When Good Hacks Go Bad


The past year brought greater mainstream press interest in cybersecurity matters than ever before. But despite the wider profile of security issues, the important messages still aren’t getting across, Mike Hine discovers.

The mainstream news media is facing transitional, and to some extent troubling, times – with falling print circulation, and the erosion of traditional revenue streams offset against positives like global reach and the vast possibilities of the digital age. Although the internet has changed how we consume news, mainstream press outlets on both sides of the Atlantic still wield a lot of power when it comes to disseminating information and influencing public opinion.

Cybersecurity stories are proliferating in the mainstream press at an unprecedented rate, with recent research from Deloitte reporting that the first ten months of 2014 produced 24,105 data breach news stories, a huge 340% increase from 5474 in the corresponding period a year earlier.

Whether or not this is having a positive effect beyond a vague sense of raising awareness, however, is far from self-evident. Certainly within the security industry, there are mixed feelings about the nature of this widespread reporting, and what its impact might be.

Fear and Loathing on Fleet Street

The problem, says Maire Byrne-Evans, web science researcher at the University of Southampton, is that “even the reputable newspapers have to sell through fear.” She adds that, “Although it’s easy to be dismissive and roll out clichés about the media being driven by sales and by having to sell ads, this is the economic bottom line for them – without sales and clicks they cease to exist.”

Alarmist headlines and sensational stories undoubtedly grab attention and garner clicks, sales and eyes on the page. A November 2014 print edition of London’s free Evening Standard daily newspaper, which has a circulation of around 850,000, bore the front-page headline ‘Met War on 200 Cyber Crime Gangs’. Emotive language like ‘war’ and ‘gangs’ – with connotations of intimidation and violent street crime – makes this headline stand out, and a sanitized version wouldn’t read, or sell, nearly as well. This is nothing new – but should we just be satisfied that cybersecurity is able to make the front page at all?

“It’s great to see cybersecurity incidents and issues featuring more prominently in the media,” offers independent cybersecurity consultant, Dr Jessica Barker. “However, the way threats are reported is not always constructive. Research into the psychology of fear suggests that for ‘a fear appeal’ (a message arousing fear) to change behavior, it needs to show that a threat is real, that individuals are susceptible to it, and that there are effective mitigations.”

Far from having a positive effect, news stories in the mainstream media can do more harm than good if they peddle fear over effectual response. Dr Barker argues that, “If the media just communicates the threats, people will engage in controlling the fear rather than the danger, so they will go into denial or reactance, believing that they are simply being manipulated by the media.”

‘Computer Apocalypse’

Sensationalism is engaging, and people don’t necessarily look to newspapers for advice on how to lead their lives. Nonetheless, the effect of negativity and sensation on readers is not limited to denial only. “Without the right messaging, there is a danger that people will not be motivated to find out how to be safer online or that they will be put off using the internet out of fear,” says Dr Barker.

With Forrester research predicting that online retail sales are set to rise to $370bn by 2017, the risk that hysteria around cybercrime could impact the economy by driving people away from the internet is not to be taken lightly. 

“Without the right messaging, people will not be motivated to be safer online” – Dr Jessica Barker

The reality of cybercrime’s economic threat is illustrated by the significant effect Sony’s decision to initially withdraw The Interview from cinemas had on box office earnings. As this story unfolded, media outlets pushed the ‘cyberterrorism’ angle as hackers threatened more and more repercussions for Sony throughout the holiday season. Once again, the language of warfare permeated such coverage. There is little doubt that this is bad for public perception of cybersecurity matters. If hackers become synonymous with terrorists in readers’ imaginations, hysteria begins to overshadow the reality of the threat and the messages about how to take simple measures to be more secure online.

Writing on Norse Corporation’s Darkmatters blog, Edwin Covert says that “By using terms such as cyber-attack, terrorist, 9/11, computers, tragedy, and the like, unwary readers get the sense that a computer apocalypse is nigh.”

Some commentators, however, take a less critical view of such doom-mongering. Barry Scott, chief technology officer EMEA for Centrify, argues that “sensationalizing these events, and using overly emotive language can be beneficial, particularly in situations where consumers may not recognize the company that has been breached, and cannot relate as well as they might to a familiar name such as eBay.”

Getting the Message Across

Whatever the drawbacks of sensationalism and fear-peddling in the media, the increased profile of cybersecurity no doubt represents an opportunity for industry advocates to spread the gospel and actually influence positive behavioral change. The key is making sure that impartial, educational commentators are given their fair share of column inches. However, for a variety of reasons, this is not yet happening.

