The Scottish Cyber Coordination Centre (SC3) has published an inaugural Scottish Cyber Activity Report (SCAR), as a picture of cyber activity within the countryโs public sector.
The SCAR combines findings from the Cyber Resilience Assessment of Scotlandโs public sector cyber posture with the SC3โs own incident data, threat intelligence and findings from its exercising activity. Headline findingsย include:
- Lessons are not being shared or happening fast enough across the public sector. The same gaps identified following the SEPA (Scottish Environment Protection Agency) ransomware attack in 2020, and again after the Comhairle nan Eilean Siar (Western Isles Council) attack in 2023, are identified by the SCAR as remaining.
- Business continuity plans across the sector are not aligned to modern cyber realities and scenarios, particularly the possibility of longโduration digital outages. And;
- Leadership and governance are the primary drivers of resilience outcomes: organisations that recover well are those with ownership of cyber risk at board level.
Other themes in the report include the growing importance of communications planning during incidents; uneven access to specialist incident response support; rising data theft and extortion tactics; supply chain risk; and specific concerns around education networks in local authorities.
Alan Gray, Head of the SC3 and Deputy Director of the Scottish Governmentโs National Cyber Security and Resilience Division said: โOur public sector delivers the services on which millions of people depend daily and holds vast quantities of sensitive data. It also operates in a threat environment thatโs growing more sophisticated by the month โ cyber risk is a truly systemic issue, cutting across all public sector organisations.
โRather than isolated action, we need collaboration, shared intelligence, and coordinated response. The lessons in this report are clear: business continuity plans must be reviewed and routinely tested against real cyber scenarios; communications resilience must be treated as a core capability, not an after-thought.
โWhen the same lessons recur across incidents separated by years, we are not failing to learn; we are failing to implement. The cyber threat to Scotlandโs public sector is real, it is growing, and it demands our collective attention.โ
The SCAR reports that near all, 97 per cent of Scottish public sector bodies now receive actionable threat intelligence; the vast majority have incident response plans in place and are investing in cyber resilience training; and the quality of preparedness across the sector is measurably improving.
Alan Gray added: โThese are not small achievements. They reflect years of sustained effort by dedicated professionals across every part of the public sector.โ
Since 2018, SC3 and the Scottish Government have coordinated the response to 183 cyber incidents across the public sector. That included 43 incidents in 2025 alone, almost a quarter (23.5pc) of the total over the seven-year period. Ransomware was identified as the most common cause of public sector cyber incidents by a significant margin, which reflects broader UK incident reporting.
The SCAR provides a baseline for measuring progress against the refreshed Strategic Framework for a Cyber Resilient Scotland 2025-2030, presenting cyber resilience as a collective challenge. The publication follows the eighth annual awareness-raising CyberScotland Week in February; and comes ahead of the national UK official CYBERUK conference, this year in Glasgow between April 21 and 23.
