Introduce cybersecurity in schools, experts warn

Experts have called for cybersecurity lessons to be taught alongside English and maths in Scottish schools.

Speaking at Holyrood’s 2025 Public Sector Cyber Security Scotland event, held at Dynamic Earth in Edinburgh, David McKeand, sales manager for public sector Scotland and Wales at cyber solutions firm Fortnitet, outlined the key challenges standing in the way of building a cyber-resilient nation.

“I am a parent of two, and children are growing up in a vastly different world. Kids of the future need cyber skills,” he told delegates. “[And] the skills gap is one of the largest risks to cyber resilience.”

It comes amid poor performances across STEM subjects in Scottish schools. The Commission on School Reform described pass rates as “very worrying” after finding only four in 10 of all S4 pupils had passed mathematics at National 5 level, with the figure dropping to less than one in 10 for those taking computing science.

McKeand also urged for a “consistent level of training” within organisations, in a bid to tackle the growing threat posed by cybercrime.

Recent figures showed cybercrime had soared by 120 per cent over the last four years. In 2023/24 there was an estimate of 16,910 cybercrimes committed in Scotland, up from 7,710 in 2019/20.

“Employees must understand why they’re doing the training. They are the strongest line of defends against cyber-attacks”, he continued.

He also highlighted the importance of collaboration between the private and public sector, especially at a time when cybersecurity costs continue to be a barrier for the latter.

Public sector organisations have become a recurring target for cybercriminals, due to the vast amount of personal data they tend to hold. Last year, the attack on NHS Dumfries and Galloway saw patient data leaked on the dark web, after the health board refused to make a ransom payment.

However, they often can't compete with the high wages offered by private sector companies to cybersecurity professionals.

The plenary, which discussed the journey towards a cyber-resilient Scotland, also highlighted the importance of incident response plans – which allow IT professionals to know how to respond to an attack.

Jude McCorry, chief executive of the Cyber and Fraud Centre – Scotland, noted that there had been a rise in the number of organisations with a plan in place following the CrowdStrike outage last summer, which crashed millions of Windows devices worldwide, causing a disruption across many services and businesses. However, she suggested there was still room for progress, with cyberattacks being a case of “when and not if”.

“Every decision you make [following an attack] will come back to haunt you. You need to make sure you’re legally supported, and you have a good comms team,” she added.

McCorry highlighted plans should include testing protocols similar to those used for other systems, such as fire alarms. “There is no point in having good executive education if you don’t test it,” she said.