CATEGORIES
CyberScotland BulletinsThe CyberScotland Bulletin is designed to provide you with information about the latest threats, scams, news and updates covering cyber security and cyber resilience topics. We hope you continue to benefit from this resource and we ask that you circulate this information to your networks, adapting where you see fit. Please ensure you only take information from trusted sources.
If there are any cyber-related terms you do not understand, you can look them up in the NCSC Glossary.
Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.
Keep up to date on social media, follow us on Twitter and LinkedIn.
National Cyber Security Centre (NCSC)
New principles to help make cloud backups more resilient
NCSC have introduced a new set of principles to strengthen the resilience of organisations’ cloud backups from ransomware attackers.
Backups are an essential part of an organisation’s response and recovery process and making regular backups is the most effective way to recover from a destructive ransomware attack, where an attacker’s aim is to destroy or erase a victim’s data.
Using the NCSC principles to secure backups in the cloud is just one of the ways you can improve your organisational resilience.
Read more about it here
Exploitation of Cisco IOS XE vulnerabilities affecting UK organisations
NCSC are encouraging organisations to take action to mitigate vulnerabilities affecting Cisco IOS XE (CVE-2023-20198 and CVE-2023-20273) and follow the latest vendor advice.
Cisco has published an updated advisory detailing two vulnerabilities affecting Cisco IOS XE devices. Both are being actively exploited.
The NCSC is working with UK organisations known to be impacted and have notified affected UK organisations signed up for the NCSC Early Warning service.
Read more about it here
Business communications – SMS and telephone best practice
The rise in Artificial Inflation of Traffic (AIT) is leaving many businesses out of pocket.
To counter this growing threat, the NCSC have updated their SMS and telephone best practice guidance, which is designed to help organisations, and their customers reduce exposure to SMS and telephone-related fraud.
AIT is a technique used by criminals that generates large volumes of fake traffic through apps or websites. This type of fraud can cause substantial financial cost to businesses.
Read more about the new guidance here
NCSC Threat Report
The NCSC produces threat reports drawn from recent open-source reporting. View the latest report here.
To ensure you get the most up-to-date information from NCSC, you can sign up for their email service where they are sharing all advisories, threat reports, and urgent communications. Select ‘threat report and advisories’ to receive the most up-to-date content.
Organisations that are proactive in their approach to the management and handling of cyber security should consider joining the Cyber Security Information Sharing Partnership (CiSP).
The NCSC’s Reporting Service
The NCSC is a UK Government organisation that has the power to investigate and take down scam email addresses and websites.
As of January 2023, Suspicious Email Reporting Service (SERS) has received over 17 million reported scams since its launch in 2020, which have resulted in 114,000 scams have been removed across 209,500 URLs.
You can help to play your part in protecting others by reporting suspicious activity online and help make the internet a safer place.
In Scotland, report all scams to Advice Direct Scotland by calling 0808 164 6000 (Mon-Fri 9 am-5 pm) or online at www.consumeradvice.scot. Visit scamwatch.scot to use the Quick Reporting Tool.
If you become a victim of cyber crime you can report this to Police Scotland by calling 101.
Trending Topics
CyberScotland Summit 2023
Held in the RBS Conference Centre Gogarburn on the 31st of October the CyberScotland Summit was a successful day filled with interesting talks from a line up of great speakers and panelists, alongside great networking opportunities.
The day began with an opening talk from Clare El Azebbi, Chair of the CyberScotland Partnership, emphasising the value of the partnership, and the event was co hosted by Jude McCorry, CEO of Cyber and Fraud Centre and Karen Meechan, CEO of ScotlandIS, both CyberScotland partners.
There was a wide range of subjects covered on the day including ransomware attacks, AI and its potential for good and bad, diversity in the Scottish cyber landscape and the improvements and changes that can be made, the value of good leadership, the importance of threat intelligence sharing, an update from the NCSC, how to inspire the cyber workforce of the future with a panel that included students from Stirling High School who won last years CyberFirst Girls Competition, and more.
The day was well attended with approximately 250 people present at the event, and the CyberScotland partnership was strongly represented among the attendees and speakers, all engaged in improving the cyber resilience of Scotland.
Read more about it here
New cyber security book aimed at young children launched as first-of-its-kind
The Scottish Government and Education Scotland officially launched ‘The Bongles and the Crafty Crows’ at the cyberQuarter in Dundee on Monday 30th October, with the Cabinet Secretary for Education and Skills, Jenny Gilruth MSP present at the launch.
The unique and first-of-its-kind illustrated learning resource for children aged 4-7, demonstrates the importance of passcodes and passwords to help teach youngsters about cyber security.
The story book will be part of the P1 Bookbug bags for every primary one child in Scotland. It is due to be distributed in November, ahead of Scottish Book Week from November 13-19, with Gaelic language versions also sent to schools delivering in that medium.
Read more about it here
HMRC issue scams warning for 12 million Self Assessment customers
Self Assessment customers are urged to be on the lookout for scam texts, emails and phone calls from fraudsters.
