Ransomware: When Your Business Simply Stops

Christmas Eve 2020. Six in the morning. The Scottish Environment Protection Agency discovered its entire system had been encrypted overnight.

Every file. Every database. Every communication channel. Gone.

SEPA is a Category 1 responder. They issue flood warnings. They protect communities. And they could not access anything. Mark Gallagher was in the Gold Group response meeting by midday, helping work out how to get the organisation functional again. The Scottish Government had to issue senior management with personal email addresses so they could communicate with each other.

Then there is the detail that makes it personal. SEPA had paid their staff just before the attack. If they had not, the staff would not have been paid that month. There was no access to finance. No access to HR. They did not even know who their staff were.

The recovery cost around £5.5 million. Roughly £2 to £2.5 million of that was unclaimed billings from businesses that owed SEPA money, saw the story hit international news on Christmas Eve, and quietly decided to wait for a reminder that never came.

WHAT A BUSINESS OWNER EXPERIENCES

You arrive at work, or log in remotely, and nothing works. Files will not open. Systems will not load. A message appears demanding payment in cryptocurrency in exchange for a decryption key. There is a deadline. There is a threat.

WHAT IS REALLY HAPPENING

In almost every case, it started weeks earlier with a phishing email. Someone clicked a link or opened an attachment. Malware installed itself silently and spread through the network, mapping what was there, gaining access to more systems. Then, at a chosen moment (a Friday night, a bank holiday, the morning of Christmas Eve), everything was encrypted simultaneously.

Many criminal groups also steal your data before encrypting it. This is called double extortion: they threaten to publish your client records publicly unless you pay. Paying does not guarantee you get your data back. And it funds the next attack on someone else.

The Scottish Association for Mental Health was hit in the same period. A charity worth around £10 million. Their carers, out in communities supporting people at the lowest points in their lives, could not communicate back to headquarters because everything had been encrypted. This is not an abstract financial risk. It is a human one.

THE 72-HOUR CLOCK

If personal data is involved – client records, staff information, anything covered by GDPR – you have 72 hours from the moment you become aware to notify the Information Commissioner’s Office. As Gordy McDonald put it in Aviemore, if you do not, they will come down on you like a ton of bricks. The clock starts when you know, not when you finish investigating. Set a reminder on your phone right now.

ACTION THIS DAY

1. Confirm you have three copies of your business data: one on your main network, one in the cloud, and one on an encrypted external device stored offline and away from your main systems. Then confirm that someone other than your primary IT contact knows where that external backup is and can physically restore from it. That last part is the step most businesses miss entirely.

2. Name your incident response deputy. You cannot rehearse in a crisis, and a single point of failure in your response plan is a vulnerability in itself. Gordy, who spent 22 years as a Police Scotland dive supervisor, put it clearly: he would never put a team into a dangerous environment without knowing that every person was fully versed in the response. The same logic applies to your business.

3. Write three phone numbers on paper right now: your IT provider or incident response contact, your cyber insurer, and the ICO reporting line. Put that paper somewhere physical. In a ransomware attack, your digital documents may also be encrypted.

CONVERSATION TO HAVE WITH YOUR TEAM

Ask: if we came in tomorrow and nothing worked, what are the first three calls we would make? The answers should include your IT provider, your cyber insurer and the ICO. If your team does not know those numbers, that is this week’s action. And if you cannot confirm that someone has physically restored a file from your backup in the last three months, you do not yet have a working backup – you have the idea of one.
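The restore check in action item 1 and the "idea of a backup" test above can be made routine. This is an added example, not from the article or the event speakers: it assumes you have already restored the offline backup into a scratch folder, then compares that folder file by file against the live copy and flags a drill as overdue after 90 days (the article's three months). The sample files and dates are constructed.

```python
import hashlib
import tempfile
from datetime import date, timedelta
from pathlib import Path

DRILL_INTERVAL = timedelta(days=90)  # the article's "last three months"

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def compare_trees(live: Path, restored: Path) -> dict:
    """Check every file under `live` against its restored copy by SHA-256."""
    result = {"missing": [], "mismatched": [], "ok": 0}
    for src in sorted(p for p in live.rglob("*") if p.is_file()):
        rel = src.relative_to(live)
        dst = restored / rel
        if not dst.is_file():
            result["missing"].append(rel.as_posix())
        elif sha256_of(src) != sha256_of(dst):
            result["mismatched"].append(rel.as_posix())
        else:
            result["ok"] += 1
    return result

def drill_overdue(last_drill, today=None) -> bool:
    """True when no successful restore drill falls within DRILL_INTERVAL."""
    today = today or date.today()
    return last_drill is None or today - last_drill > DRILL_INTERVAL

def run_drill(live: Path, restored: Path, last_drill, today=None) -> dict:
    report = compare_trees(live, restored)
    report["passed"] = report["ok"] > 0 and not (report["missing"] or report["mismatched"])
    report["overdue"] = drill_overdue(last_drill, today)
    return report

def build_sample() -> tuple:
    """Constructed sample data, not real business files: one intact copy,
    one silently corrupted restore, one file that was never backed up."""
    root = Path(tempfile.mkdtemp())
    live, restored = root / "live", root / "restored"
    for d in (live / "hr", restored / "hr"):
        d.mkdir(parents=True)
    (live / "invoices.csv").write_bytes(b"inv,amount\n1,100\n")
    (restored / "invoices.csv").write_bytes(b"inv,amount\n1,100\n")
    (live / "hr" / "staff.csv").write_bytes(b"name\nAlice\n")
    (restored / "hr" / "staff.csv").write_bytes(b"name\nAlic\n")  # corrupted
    (live / "payroll.csv").write_bytes(b"run,2020-12\n")  # missing from restore
    return live, restored
```

A drill that reports `passed: False` is the useful outcome: it tells you which files you could not get back while there is still time to fix the backup.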

This is Article 2 of the Cyber Resilience for Business Owners series, based on the Highlands and Moray Chambers Joint Cyber Resilience Event, Aviemore, February 2026. Speakers: Mark Gallagher (Police Scotland), Gordy McDonald (Police Scotland).
