How do we convince people that cyber security matters?

Joe Tidy, presenter, event moderator, keynote speaker Joe Tidy – the BBC’s Cyber-security Correspondent reports on the human cost of cyber crime.

I’ve known Alan for more than 20 years but never seen him like this.

Alan is the dad of one of my oldest mates and affectionately known as ‘Big Al’ by our friendship group.

He’s known for his jovial and chatty personality but on the morning of 7th September 2018 he was not himself. In fact he was beside himself with worry and stress.

We were meant to be playing in our annual charity golf day but Alan’s day was quickly turning into a whirlwind of anxious phone calls and doom scrolling on news apps. Alan was one of the 400,000 victims of the British Airways hack.

British Airways plane taking off

British Airways was the victim of a cyber attack that affected 400,000 victims.

Watching Alan struggle to understand the implications of the cyber attack and go through the stress of worrying if the criminals had access to finances or if his identity was being forged was a seminal moment for me.

At that time I was just finishing up my time at Sky News and about to join the BBC in a few weeks, as the corporation’s first ever dedicated Cyber Security Reporter. I’d covered cyber crime and hacking before, but watching Alan made me appreciate the human impact of these massive breaches.

Fast forward to today – in fact last month – and British Airways finally faced the music for its poor security practices in the shape of a £20m fine from the Information Commissioner’s Office.

Commissioner Elizabeth Denham’s statement was particularly poignant for me:

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Since that morning with ‘Big Al’ I’ve always tried to bring out the human cost of cyber crime in my reporting for the BBC. It’s the hardest part of the job and I regularly fail.

Finding and persuading people to tell me their stories of what it’s like to be a victim of these big hacks is extremely hard. It doesn’t make sense does it? Look at the numbers – some of the big breaches contain hundreds of thousands or even millions of victims.

How about this for an example – I’m currently working on a story about Business Email Compromise hacking – probably the second biggest problem in cyber security after ransomware. It’s nasty and involved hackers either faking corporate emails or getting inside them to trick finance directors into sending large amounts of cash to the wrong bank account. In 2019, the FBI dealt with 23,775 complaints about BEC, which resulted in more than $1.7 billion in losses. And that’s only the ones that were properly reported to police!

I’ve covered this threat before and tried to find a victim to discuss what it’s like being tricked into sending money to the wrong place. Can you imagine the horror when you realise that your big business deal has been surveilled and curtailed from inside your own email account? It must be horrifying. I know of many companies that this very thing has happened to including a top flight Premier League football club. But will they tell me their story? No.

Herein lies the problem with cyber security reporting, which may explain why the public and law makers aren’t taking it seriously enough. The true human costs of cyber crime are not being understood.

The other issue is that let’s face it, cyber security, although one of the major challenges of modern life, is pretty boring to look at. Just try image searching for ‘cyber security’ and you’ll be bombarded with the same pics over and over of padlocks, computer code or even men in hoodies. Finding pictures of real people affected by hacking is even harder than finding their stories.

A Google image search on cyber security rarely returns images of people affected

google search on cyber crime

All of this isn’t to say ‘woe is me’ of course. I’m extremely lucky to be covering a beat that I find personally fascinating but luckily for me I have good editors who are always pushing me to get out there and keep trying to find those personal victim stories.

Occasionally perseverance pays off like when I found an amazing and brave woman who had been the victim of ‘stalkerware’. Stalkerware is a growing problem that disproportionately affects women who are in toxic or abusive relationships. Husbands and boyfriends secretly install malicious spyware onto phones or computers to cyber stalk their partners.

It’s a horrible piece of modern technology. I installed some onto my work phone and allowed a colleague to ‘stalk’ me for a video report. Then I spent literally weeks finding someone who this has happened to who would talk and finally found ‘Jessica’ who was willing to tell me how it had affected her. Hearing ‘Jessica’s’ terrifying tale of how her ex-husband knew exactly where she was and who she was with at all times once again brought home to me just how serious cyber security is.

It makes a big difference and since the report went out, coincidentally, a coalition of cyber security companies has formed to try to combat stalkerware. There is hope!

There’s no doubt that things are getting better and people are thinking about and taking cyber security more seriously since I started reporting on it in 2018, but sadly I think we will always need the Jessicas and Alans of the world to show us the true human cost when things go wrong.