“Effective password creation and management, cyber liability insurance for the small business, and two-factor authentication (2FA) – these are all achievable actions. But such messages get thrown by the wayside in the scrum for a good story,” argues Pen Test Partners’ senior partner Ken Munro. “Take, for instance, Celebgate. That was a great opportunity to educate the public on 2FA and how to implement it, but the media was far more interested in promoting the salacious story of a naked Jennifer Lawrence.”

Dr Barker concurs that promoting solutions is essential if increased cybersecurity coverage is going to have any positive outcomes. “Explaining what mitigations there are and why they protect against threats is really important,” she told Infosecurity. “If you’re asking people to change their behavior, they will usually only be motivated to do so if they understand why they should do so and if the steps are broken down and made accessible.”

With 24/7 rolling news coverage around the world, there is an ongoing effort to raise the profile of cybersecurity

But while more and more security experts are quoted giving advice in news articles, there is still a suspicion among some commentators that others are not open enough when it comes to dispensing free advice.

“Obviously security companies sell through raising fear of crime, too,” says Byrne-Evans. “It’s in their interest to overstate the case.”

Munro concurs, suggesting that “much of the content in the media on security is based on PR put about by product vendors trying to sell their kit. That’s why it’s very light on practical advice.”

Specialist media outlets, like the plethora of security blogs and online magazines, are, of course, replete with the kind of constructive advice that would help consumers, SMEs and otherwise cyber-unaware parties improve their security with a few simple steps. But as these outlets generally cater to a tech-savvy audience of security professionals, their potential impact and ability to instigate positive behavioral changes is limited to this niche. It’s about time that messages such as these get more prominence in the mainstream media.

Power of the Press

Assessing the impact of negative news on the public psyche is difficult. Munro perceives “a state of apathy bordering on the catatonic,” adding that, “Joe Public has become so turned off by these stories that many now ignore them.”

Some recent surveys indicate that attitudes to cybersecurity do, indeed, tend to range from pessimistic to apathetic. Research from Deloitte suggested that 63% of 2000 people surveyed did not have ‘much or any’ confidence that firms could keep their personal data safe from harm. A LogRhythm paper, meanwhile, revealed that while 59% of 1000 UK citizens surveyed believed harsher penalties should be levied against organizations that suffer a data breach, 61% claimed they did not actually know of any businesses that had fallen victim. A third of those surveyed by LogRhythm had never heard of Heartbleed or Shellshock, while 42% believed that the threat of cyberwar or cyber-terrorism is real.

This kind of data paints a picture of a general public that is low in confidence when it comes to the security of their personal information, and has serious concerns about the potential impact of ‘cyberwar’. But it is also a general public that is not necessarily au fait with the details of the major incidents that security practitioners, by contrast, would rank as the most significant news stories within a calendar year. News coverage is leaving a general impression – but not a good one.

“I think the security industry has a huge role to play in this, in communicating with the media, explaining threats, and what can be done to mitigate them, in simple, accessible and understandable ways,” says Dr Barker.

Advice from retailers post-breach also needs to focus on the core issues rather than mere stop-gaps, argues Munro: “Retailers need to stop this knee-jerk reaction of issuing dictums that merely see one weak password replaced by another and begin offering concrete advice that improves password creation and management. It should then seldom be necessary to change passwords at all.”

Whether or not the mainstream media is currently interested in promoting cybersecurity best practice, injecting some constructive tips for mitigation into news stories is clearly a sensible tactic. As an angle, it might not be as eye-catching as the doom and gloom, but consumers will quickly tire of endless stories about breaches that are essentially very similar in nature.

And there is, as always, still a place for journalists to ask very trying questions of those companies who do fall short on their security, and help educate consumers about the demands that they should make of firms that hold their data.

“That’s where the power of the press comes into its own,” concludes Munro: “Demanding answers and bringing pressure to bear that improves disclosure and security advice.”

Is Cybercrime Under-Reported?

Despite the escalating presence of cybersecurity in the media – with the risk of ‘breach fatigue’ that this brings – some experts raise the point that the true scale of the cybercrime problem is undoubtedly much vaster than we know.

“If anything, cybercrime is under-reported because of undetected breaches and reputational damage – particularly in the finance sector,” says Tony Marques, cybersecurity architect at Encode Group.

With the potential negative market effects, many companies – those that aren’t obliged to, at least – can cover up incidents they feel it would be detrimental to expose. Until we have greater transparency, assessing just how large a problem this is will be impossible, many security experts argue.

This feature was originally published in the Q1 2015 issue of Infosecurity – available free in print and digital formats to registered users
