Introduction (00:24) You're listening to KBkast, Cyber Security podcast for all executives cutting through the jargon and height. Do you understand the landscape where risk and technology meet? Now, here's your host, Karissa Breen. Karissa (00:38) Joining me today is Jake Moore, global cyber security adviser for ESET. Today we'll be discussing what happens when Cyber Security criminal gets caught. Jake, thanks for joining, it's wonderful to have you here. Jake Moore (00:50) Thank you for having me today. Karissa (00:52) I'm super excited to get into this topic because when you and I spoke originally, we were talking about what angle we wanted to cover and so you sort of talked about your background, which will get into and then you sort of said, like, what happens after Cyber Security criminal gets caught? And no one actually really knows that answer. So I'm really keen with your background, your experience, to dive on into this. So maybe let's start with you've got that interesting background. You've got 14 years in the police force, plus an extra four that you've got an Eset, which is probably why you're as curious as much as I am about what happens to cyber security once they get caught. So I'm just curious to start, what is the deal? What happens? Jake Moore (01:38) Right, well, the first thing you've got to mention is if they get caught, this is hard. This is one of the toughest of offences for the police. It's about forensics after the crime has happened, but also you've got to try and find where the person is before you even get into the digital forensics. You've got to go through cyber forensics, which is online. There's so much to go through. It's like looking for a needle in a haystack. But someone once said to me was actually like looking for a needle in a haystack, not even knowing there is a needle to find. And I thought, wow, it really is like that. It's so difficult. It's a long old process and the money just simply isn't there. If I'm honest, especially with the police in the UK, we haven't got the people, the training, the money behind it that it actually warrants. You're looking at around 50% of crime, particularly in the UK, that it's related to cyber and fraud offences, but it just doesn't get the same amount that you would expect if you compare it to, say, a murder. Of course we're going to throw all of our resources as a murder, but cybercrime seems to just be forgotten about. Jake Moore (02:49) But if we can delve into those forensics, those breadcrumbs of little pieces of evidence, then, yes, it can be done. But it's so difficult. First of all, once you've chosen your suspect, you've then got to look at what drives you've got to go through. And this is again a long process. You've got policies and processes to go through. You can't cut corners. In the old days we did, by the way, we really did just pick out a drive that we were pretty sure it was, and we'd go, right, let's play with this before doing things like making an image of it. It was crazy ties. But now those processes have come in correctly. It takes even longer, but we hear about lots of big stings and arrests. I think the PR teams of the police force love to talk about those arrests, but we rarely hear about the outcome. And that's because some don't go to trial, because I talk about the evidence and if the evidence isn't there thereafter, then it won't even make it to trial. We actually end up giving those computers and other devices back, which is frustrating, and they might be on bail for two years and by then the press just forgotten about it and they get back on their merry way. Karissa (03:57) Well, okay, so there's a lot of things going on there. So first and foremost, when you said, is there a needle to find? Great point. Do you think that's how people would view cyber criminals? Like, is there that needle? Are we still at that stage? Jake Moore (04:12) Yes and no. So I think we're still catching the low hanging fruit. And when I mentioned that, I'm talking the people that make mistakes, and there will be people that make mistakes. Maybe we're after a criminal. He forgets to turn on his VPN that day, or he's just so happened using old email address. I've seen lots of Netflix shows, I'm sure listeners have as well, where someone has made a simple mistake because they just use an old email address that happens to be connected to an IP address, which is their home or their work address. And that's the thing that will link that back to a suspect. And then you can go on and carry on with your say what? I'd go with a normal police investigation. But yeah, looking for that needle, which might not even exist, it's difficult. The Internet offers the availability to criminals to completely hide, hide in digital shadows, don't leave any breadcrumbs at all in their wake, or point the police on a red herring, on a wild goose chase somewhere else completely. It's impressive what they can do. And this actually upsets the public. They go, that shouldn't be the way for the police. Jake Moore (05:18) There should be a backdoor. I mean, looking into backdoor entries to break encryption, that's for another podcast altogether. But it's like the public want to find a way of catching these bad guys. Of course it sounds good, but it's not the same as a physical crime, a burglary robbery or a murder, for example. There's going to be other forensics involved. This is cyber and digital forensics very difficult. And with the way that