber security. If you would like the chance to be part of shaping and implementing our national policies in this area, this is a great way to get involved and contribute.

Application Process:

Download the NCRAB-Application-pack

Please submit completed application to [email protected]

Applications close on 4 May 2022.

If you have any questions about the role, application process, or to arrange an informal conversation about the role, please email [email protected]

Section Trending Topics

Trending Topics

Scottish Charity falls victim to cyber attack

Sadly, the charity sector can be an attractive target for criminals. Charities hold funds, personal, financial and commercial data that is of interest or monetary value to a range of cyber criminals and other groups.

According to the DCMS cyber breaches survey, around three in ten charities (30%) reported having any kind of cyber security breach or attack in the last 12 months. Among those identifying any breaches or attacks, almost half of charities (44%) say this happens once a month or more often, and a quarter of charities (26%) say they experience breaches or attacks at least once a week.

Last month, the Scottish Association for Mental Health (SAMH) announced on their website they were the recent victims of a cyber attack and were dealing with an incident which was impacting their ability to receive and respond to emails across their services. Police Scotland are investigating and providing support to those affected.

Charities can significantly increase their protection against the most common cyber threats by following the actions in the NCSC’s Small Charity Guide. It is essential that organisations have a clearly defined plan to prevent, detect, respond and recover from cyber attacks and then testing out this plan in advance so that staff know what to do if they are impacted. The free Cyber Incident Response Plan provides useful information on preparing a robust and effective incident management and response capability. The documents will compliment any existing Incident Response Plan or assist you in creating one.

small charity guide
https://www.ncsc.gov.uk/collection/charity
  • NCSC has a free staff training package alongside a range of helpful resources.
  • Use NCSC’s free ‘Exercise in Box tool’ to help test your response to dealing with various cyber incidents including ‘threating leak of sensitive data’ and ‘a ransomware attack delivered by a phishing email’ scenarios. Charities can also sign up to Scottish Business Resilience Centres’ ‘Micro Exercise in a Box’ facilitated workshops where they will talk you through a scenario and help improve your organisation’s resilience.
  • Check out Scottish Council for Voluntary Organisations website for helpful links including their cyber check-up tool to help self assess of your current cyber resilience and work out your next steps.
Section

Cadbury Chocolate Scam

Consumers are being warned about a phishing email offering a ‘free Easter Chocolate basket’ from Cadbury. The messages which have been circulating on social media contains malicious links that are designed to steal your personal information in return for ‘free chocolate’.

Cadbury have confirmed that this message is a scam and wasn’t generated by them, they are encouraging consumers not to interact. Always treat unexpected emails, texts, phone calls and social posts with caution. The NCSC has published guidance to help people recognise scam messages, and advises that if a message feels suspicious or too good to be true, contact the organisation directly. Our CyberScotland blog ‘Phishing Explained’ includes tips for spotting the tell-tale signs of a phishing attack.

Scottish consumers can report suspected scams at http://scamwatch.scot and report phishing emails by forwarding them to [email protected]

Cadbury Easter Scam
Example of Scam message - Image from Which?
Section

Rising costs of living

The cost of living is impacting people across the country and it’s important to remain vigilant for any fraudulent activity and not let criminals take advantage during this difficult time.

Criminals are opportunistic and look to exploit people that may be looking for ways to save money. They adjust their scams in order to trick their victims in to sending them personal information and or money.

There have been reports from energy suppliers that many pre-payment account holders have been offered discounted prices by criminals. Criminals may tempt individuals in to taking up ‘too good to be true’ offers, such as ‘inflation-beating’ investment opportunities that have unusually high returns, fake food vouchers and shopping gift cards.

It’s important to do your research before handing over any personal details or money to a person or organisation and be wary of any messaging via email, text or social media. If you are considering an investment, you can use the Financial Service Register and Warning List on the Financial Conduct Authority website to check who you are dealing with. They also have tips for avoiding investment scams.

nick-fewings-SoqG9RWd_FA-unsplash

Last week, Advice Direct Scotland ran a Consumer Spending and Financial Awareness campaign, sharing ways Scottish citizens can save money and sources that can help.

