
Scottish businesses need to act on Log4j vulnerability to avoid ‘catastrophe’

Scottish Business Resilience Centre chief executive Jude McCorry.

The Scottish Business Resilience Centre (SBRC) is urging all organisations to ensure computer systems and devices are updated to mitigate the impact of a newly detected global vulnerability.

The risk was reported in a free piece of software on the Apache open-source platform.

The software, called Log4j, is often used by developers and IT professionals on applications and servers to record or log activity.

Dubbed log4shell, the vulnerability could allow hackers and cybercriminals to send malicious code to Log4j – potentially resulting in irreparable harm to devices globally.

SBRC, which combines emergency services, businesses and the Scottish Government, has also published guidance on what log4shell is, what it can do and the steps individuals and organisations should take to mitigate the fallout.


In a year where the National Cyber Security Centre (NCSC) has reported more cyber incidents than ever before, SBRC is monitoring the situation and recommending immediate action from organisations, irrespective of sector.

As well as following this advice, businesses are being urged to download the SBRC app in order to further mitigate business and cyber risk.

This will ensure firms get the latest updates on Log4j as they come out.

The app is available to download from the Android and Apple app stores.

‘All organisations must consider themselves at risk’

SBRC chief executive Jude McCorry said: “While the impact of log4shell is yet undetermined, organisations could still be in the dark if they even use Log4j in their systems.

“All organisations must consider themselves at risk of this global vulnerability until it has been confirmed that they are not.

“There is no time to waste here; the SBRC is calling on all businesses to take action now to avoid potentially catastrophic results.”

‘Personal devices are also at risk’

Ms McCorry added: “It is not just work devices that are on the line – personal devices are also at risk and so must be part of the updating process.

“Acting now and looking into other services that are used, including third-party software, will help to provide peace of mind.

“Given the meteoric rise in cyber incidents this year, individuals and organisations must turn to trusted sources to keep up to date on credible threats to operations like this.

“The SBRC app provides push notifications within minutes of the insight being received, covering cyber threats with accurate guidance.”

Microsoft investigation

Microsoft says on its website it has not identified any “exploitation of our enterprise services as a result of the Log4j vulnerability at this time”.

The software giant adds: “Our security teams have been analysing our products and services to understand where Apache Log4j might be in use.

“As our investigation continues, if we identify any impact to our services or action required by customers, we will provide additional communications.”

Incident response line

Organisations concerned they have been the victim of log4shell can contact the SBRC incident response line on 01786 437 472.

SBRC is a non-profit organisation that exists to support and help protect Scottish businesses.

Its links to Police Scotland, the Scottish Fire and Rescue Service and Scottish Government give it exclusive access to the latest information to advise citizens and businesses how to digitally interact in safety.


Log4Shell explained in simple terms

What is Log4j?

Log4j is a small piece of free software often used on apps and servers to record or log activity.

These logs can be used by developers and IT professionals to identify issues on apps and servers.

Logs are very important, and Log4j is very popular because it is freely available and easy to set up.

What’s the problem?

A major vulnerability in Log4j has recently been discovered – dubbed log4shell.

It allows hackers and cybercriminals, with very little expertise, to send malicious code to Log4j that can do harmful things to the affected device.

This ranges from giving a hacker unwanted access, to stealing sensitive data and spreading the vulnerability to other devices on the same network.

How bad is it?

Many media outlets are reporting “the internet is on fire” over this vulnerability.

Whilst nothing is actually on fire, it is not an exaggeration to say this is one of the most serious and most dangerous vulnerabilities of the past decade.

Huge numbers of devices and services are affected, including many popular software applications and online service providers.

Am I affected?

It is difficult to determine the extent of who is affected by this vulnerability, so you should assume you are vulnerable until you have verified you are not.

Most of the apps people use on their phones and computers have a risk of being affected.

If you or your organisation has a website, there is also a high chance the webserver is affected.

What can I do?

The first thing you should do is make sure all updates are completed as soon as possible.

The best way to mitigate log4shell is to ensure any device that could potentially use Log4j is running the latest version of the software.

Even if you are unsure whether you have an app or service that uses Log4j, doing updates routinely ensures the app or device has enhanced protection against cyber attacks.

Secondly, you should contact your IT provider and ask them to make sure all your devices and servers are up to date – especially servers that are used by your website.

If they are unsure about the vulnerability, you can direct them to technical notices from the SBRC and the NCSC.

Thirdly, check your third-party software and service providers for their advisories on the vulnerability.

Major vendors like Microsoft and Google have all released advisories on mitigating the damage from this vulnerability.

Video games vulnerable too

Finally, update personal devices. This vulnerability affects all devices, not just those used for work.

The vulnerability can even affect video games, so make sure any family members' devices are updated.

For updates on the situation as it unfolds, download the SBRC app – available on iOS and Android – and check out SBRC’s website blog on the topic at www.sbrcentre.co.uk/log4shell-vulnerability

