An interview with Joe Tidy, BBC Cyber Security Correspondent
Cyber crime has infiltrated every aspect of our lives. Whether it’s phishing scams and spam emails or organised crime demanding millions in exchange for sensitive data, the threat is real and present. And, as more people work from home, our vulnerability has been heightened.
Joe Tidy is the BBC’s first dedicated cyber security reporter and works on investigations for international and domestic news outlets. He spoke to The European to offer insight and advice about coping with this highly sophisticated threat.
What is the biggest challenge that organisations currently face in terms of managing cyber security?
Joe Tidy: Ransomware. It’s built up over the last few years to become, for many, the number one threat in cyber security for business worldwide. These cyber criminals are ruthless and patient, and I’ve seen for myself just how tough they are to negotiate with.
Last June, I was tipped off that a ransomware group called Netwalker had infiltrated the University of California San Francisco IT system and encrypted their network. The hackers were trying to extort the university for millions despite the institution working hard to develop a Covid-19 vaccine. I got hold of the Netwalker dark web portal and watched over weeks as the university pleaded with the hackers but were still forced to pay $1.14m to get access to their data back.
Ransomware is truly debilitating, and these well-funded and well-organised hackers are going after bigger targets and demanding bigger pay-outs. They’ve also started charging businesses and organisations twice – one to hand over the decryption key to unlock data and another to “promise” to delete the data the criminals have stolen. They don’t always keep their promises of course.
Cyber security company Emsisoft estimates that the burgeoning form of cyber crime earned criminals $25bn in 2020. Sadly in 2021 we’ve already seen a steady stream of attacks reported and it doesn’t seem to be slowing down.
Has the pandemic hindered the ability of businesses to secure their networks and data?
There’s no doubt that IT teams around the world are having a tough time with the pandemic and remote working. When mass lockdowns began being enforced around the UK and Europe, I got a predictable flood of press releases from cyber security companies about how the dangers to data had increased but to be honest I was sceptical it was actually a problem.
Then we had a massive hack that was directly linked to the rapid move to remote working. The Great Twitter hack happened in July and saw 130 accounts attacked, many of them owned by high profile people like Kanye West, Elon Musk, and Jeff Bezos. The hackers took charge of the accounts using Twitter’s powerful back-end website tool and tweeted out a Bitcoin scam.
It was extraordinary to watch, but what was fascinating is how the now-arrested alleged hackers used the chaos of home working to trick Twitter staff into handing over high-level login details.
They found out that the system being used by staff to log into the internal Twitter network (the VPN) was on the blink and used that confusion to masquerade as newly hired IT workers to successfully coax the details out of Twitter personnel. I’m certain these sorts of problems are happening across the board during the pandemic but without us ever knowing about them.
What can organisations do to mitigate the problems caused by an increase in remote working?
Luckily we are now coming up to a year since many countries began lockdowns and I’d like to think that IT teams have a much stronger grip on the perils of remote working.
There are a few fundamentals that people who are much smarter than me have written about in the last six months, and these include ensuring all staff have their own company devices to work on that have been set up with the same security and software as all other devices company-wide.
Using a company VPN is always a good idea, too, but it does of course add another layer of cost and complexity. One of the most powerful steps businesses can take, which costs nothing (except maybe a little bit of training), is to install 2-factor authentication into any staff systems that contain sensitive data.
This just means that staff have to input a code that is sent to them whenever they want to log in. This one measure will stop chancers who come across a username and password dead in their tracks. There’s loads of places that businesses can get great advice on this, for example, the UK’s National Cyber Security Centre website.
It looks like cyber crime is here to stay. How can we stay one step ahead?
I think of cyber security like physical security. Imagine a castle with the Crown Jewels locked inside. You can do the basics – locks on doors and employ a guard. But if the attacker is resourceful enough, they will get around that. So you build a moat. They get a boat. So you put up barbed-wire. They attack from the sky. And so it goes.
The thing experts always tell me is that you will never be “unhackable” but it’s about taking your organisation out of the “low hanging fruit” category. Which is why installing 2-factor authentication is such a good step – you won’t be immune to attack but the low-level hackers will be more likely to give up and try easier targets.
Overall I think there is a massive problem in the industry. More and more money is being spent by IT teams on cyber security tools and software, but the risk of cyber attack isn’t actually going down.
Probably the biggest thing that can be done for free is educate employees into the risk of cyber attack. They always say the weakest link in security is the human and with a small amount of training about how to spot a dodgy email for example, it could make a big difference.
But it’s not just businesses that are vulnerable. Any advice for people during everyday life?
I think for the masses it’s the humble password manager. Whether it’s LastPass, Dashlane or 1Password (there are loads!) these little apps are a powerful tool for everyone from general members of the public to the CEOs of major firms.
The reason being it’s really dangerous to use the same password across multiple internet services as it makes you easy pickings for hackers. Password managers have been around for a few years but they are brilliant. They are like secure digital vaults that allow us to store all our passwords in one secure place.
So you can have as many super-long super-complex passwords as you like for your Facebook, eBay and Spotify and as long as you can remember the one password for your locker, you’ll always be able to log in.
About the author
Joe Tidy is the BBC’s first dedicated Cyber-security Reporter working on investigations for international and home news outlets. Appointed in 2018, he covers cyber crime, hacking, privacy, data security, online safety, gaming and pretty much everything internet.