the internet is working with forums and other places where you can learn so quickly, it's kind of offering the upper hand to criminals. Karissa (05:51) This is where it gets really interesting. So with your background, just say, I'm in Australia, I commit a crime in the UK, but I go, all right, see you guys, and going back to Australia. And somehow you figured out it's Chris of Range, she's dodgy what happens there. Now, I'm aware that obviously there's treaty, especially UK and Australia, that probably is, I would get extra data back to the UK, or probably get prosecuted or go to prison, but what happens if I flee to a random country and then you can't really get me back? Is that often what happens? And then it just falls on deaf ears and then by that stage is the murder that happens or something else goes on and everyone forgets about it. Jake Moore (06:28) So, working in my small force in Dorset, on the south coast, we didn't have many people that were particularly say, that clever, that might look for loopholes in the law, but from colleagues from other forces, like the Met, for example, in London, yes, that would happen and it would be very difficult. It just lengthens the process. None of these things get forgotten about. There's no simple way of knowing the tricks of the police, where if you do X or Y and if you go to a particular country, they'll forget about it. No, they don't want to be doing that, but they will just take longer to come down on those people. And it is difficult, I think, the way that laws have been created in countries over years and years and years, particularly in the UK, they just haven't caught up with modern times. We're talking about offences that are now on the internet online, which was nothing inconceivable back when they started writing laws of different lands. They never thought that there would be people doing an offence in another country. And then which law does it come under? We're still going with where the offence takes place, but if it's actually only online, it's very difficult. Jake Moore (07:41) This is a big grey area and it's really complicated for the justice system to really understand. And we've still got police officers that don't really get it because they've got to learn so much. I think training is 26 weeks. Well, 26 weeks, I'd say, is just on learning about cyber offences, let alone the whole rest of policing. So we've got a really difficult way of balancing all of this and that's why I think the police choose the easier offences. I mean, if you go and report a cyber offence, there's a good chance it won't get looked into. But if there is something that says, I know exactly who did it, I've definitely got the evidence, you might just catch the eye of the sergeant in the cybercrime team and digital forensics team and say, you know what, we do have to get these figures in, we need to get some arrests. Let's go for the best ones. Like I said, the low hanging fruit, the ones that leave the evidence behind. Karissa (08:41) So you think it's best that people should become their own sort of detectives in this case. That's why they're like, oh, low hair, hanging free, we're more inclined to catch this person. Jake Moore (08:53) That is a great point. And people do. We still, unfortunately, hear of stories where they go to the police with the evidence all packaged up with a nice bow on top and say, Right, here you go. I even got some CCTV if you want some physical evidence as well. And the police force go, you know what, we're a bit busy today, or we'll have someone look at that in a few weeks or months. And I know detectives that have got 30 jobs on at once they're looking into, and there'll be really serious offences as well. It's so damaging for the public when they start to realise this. And I don't think we can blame the police as much. This is a government thing, the government needs to put more money into it. But, yeah, you can definitely find as much evidence as possible and that will hopefully catch the eye of the person at the top of the unit sergeant that will say, this is the one we go for. But so often nothing happens because it goes into the too difficult trade. Karissa (09:49) I'm curious to know how difficult is it, though, to catch criminals? So you had touched on a little bit, but is it like, okay, when you're dealing with a physical murder or something, it's probably slightly easier because there's that human being that you can see when it comes to sight, you can't really see it as much, so it becomes inherently harder. So I'm curious to know how difficult is difficult here. Jake Moore (10:13) Yeah, so not every police force in the UK has its own dedicated cybercrime team that is looking particularly at offences that are occurring. They're quite reactive rather than proactive, but if they are able to know exactly where to look to know what might be happening, maybe they've got some really good intelligence, which is we are an intelligence led country in our policing, if that is the case, and there may well be something that lies within the offence online. We're looking for mistakes, though, like I said, someone using an old email address or someone that's just forgotten to use the dark web and their ISP has flagged something and these are the kind of tricks that we might be looking at. But of course, we know that criminals are so good at not making those mistakes that they are very clever at not leaving any evidence behind. So how