This warning comes as HM Revenue & Customs (HMRC) received more than 130,000 reports about tax scams in the 12 months to September 2023, of which 58,000 were offering fake tax rebates.
The scams take different approaches. Some offer a rebate; others tell customers that they need to update their tax details or threaten immediate arrest for tax evasion.
Read more about it here
Funding injection will help small firms adopt new cyber security tech
Fresh funding has been secured to boost the uptake of new internet-based technologies and cyber-security software among Scotland’s smaller businesses.
IoT Secure is a business support initiative led by Internet of Things (IoT) experts at Censis, Scotland’s innovation centre for sensing, imaging and IoT technologies. The programme offers cyber security workshops and one-to-one consultations to small and medium-sized enterprises (SMEs) and start-ups. It aims to engage with businesses from Scotland’s growth sectors including aquaculture, maritime, agri-tech and manufacturing.
Since launching in 2020, the initiative has helped around 40 companies, with at least 10 more expected to join during the next phase.
The funding from the government will allow the scheme to run until March of next year.
Read the full article here
Record ransomware levels recorded in September, according to NCC Group
A record number of ransomware attacks were detected in September by cyber security firm NCC Group, marking a 153 per cent rise since 2022.
The Manchester-based firm’s Threat Pulse survey showed there were 514 victims’ details released on dark web leak sites last month. It breaks the record set in July 2023, which had previously held the top spot with 502 attacks, according to the company.
Matt Hull, global head of threat intelligence at NCC Group, said: “After the drop in ransomware attacks in August, the surge in attacks during September was somewhat anticipated for this time of year. However, what stands out is the volume of these attacks and the emergence of new threat actors who have been major drivers of this activity.”
Read the full article here
Lesser-Known Social Engineering Attacks
Social engineering has evolved far beyond generic phishing emails. Today’s attacks employ highly targeted, stealthy techniques specially crafted to exploit human psychology. The Cyber and Fraud Centre has posted a blog which delves into some under-the-radar techniques to give a well-rounded understanding of social engineering to be more prepared.
The blog explores lesser known attacks such as pretexting, whaling, dumpster diving, usb drops and shoulder surfing.
Read the full blog here
Booking.com customers targeted by scam ‘confirmation’ emails
Travellers are getting seemingly convincing messages asking them to provide bank card details and threatening their reservation will be cancelled.
In recent weeks the Observer has been contacted by a number of customers claiming that they had received scam emails from within the Booking.com system.
In each case the customer has either checked in, or was due to check in, to a hotel they had reserved using Booking.com. The email – sent from [email protected] – claims their stay may have to be cancelled unless they hand over their bank card details via an embedded link.
Read the full article here
Double-edged sword: cyber security as blocker and enabler
As Web4.0 – the symbiotic web – continues to usher in increasingly sophisticated cyber threats, including supply chain attacks, UGC-enabled fraud and AI-generated BEC attacks, the UK Cyber Security Council explores the importance of a conceptual shift in what cyber security means for non-expert users.
With threats growing in severity and complexity, it is time to see cyber security as an ally rather than a blocker. IBM estimates that human error accounts for 95% of all data breaches, which cost UK companies an average of £3.4 million in losses.
Cyber security concerns are not just for the IT Department. It pays for the whole team to see cyber security as essential to good business practice. Across organisations, there are several ways cyber security acts as an enabler, facilitates best practice and helps deliver value at a strategic level, going way beyond ticking compliance boxes.
Read the full piece here
Newsletters/Campaigns
DigiKen?
Rereleased during Cyber Security Awareness Month CyberScotland’s DIGI Ken adverts offer a valuable resource that aims to promote awareness of steps that users can take to ensure that they stay secure online.
These adverts are based on the NCSC’s Cyber Aware key actions of choosing strong passwords consisting of 3 random words, turning on 2-Step Verification and updating your devices, the advice is easy to follow and will help improve your online security.
Read more about the DigiKen campaign here
Watch the videos on the official CyberScotland YouTube page here
Charity Cyber Essentials Awareness Fortnight
Between the 6th and the 17th of November 2023, IASME will be working closely with the NCSC, partners and Certification Bodies to educate charities about the cyber threat they face and to inform them about the benefits of Cyber Essentials.
A package of support, advice and guidance will be offered to charities, along with a discount to the price of Cyber Essentials certification for registered charities to help them achieve Cyber Essentials.
Find out more about it here
Scottish Careers Week
Save the date for Scottish Careers Week as the annual campaign returns from 13-17 November 2023.
Delivered by CyberScotland partner Skills Development Scotland (SDS), the national skills agency, along with a wide range of local and national partners, Scottish Careers Week will feature events and activities to help people of all ages explore, understand and manage their career choices, and the services and resources available to support them.
Although the focus of the week is more general, the wide range of events and activities can still certainly help guide you toward being better prepared if you choose to pursue a career in cyber.