If you fall victim to fraud, you should contact your bank to seek advice and report the crime to Police Scotland.

Section Newsletters / Campaigns

Newsletters / Campaigns

Trading Standards Scotland, Shut out Scammers Campaign

Trading Standards Scotland are working in partnership with Police Scotland and Local Authorities to coordinate the annual Shut Out Scammers campaign, which will run for 4 weeks from 25 April – 22 May 2022. The campaign looks to raise awareness of the issues around doorstep crime and signpost organisations that are able to help.

Other scams to be aware of are identified in the latest Trading Standards Scotland Scam Share newsletter. You can sign up for the weekly newsletter here. Check out their #ScamShare Spotlight PDFs focusing on frequently reported email, phone, text and cyber scams in Scotland.

Neighbourhood Watch Scotland

Sign up to the Neighbourhood Watch Alert system to receive timely alerts about local crime prevention and safety issues from partners such as Police Scotland.

Section

Take Five to Stop Fraud – The Art of Impersonation

This week Take Five to Stop Fraud, are running their ‘The Art of Impersonation’ campaign highlighting the ways that criminals pretend to people from organisations we know, in order to gain our trust and ask for payments or personals information.

If you receive a message from someone asking for your information or money, always remember to Stop, Challenge, Protect.

art of impersonation
Section Training and Webinars / Events

Training and Webinars / Events

Heightened Cyber Risk for the Third Sector – Briefing Session, Scottish Government, 28th April

In light of the recent destructive cyber attacks including the SAMH Cyber Incident, the Scottish Government’s Cyber Resilience Unit will be hosting a webinar for third sector organisations to discuss the current cyber threats and steps to help manage your own cyber risk. This session will be at 10-11:30am on 28th April. It will be non-technical and is aimed at those responsible for cyber security within your organisation.

To register for this Microsoft Team’s event, please follow the this link.

If you do not have Teams, you can join via a web browser.

sigmund-eTgMFFzroGc-unsplash
Section

Exercise in a Box, Scottish Business Resilience Centre

Since August 2020, Scottish Business Resilience Centre has been delivering ‘Exercise in a Box’ workshops to organisations across Scotland.

Exercise in a Box is a free online tool from the NCSC, which helps organisations test and practise their response to a cyber-attack. SBRC has been facilitating workshops taking organisations through using this tool. They have delivered over 75 workshops, which were held virtually at the beginning due to the pandemic, and had over 650 organisations take part.

Following the success of this project, SBRC is bringing back more ‘Ransomware’, ‘Digital Supply Chain’, and ‘Micro Exercises’ events across Scotland. They are encouraging organisations from the public sector and housing, health and social care within the third sector organisations to strengthen their defences. These sessions are held both in-person and virtually, so if you haven’t been through this cyber exercising workshop before, this is a great opportunity for you to book your place.

For more details and to book, visit: https://www.sbrcentre.co.uk/events

Video highlights the benefits of cyber exercising. Source: SBRC
Section

CyberUK 2022, 10 – 11 May, Wales

Registration for in-person attendance at the NCSC’s flagship event, CYBERUK 2022, taking place 10-11 May at ICC Wales, Newport, is now open. Held over two days, CYBERUK 2022 will be attended by more than 1500 delegates, integrating cyber security leaders with technical professionals, strengthening the cyber security community. Keynote speeches will also be streamed on the CYBERUK YouTube channel in order to maximise accessibility for all. Apply to attend.

Section Technical Bulletin

Technical Bulletin

Technical Bulletin

The CyberScotland Technical Intelligence Bulletin is designed to provide information about emerging or escalating cyber threats and is created in conjunction with SBRC’s Cyber Incident Response team. You can sign up receive the technical bulletin.

Read the latest bulletin here

Scottish Government
Police Scotland
Scottish Business Resilience Centre
Back to top of the page