difficult is it? Extremely difficult. And this is why I think the figures of something like 1% of cybercriminals actually do any jail time, but like I say, if you even find who has done it, that's actually when the job really starts. And I remember I used to work on cases and digital forensics unit for over a year because that's how long some of these things would take. Jake Moore (11:42) It might actually not land on the investigator's desk for a while because, of course, you've got other more emergency jobs to look at and of course, risk to life jobs will get a higher priority, but if it's a simple fraud case, then it would be less priority. So it might take months before it lands on the desk. And then once they're then in that job, it can be extremely difficult to go and find anything that might be encrypted. You might have to then brute force through a password, but we all know a brute force password to say over six characters long is going to take an infinite amount of time. We used to use GCHQ to help us with breaking through encryption. They'd have some enormous computers that could brute force, I think up to ten characters, maybe even a few more within a week. And they would really hammer it for us within a week. They'd say yes, but they wouldn't ever stop. They would then keep those images of hard drives. If it takes longer than a week, give us a call and say, look, it's going to take a lot longer, we're never going to stop. Jake Moore (12:43) And I like that. I think criminals need to know that it's not a way of just file, let's have a 15 character password on this encrypted drive. They'll still continue because as technology increases, you might find in a few years time, you get the phone call from GCHQ and say, we've actually got back into this one from 15 years ago, we've got all the evidence you need. I mean, you've heard of crimes in the past where they've got new technology and now they've got better skills with DNA, for example. The same thing is going to happen in a digital world as well. Karissa (13:13) So if I was a criminal, which I'm not, what I'm hearing from what you're saying is if I were to commit a crime because I'm that way inclined, I'm probably more likely to commit a cybercrime, provided I have the capability to do so, versus murdering someone because I'm less likely to get caught percentage wise. If you're saying 1%, that's a huge surface now that we've got to deal with, which almost incentivizes these people, because they probably know they're not going to get caught. All they're going to find is some random country that they know they're not going to get extradited back to the UK, for example. Jake Moore (13:48) You've got a fantastic to do list now for anyone listening. Yeah, it's like the how to guide. Do you know what it is kind of like that, but you can just go and search the internet and find blogs like this, and they'll give you a step by step guide on how to cover your tracks. But I suppose the really sophisticated career cyber criminals out there, which I actually take my hat off too, because it is tough for them to keep on top of the changing technology as well, to continually update their own tactics, because you talk ten years ago, it's very different back then to what we are now, so they have to continue upskill themselves as well. But I just fall on the fact that they're human and I fall on the fact that they'll make mistakes and they do. And it could be anything. But it takes a very good investigator to know where that slip up might be. And that might be forensic on the computer or it might be on the internet. Or even a physical mistake by telling someone something just to ring the alarm bell. To make people just point the finger at a particular person or group of people. Jake Moore (14:58) I think that social element, the human element, we talk about it in business all the time, people being the weakest link. I know some people hate that, but it's kind of true, even with criminals, because they will slip up at some point. Karissa (15:12) So if we go back to that 1% for a second and just say the 1% was caught, a cyber criminal slipped up, made a mistake, you being you and you figured them out, how long would you say these people sort of go to jail for? Now, I know that depends on what they did and all that type of stuff, but are these crimes like, oh, okay, you go to jail for six months, or is it a quite lengthy sort of jail time or what sort of numbers are we talking here? Jake Moore (15:37) Well, it varies. We haven't got that much data. Actually, if we're talking about the 1%, it may even be lower than that. The cases that I know of, they varied. There's actually a section where you can if you don't provide a password to a device or a container, then you can be put away for two years. Okay, now this sounds fantastic. So you've got someone, you arrest them and go, right, what's the password? We can't get into it. And they say, no, I'm not telling you, or they just say, I've forgotten it. But in my time in the police. Although we tried to catch people out by saying. If you don't give it to us. We're going to give you two years in prison. We actually never did get anyone away for that offence because it's so easy for them to get off it or reduce the time. Or even if they get to trial and it's taken two years to get to that point. You might even find a judge, say, you've gone through all of this drama, your offence is not actually in prison, it's the