Don’t ‘bombard’ victims of cybercrime, says Jude McCorry 

The boss of Scotland’s national cybersecurity resilience centre has revealed she received 150 messages on LinkedIn from organisations keen to help a mental health charity which was hit by a cyberattack in March.

Jude McCorry, chief executive of the Scottish Business Resilience Centre (SBRC), has called on companies who provide cybersecurity products and services to “stay at arm’s length” and “don’t bombard” recent victims of cybercrime.

Speaking at CyberUK – the UK Government’s flagship cybersecurity event hosted by the National Cyber Security Centre (NCSC) – in Wales on Tuesday, she urged the leaders of organisations targeted by online hackers to “choose your help really wisely”.

McCorry’s comments come after the Scottish Association for Mental Health (SAMH) experienced a “devastating” cyberattack on 17 March, which crippled its systems and communications channels.

Speaking about the incident, she said: “I had 150 LinkedIn messages in the first day going ‘Tell SAMH we can help them’, and I was like, ‘Woah, give them the space. Give them the respect to try and figure out exactly what they need and what they need to do and then I’ll come back to you, or we’ll have a call with you, but don’t bombard these organisations.’

“‘It’s great that you want to help, but stay at arm’s length and [avoid saying] your products will help fix this, or that if they had bought your product it never would have happened.'”

McCorry, who spoke on an expert panel chaired by Paul Maddinson, director of the NCSC, also spoke about the need to improve victim support.

She said: “We all talk about victim support, [but] I don’t see much of it. And I think why we now have got some more strong females in cyber is because of that maternal thing.

“I go home and I worry about all these people that have called in.”

Recalling her thoughts in the immediate aftermath of the cyberattack against the Scottish Environment Protection Agency (SEPA), whose systems went down on Christmas Eve in 2020, she said: “How are they going to enjoy their Christmas? These poor people.”

She said: “If it was a bank robbery in the 80s of the 90s, then that bank would be closed for a few weeks, there’s an investigation going on, the staff are treated with counselling and they’ve got all this pastoral support”.

McCorry also warned against “victim blaming” in the cyber sphere.

She said: “I also see victim blaming. If it’s a small organisation, somebody goes, ‘I bet it was him that did this’ or ‘Who clicked on the email?’ and stuff.

“I think we need to be very, very careful and very supportive to these organisations. Because we want the next generation of cyber people, we don’t want people thinking they’re coming in to work in an industry that people are going to blame them if we do have these attacks.

“So we need to build in this pastoral support just in case anything happens.”

She said that “supporting the victims” was “more important” than anything else being discussed by cyber leaders, including education.

McCorry was joined on the panel by Nelson Ody, product manager – cybersecurity at software company RM, Siwan Rees, senior programme manager at business support programme Impact Innovation, and Rob Jones, interim director general of the National Economic Crime Centre.

CyberUK, which was held at the International Conference Centre Wales in Newport from 10-11 May, also heard from Rob Joyce, director of cybersecurity, US National Security Agency (NSA), Jen Easterly, director of US Cybersecurity & Infrastructure Security Agency (CISA) and Lindy Cameron, chief executive of NCSC.

The government keynote was delivered by Steve Barclay, Downing Street chief of staff and chancellor of the Duchy of Lancaster, where he warned of the evolving threat of cyber attacks following Russia’s illegal invasion of Ukraine, and committed to boost cyber defence skills across the UK.

The event was joined by over 1,500 delegates from the cyber community, both in-person and online.