See a list of the events here
IASME Launch International Baseline Cyber Security Certification
The IASME Consortium launched IASME Cyber Baseline, a new cyber security certification for organisations outside the UK. The standard leads the way to offer global supply chains a standardised and respected certification to show that organisations have the basic but critical cyber hygiene measures in place.
IASME Cyber Baseline maps to a number of international cyber hygiene standards and best practices, to which there has formerly been no way of demonstrating compliance because they do not have assessments and certification associated with them.
The scheme is an important first step for many organisations in proving that they are serious about cyber security. It is one pre-requisite to the next step of certifying to the comprehensive risk based and policy driven standard, IASME Cyber Assurance.
Find out more about it here
Trading Standards Scotland, Scam Share Newsletter
Other scams to be aware of are identified in the latest Trading Standards Scotland Scam Share newsletter. You can sign up for the newsletter here.
Check out their #ScamShare Spotlight PDFs focusing on frequently reported email, phone, text and cyber scams in Scotland.
Neighbourhood Watch Scotland
Sign up for the Neighbourhood Watch Alert system to receive timely alerts about local crime prevention and safety issues from partners such as Police Scotland.
Training and Webinars/Events
CyberScotland Week 2024
With instances of cyber crime and fraud on the rise, the CyberScotland Partnership is preparing to launch a week of events aimed at engaging the country’s businesses, organisations and individuals with cyber security and awareness.
Read more about it here
Visit the official page to learn more or register an event here
Safer Internet Day Planning Event Scotland
The Safer Internet Day 2024 theme is ‘Inspiring change? Making a difference, managing influence and navigating change online’. At this exclusive event, you’ll hear from Scottish Government, Ofcom, Internet Watch Foundation and others about online safety in Scotland and the changing online world. We’ll walk you through the 2024 Safer Internet Day campaign and free educational materials.
Date: 20 Nov 2023 14:00 – 16:30
Location: Ofcom Scotland, Floor 6, Quartermile One 15 Lauriston Place Edinburgh EH3 9EH
Book your ticket to attend on 20th November here
Public and Third Sector Cyber Roadshow: Aberdeen
The Cyber and Fraud Centre is hitting the road and will deliver a series of events for Public and Third sector organisations across the country. These events will focus on discussing some key cyber security topics you and your organisation or charity should be considering for 2023.
Everything discussed will tie in with additional resources available and help you fully utilise these within your own organisation or charity. There will be guest speakers at each event, but the overall topics will be the same across the board. Each event will be in person giving everyone an excellent chance to network with others working within the Public and Third Sectors interested in cyber security.
Date: 9 November 2023
Location: One Tech Hub, Schoolhill, Aberdeen, AB10 1JQ
Find out more or register here
Digital Scotland 2023
DigitalScotland is the largest annual gathering of public sector technology professionals, where global govtech leaders share technology insights and lessons in digital transformation, leadership, skills, cultural change and data-driven innovation.
The full-day conference features a fantastic line-up of globally accredited speakers on topics as diverse as service design, ethics in AI, the internet of things, cybersecurity, 5G and much more.
Date: 21 November 2023 – 08:30 – 17:30
Location: Edinburgh International Conference Centre
Find out more and register here
Scottish Cyber Awards 2023
The Scottish Cyber Awards not only honours the outstanding talent in Scotland but also unites the cyber community for an enjoyable evening of networking.
Now entering its 7th year the Scottish Cyber Awards has become the go to event in the cyber calendar. The event will also be hosted by comedian Fred MacAulay.
Date: 30 November 2023
Location: Assembly Rooms, Edinburgh
Find out more and book your tickets here
DigitExpo 2023
DIGIT Expo is the largest annual technology event in Scotland. Attendees will experience live keynotes, interactive workshops, a bustling exhibition hall and a networking area. It is a must-attend for senior technologists, digital innovators and IT leaders.
The event will be held 100% live. Attendees will have the chance to network with over 1000 attendees, explore 40+ exhibitions, and hear from 50+ speakers. Speakers from 2022 included: Google, IBM, HSBC, Experian and many more.
Date: 23 November: 9am – 5pm
Location: Edinburgh’s International Conference Centre
Tickets are free and everyone is welcome! Book your ticket here
Exercise in a Box ‘Micro Exercises’ and Train the Trainer
Exercise in a Box is an online tool from the NCSC which helps organisations test and practise their response to a cyber attack. It is completely free, and you don’t have to be an expert to use it. The service provides exercises, based around the main cyber threats, which your organisation can do in your own time, in a safe environment, as many times as you want.
The Cyber and Fraud Centre have been facilitating sessions over the past few years, which has seen hundreds of organisations learn about it and how it can benefit their organisation
The micro exercise introductory session combines several fundamental aspects of cyber security with additional, broader cyber security learnings to ensure all organisations, regardless of their sector or level of cyber knowledge, can benefit and enjoy.
The Train the Trainer sessions will take a different approach to the main EiB sessions. Instead of running through a practical scenario, they will be showcasing how you can facilitate a session in your own organisation