last two years noncustodial. It's frustrating, that work. Jake Moore (16:43) And you think, Great, we haven't even changed this guy, okay, he's got an offence, but he might actually have just been carrying on the last two years under another completely different name. It's so frustrating, the big, big cases, maybe you might get four to six years, but you need so much time and effort on those big cases. They usually take lots of forces, different countries, Europol, everyone getting together, and you still might only get a couple of years, if that. But unfortunately, if they go to prison, we always used to kind of joke about this with a bit of a Rise smile, that, well, if they go to prison, they all talk about how they got caught. They're going to learn how not to get caught in the future. This particularly happened with physical crime offenders. They would say, what are you doing not wearing gloves? No wonder you cut yourself from the window as you broke into that house. You left your deer there. Next time, wear gloves. Of course, mate. That's the kind of thing that happens. It's like school. And so they can all learn. But of course, now we've got the internet that does the majority of that for them, so it does come down to the offence and the impact and particularly risk to life. Jake Moore (17:53) And that's an important point, because a lot of these offences don't attach directly to the risk to life element and therefore the jail time is considerably less. Karissa (18:05) Yeah, I know what you're saying. I say this because my stepfather is a criminal judge here in Australia, so I can relate on that legal side of things. So then do you think this is just going to spiral out of control now? Because we're always talking about the Cybercriminals, there's so much ahead of us and we've got to buy more tech and more people. And then you're sort of saying on the other end, which is like, hey, I'm flat you've been catching these guys. What do you think is going to happen if you had to sort of hypothesise? Jake Moore (18:36) I think we're already seeing it sparrow out of control, but I think it's been a long time coming for particularly in the UK, to realise that they've got to spend more money in these areas of policing. It is coming. But you know what? I really think that when Wanna Cry happened. What was it, 2017, years ago now? I thought at the time, I was in the Cybercrime team at the time, thinking, right, this is so big, we are going to get so much money for this. This is actually what I have been waiting for. I sat back thinking, okay, it'll take a couple of years, but the government are just going to inundate these departments with a lot of cash and it never came. I then left a year and a half after that to join the private world, partly because I was a bit frustrated that the police wasn't getting the attention that I thought it deserved. So I've been sitting on the sidelines watching and even hearing from inside my old teammates and it's just getting harder and worse for them. And this is the frustration. I talk about the cat and mouse game and the gap between them. Jake Moore (19:44) I just felt like the mouse is running way ahead there and the cats there going, I don't even know what direction this mouse runs. Karissa (19:50) Well, yeah, so true. Everyone's sort of sitting there, oh, this breach will get more money, more funding. But, yeah, I guess it is coming, but I guess it's sort of incremental. But then I guess the other thing is as well, speaking about the media, is that we often do hear in the news, like, so and so got breached, but then it sort of dies down and then we don't really hear much after that in terms of what happened to the group or who was involved. Why do you think that's the case? You think the story is out from a media perspective? It's ironic because I work in media and then no one cares after that. I mean, more focus that mainstream media, I would say. Jake Moore (20:25) Yeah. Thinking of that, I think the public have this maybe this idea that it's completely faceless from the criminal group and it's victimless as well, because we hear about it targeting a company, but of course it's not because the company owns customer data. But people still don't care about privacy, which is so heavily linked with security. I do a lot of work with privacy specialists who go, how on earth are we going to make people care about their data? But when a breach happens, of course it's a security and privacy risk. But if they do still believe it's victimless, I think we've come to the assessment that we won't ever know who's behind these crimes. I don't think people actually care. Murders get endless amounts of money, particularly in the UK. They're not funded by the local police force, they are funded by our Home Office. So the government will just give endless money to do overtime and more resources, maybe even staff and police officers from other forces as well. They all come together to work on it because that's great. We've got a fantastic hit rate on putting murderers behind bars in the UK. Jake Moore (21:39) We're in the 90%, I believe, but when it comes to cybercrime, of course, it's so low down. This comes back to the whole, is there a risk to life? It's only data, it just got duplicated, they're just not caring about it. So it might be a big story at the time that they got breached, and then months later it's forgotten about, which is probably what these companies want. These