6 Dec 2022

“We Need to Treat Cyber-Crime as a Public Health Issue”

Why Professor Victoria Baines thinks everyone needs to be more savvy about cyber-crime.

Do you consider yourself a likely victim of cyber-crime? Human nature dictates most of us feel it will happen to someone else, not us… and yet there’s a very high chance your email address is already in the hands of people you’d rather it wasn’t.

According to Victoria Baines, Professor of Information Technology at Gresham College, our apathy on this topic is giving cyber criminals an easy ride. The issue, she thinks, is a lack of public education – a topic she discusses with great passion.

“My whole mission in life really is to get the powers that be to treat cyber threats as a public health issue”, she explains. “We need to engage much more with members of the public and businesses of all sizes so they are equipped to take charge of their own safety online and protect themselves”.

To illustrate the point, Baines points to the differences in public discussion of in-person crimes, versus online, cyber-crimes.

“Many of us will fall victim to a scam in our lifetime – in the same way many of us will have something stolen off our person or from our home. But we treat these things very differently”.

“Law enforcement agencies are perfectly happy to talk to members of the public and small businesses and tell them they need to lock their doors; that they need to have a burglar alarm fitted. That they shouldn’t leave their valuables out in plain sight in their car. But for some reason we don’t do the same talking to people about cyber-crime”.

Baines believes this underestimates the intelligence of the public – and that if more clear information were given about staying safe online it would do wonders for cyber-crime levels – which make up a growing percentage of all reported crime.

Baines also believes a more nuanced way of reporting cyber-crime would help the public take action.

“One of the problems with how cyber-crime is reported is it being sometimes overblown. There’s a lot of scaremongering at the moment – for example most of the time everything is referred to as ‘a hack’. Technically speaking that’s often inaccurate – and it scares people into thinking it’s something you can’t control”.

She likens this nuance to the difference between a burglar breaking into your house, and you leaving the door open.

“Most of the things that the press refer to as ‘hacks’ are data breaches because people have been careless. Quite often it’s that a user themselves has given consent to something that they didn’t understand all that well”.

Improving your online security is the equivalent of getting locks on your doors and setting a burglar alarm.

But organisations, she says, also need to play a role in this.

“Transparency and accountability from the companies that process all of our data is really important. Once we have the information in a clear way, we as users can make an informed decision about who gets our data. The better the information we have the better that we can protect ourselves”.

This, she states, is the missing link in what she describes as the “Holy Trinity of how to keep people safe online – that’s people, processes and technology”.

In a career that, prior to academia, spanned the Surrey Police, Europol and Facebook, Baines states this is a continuous theme.

“Over the last 20 years that I’ve been investigating and analysing cyber-crime, I’ve observed that we’ve spent billions of dollars on technical solutions to protect people, businesses, assets. We’ve spent a lot of time and effort on things like the General Data Protection Regulation. But we haven’t spent quite so much effort on people”.

Treating the issue of public education seriously she believes would make a huge different.

“We know that the vast majority of cyber threats can be countered by doing basic security work. Even things that seem really sophisticated like the ransomware attacks that affected the NHS a couple of years ago, were only a problem because some hospitals hadn’t patched their Windows machines properly”.

The missing link is simply us.

“Despite all this good stuff in place, people are still vulnerable to social engineering and phishing attacks. We really need to give people better information so they can protect themselves, their businesses and – I would even say – their country”.