Police Scotland's technology department is understaffed and could lack appropriate safeguards against data breaches and IT disasters, the public spending watchdog has warned.

Audit Scotland has identified multiple challenges and services which "may be exposed to significant risk" in Police Scotland's ICT department.

The department has "a lack of available capacity and capability of suitably skilled resource" with "skill deficiencies in certain areas", it found.

Staff do not have "comprehensive knowledge" of all systems, meaning records could be deliberately or accidentally lost - an offence which carries the penalty of a £500,000 fine.

The force also has no system to track the cost of cyber attacks, it found.

Audit Scotland said the department delivers a "good quality service" but said "at a time of financial austerity there is both the necessity to rationalise and the challenge to invest in new technological solutions".

Management have agreed to develop an improvement plan to address these challenges.

Audit Scotland said: "There were approximately 50 vacancies within the structure and management were actively recruiting.

"However, the recruitment and retention of suitably skilled staff continues to be a challenge.

"This is attributed to public sector salary scales and the time taken for staff vetting."

The ICT department relies on contractors for key projects but this creates a risk of over-reliance on external parties, can add to cost, and limits the development of in-house knowledge, Audit Scotland said.

Police Scotland recently received Cabinet Office accreditation to access the Public Services Network, which allows public bodies to share data throughout the UK.

Accreditation is reviewed annually to ensure organisations are protected from internal or external threats.

Audit Scotland said the ICT department may not have appropriate measures to prevent records being lost or removed.

It said: "The ICT department acknowledges that they do not currently have a comprehensive knowledge of all software, physical or information assets across the estate due to numerous historic records of varying degrees of accuracy.

"As a result, the ICT department may not be aware of all business critical information resources and may not have the most appropriate measures in place to protect them against deliberate or accidental loss."

Auditors found "no structured approach to increase and maintain staff awareness of good information security procedures and practices".

It added: "Data loss incidents in Scotland over the last few years have been shown to generate a lot of negative press coverage.

"Aside from the reputational damage this may cause, the powers of the Information Commissioner's Office which investigates data protection breaches have increased and this can result in significant fines of up to £500,000.

"It should be noted that SPA and Police Scotland have not had any fines."

Audit Scotland said the delivery of full disaster recovery plans is "a key challenge".

It said: "Legacy plans do not exist for all business critical systems. ICT contingency and disaster recovery plans are being developed by the IT resilience team with reference to appropriate international standards."

Police Scotland has dealt with a number of cyber attacks, including a disruption of its public websites and "a selection of client-based malware attacks".

Auditors found the ICT department is taking appropriate action to mitigate these risks but "cost does not seem to feature in the risk assessment".

It said: "As the threat from cyber security develops and attacks grow in magnitude and complexity, it is essential that the ICT department identifies and assesses the impact of the cost incurred and potential reputational damage that may occur when dealing with a cyber attack.

"The key challenges going forward are recognising the need to have a costing model that tracks costs incurred due to cyber-attacks and captures learning points for going forward."

The Police Scotland ICT Strategy is still in its draft stages following the cancellation of a £40 million i6 contract with Accenture, which is not considered in the report.

The report also does not address the call centre reforms instigated by the deaths of John Yuill and Lamara Bell in a crash on the M9 last July, auditors said.

Martin Leven, director of ICT at Police Scotland, said: "The overall conclusion of the whole report was that ICT provides a good level of support to the service and it has identified a number of areas which we are working on to ensure we can continue to demonstrate and deliver continual progress.

"We are absolutely committed to improving the ICT infrastructure across Police Scotland, moving away from a network of legacy systems to solutions which will allow officers and staff to more effectively carry out their duties and introducing innovation to streamline what we do and how we do it, to keep communities safe."