companies don't want it talked about all the time. But what I have noticed in the last particular last two years is there a huge huge offences, millions, if not billions of lines of data, personal, private information where you live, names, dates of birth, even financial information. It doesn't even get any time in the press. I look around for it, I might find it on Twitter, but the mainstream press doesn't even care because maybe the public doesn't care. They just see it as a number and they expect it. Which brings it back to the whole Faceless site. Karissa (22:31) Okay, so you're so right. In media, it's about numbers, it's about eyeballs who's reading what, who's on the site. That's how they get money for advertising dollars. That's a bit of a controversial point, but do you think they don't give it any time because no one cares? So if no one cares and no one's reading it, which means that their advertising dollars go down, do you think it's that in there? Is it that cynical? Jake Moore (22:52) It could be, but then I still believe that the press are able to control what we are reading rather than knowing what we want to read ourselves. I think especially when COVID hit COVID, cyber security kind of went together. There was this link, strangely, that I noticed, particularly with security data and people using the internet, obviously more than ever, to contact, to do everything, people that had never done online banking, suddenly doing online banking, so it up to everyone's security and it ups the amount of offences, I think, that were occurring. But when he ran it down people's throats for particularly a year, and even the last year as well, I think now people are just thinking it's a definite, it's going to happen, they expect it and they accept it. And that's crazy. I'm thinking, no, we shouldn't ever accept a data breach. No, we need to be going after those people. We need to be looking at their policies, their procedures, making sure this doesn't happen again. It's up security awareness within staff, but it's just falling on deaf ears. And it's a real shame, because particularly my job is to make people extremely aware of the latest techniques. Jake Moore (24:04) And if you're looking at the latest technique, which is really clever and sophisticated, but it's falling on their ears with the whole it's never going to happen to me attitude, then we've got a real problem. So there is that balance about maybe not scaring them, but making people at least aware of what's coming. And that's where I think the press have a big part to play. Karissa (24:23) Yeah, you're so true. Do you think. As well. I think we spoke on this sorry. Touched on this when we spoke last. Is when it comes to cyber. Like you said. It's Faceless. You can't really see anyone. But like. When it comes to a murder. And I think I used there was a case in the US where we went global because there was a couple. They doing some trouble blogging or something. And she went missing and then they're like. Oh. He murdered her. And it was this whole story, the parents that came on and they spoke about their daughter and then what he was doing, and they had built this whole narrative, which was completely devastating. But we're not really doing that in our space because you don't really know who these people are. Right? And so I think that people can attach some level of empathy because they can see, oh, that's terrible. It was the husband that killed the wife. That's more of a sad story versus like, oh, well, the bank here in Australia got like a million dollars stolen. Who cares? Because banks are awful anyway. There's always that narrative. So I think, how do we change that? Karissa (25:25) We obviously don't want people to start getting murdered in the cyberspace for anyone to care, but it feels that that's only people what they care about. So what's your sort of thoughts? What's your advice? Jake Moore (25:36) You never know with the metadata coming. I'm sure we'll see some madness happen there, but I think it's so difficult to make people really understand now. Years ago, I actually thought, I wonder if the banks turned off any sort of giving the money back. Imagine that. You get £20,000 swiped away from you from a credit card. They're not in real cash. The credit card has been taken out in your name because your identity has been stolen. It's pretty easy to go and do this. And cleverly, they've got this card out in your name and it's got a 20,000 limit on it, for example. They just want to spend it everywhere and they don't know who's done it. What if the bank said, you know what? You actually now owe us £20,000, that we're not going to write that off. I mean, they would be uproar and I remember thinking, this is the way to do it, but then at the same time thinking, well, that could really affect people's livelihoods. And whose fault is it? Is it their fault that they put their information on a website and it got stolen because the website had poor security or just had a clever phishing attack or social engineering attack on inside a threat, you name it. Jake Moore (26:47) The list is endless of how that data might have gone out. Who's at fault? Well, someone's got to pay. Is it the company? These companies aren't really paying, they're just getting a slap on the wrist and the banks are saying, oh, come on, it's not really our fault either. It's a real issue. And as I think we're going round in circles, I think the public are kind