Ocean Kinetics - The Engineering Experts

Council / SIC must remain vigilant against threat of cyber attacks, councillors told

SHETLAND Islands Council (SIC) cannot be complacent and must remain vigilant to the threat of cyber attacks.

That is the view of corporate services director Christine Ferguson, who said it can sometimes take up to two years for an organisation to fully recover from a cyber attack.

It comes after debilitating cyber attacks on the Scottish Environment Protection Agency (SEPA) and the University of the Highlands and Islands (UHI).

An updated SIC ICT security policy was approved by councillors this week.

Speaking at a meeting of the policy and resources committee on Tuesday, ICT manager Susan Msalila said that the main change in the new policy was the addition of a paragraph on cyber security and awareness.

She said she was confident there is “sufficient flexibility” in the ICT department to respond to any potential attack, with a “reactive” team on hand to respond.

“I am not complacent about it,” Msalila said. “In the industry people speak about when not if, but I think that the team that we’ve got in place for reacting to stuff is really good and really resilient.”

One example given was the response to the recent UHI attack, which closed Shetland College.

“We were very, very quickly able to sever the links between us and them,” she said.

Ferguson said she was three quarters of the way through a training course run by the National Cyber Security Centre.

“One of the key messages…is that there is no room for complacency, and in actual fact in terms of the threat, there are so many factors that leave us vulnerable,” she said.

Ferguson said ICT is only one of them – “the rest is down to how we behave”, with this increasingly important as digital life becomes the norm.

She added it was “very sobering” to hear from people employed by SEPA and UHI.

“The length of time it would take for organisations to fully recover is eye watering,” Ferguson said.

“We’re not talking months…to recover fully can take anything up to two years. So we cannot be complacent, we must be vigilant.”

At a meeting of the full council on Wednesday both a digital strategy and an ICT strategy for the coming years were approved in addition to the security policy.