of getting away with it and therefore they don't attach that emotion to it because they just say, I'm going to have my money back. Of course, it's not the same as a burglary. I mean, if you ever imagine coming home one night and there's someone in your house, okay, it's going to be horrendous then. But. It's going to be horrendous thereafter. You're going to be scared in your own home for the foreseeable future. You might not be to sleep at night. All those horrible things and worries that could affect you. Whereas when your money is taken with the faceless aside to this, people get over it, especially when they get reimbursed by the bank. Karissa (27:45) Yeah, that's so true. And I know because I used to work in a bank as well. I remember having this discussion, I remember explicitly in 2017, and they're like, what happens if we just decided to not give people their money back? And I was like, Look, I get exactly where you're coming from. It would force people to care more, but then I think we'd have more criminal activity because people like, all my money is gone, or What I'm going to do. And then people would start murdering and all sorts of things that start going on. Right. So I think it's a hard one, but then I think if I zoom out and it's like, okay, if we've got critical infrastructure, take a power plant and that gets breached and all of a sudden the thing melts down and it kills 50 people, do you think then we would have a lot more people feeling empathetic because it's a cyberatta breach? I still don't think it will, because it's going to turn into, oh, the power plant blew up. It's not going to start from, oh, it was a cyber breach which caused the power plant to blow up. Jake Moore (28:38) Yeah, and you're right. I mean, they've tried to connect cyber offences to people dying in hospital and theatre beds, but it's very difficult. It's still an indirect hit. It might be directly attacked at the hospital with ransomware. I mean, the press desperately tried to link it to see if it actually could have a physical change on someone's health and maybe even impact with a death, but it's very difficult to actually associate that. Your example there is a great one and I think it could definitely increase people's awareness and make them realise that we are talking about the physicalities and the connections. But until then, of course, I hope that never happens, but until something massive and I thought Wanna Cry was massive, then I think people just seem to put it to the back of their minds and think, maybe the police has got it. But that's not to say the police should take their foot off the gas. And if anything come into my first place, they really need to be putting even more emphasis on there, because we need to be telling criminals that it doesn't pay. Because at the moment that we've alluded to earlier, it sounds like it does and it sounds quite lucrative. Jake Moore (29:47) If you hear of the amounts of money these groups are making in a day from doing a few scams here and there, they might only get a 3% hit rate on a phishing email, for example. But that 3% works more than I am making a day. Karissa (30:03) Yeah. If I'm sitting in your home and not having to speak to anyone remotely, I think it's not too bad. Right, so I've got an interesting one. So we spoke before about, again, if I was in the UK, I committed a crime that's the United Kingdom, what your rules and regulations are, what the laws are in Australia, the same things. And I mean, there is stuff in the media about this, but I don't know how it's going to go. Like, are we going to create like a universal law of the internet? Because it's like, okay, well, you can't do that on the internet, but because we are in different parts of the world, you may not get prosecuted or it may not be part of the law, or no one cares by that point, because technically you're not committing the crime. Because I sort of look at it from online bullying. I'm so happy that you and I went to school. Like, all of Facebook was just emerging when I was in year twelve, and now I think another 15 years or whatever has gone by and I'm thinking, look at what kids have to deal with today. Karissa (31:04) And it's like, well, how do you sort of put any emphasis on, I can't go out in the street now and just punch someone. That's not the law. But technically, online you're punching people in the face because you're trolling them, you're bulling them. So are we going into a stage where we've got this sort of universal, I don't know, future of the incident, I think it's called in the media, I've spoken about it before, so that way we can try to reduce this, but then it just feels going to be hard to enforce because there is things like using VPNs or whatever it may be. I don't know. What are your thoughts on that? Jake Moore (31:37) Yeah, I think this is the difficult way of where we're going. It sounds perfect to have a universal law, but you're going to have countries that just don't abide by it or don't sign the agreement. And then you'll have what I call cyber havens, just like tax havens. You've got countries in the world that people know that they get a better tax rate, might have your money in Monaco, for example. This is the kind of thing we'll see. There'll be particular countries, I don't know, the Cayman Islands might be the place that all cyber criminals like to go because they're completely evading the rest of the world's laws. And then people pretend to be in the Caymans, do their VPN, you name it. Cybercriminals are so good at circumnavigating any sort of rule. I think that's what's so impressive. You give them a law or a rule. I remember in the UK it takes years for that to come into use as well. So they've got a couple of years to get ready for it as well. They all talk about it themselves and some bright spark will work out a way of getting round it and they all go and do it. Jake Moore (32:44) But I think it's so horrible if you're talking about cyberbullying, yes, of course, and that needs to be seen as a local aspect as well. But the more the internet grows, the cleverer that young people are getting, the easier it becomes for them and they're hiding behind it. Karissa (33:03) Yeah, I guess that's just the issue, because I'm just hearing speaking to friends and they've got children and they're like, oh, my gosh, that's happened to my kid. And I'm like, oh, my gosh, these kids are, like, ruthless. I was never like that at school, so I guess I was surprised. And so it's hard. It's not like there's an easy answer, I guess, having the conversations, people like yourself to just we don't have all the answers, but it's having these discussions to get people to think, because I do think it does need to fall back on the government, but they're probably thinking, what do you want us to do? We couldn't even tell people in Australia to put masks on at one point, let alone let's try to control people on the internet. So I don't know. I don't have all the answers. I'm just curious to know, what are we going to do? Because as you sort of alluded to multiple times in today's interview is it is spiralling out of control. It is getting worse. And so I guess if it's getting worse and it's finally out of control and there have these solutions, where are we going to end up? Jake Moore (33:57) Well, I do think it's going to get better. In terms of cyber bullying, one of the things I think about is, let's say you take an average young teenager, like a 13 year old who's just got a mobile phone on social media and starts with the typical classic bullying, which, well, like you, I never saw it, luckily, but it must be horrendous. I've seen some horrendous things. They don't know where to turn because their parents are potentially completely away from it. A couple of generations older, didn't have phones when they were younger, don't really get technology. And I see that the typical mom or dad won't understand a lot of these apps, but although we're in a bit of a difficult time right now for these teenagers, when they become parents themselves, I think they'll understand the technology a little bit better. Okay, they'll still be two generations older than the next level of teenager, but they will understand cyberbullying because they would have experienced it. I've got kids, I've never experienced cyberbullying. My daughter is ten years old, hasn't got a phone yet. Once she does, it's going to be very tough. And I understand technology and I work inside this environment, but it's going to be tough. Jake Moore (35:16) How I learn through her, what it's really like, but when I think when she's going to be a parent to a ten year old in 30 years time, she'll kind of get it a little bit better. Although there will still be a huge age gap. I think there might be that way of understanding, which say you and I don't have. Karissa (35:37) Yeah, no, that's a good point. I think you're absolutely right. I guess we don't have a crystal ball, we don't know what's going to happen. I think it's just getting parents to be equipped with knowledge and the insights and saying, okay, you can only have X amount of phone time, like, you can't be on the phone twenty four, seven, and then how you educate your own children through that. But do you also believe that there are other people out there who do care about knowing who cybercriminals are? Like, just outside of you and me? Jake Moore (36:11) Yeah, of course. I mean, crime shouldn't pay, we need to catch all these criminals and I don't think the police want to take a blind eye to a lot of these things, but it is too difficult for law enforcement currently. But unfortunately perpetrators are getting away. But I do think it's going to change. Like I said, it comes back down to resources, pumping that money into it and working with technology companies as well. Working with the technology and these firms to make it easier. I've always felt that law enforcement schools, parents and companies don't work together. Some people have tried, it's difficult, but I do think we can do it. Criminals, they're running away with it, whether they're cyberbullying or breaching massive banks for data, it's all kind of a connection. But working together, I do think it is the way forward and raising that awareness for all ages and bringing it more into schools as well. So not just about cyber safety, it's cyber security. I know that most schools don't touch on those kind of things. They tend to work more on the bullying or maybe grooming side of things, which is right, but I think we need to be focusing more on the future. Jake Moore (37:22) Maybe the curriculum hasn't really seen the future yet, but again, that takes a long time to change. So we are getting there, we are moving in the right direction, just a little bit slower than we'd all hope at the moment, but we will get there. Karissa (37:35) And do you think over time as well, go back to that 1%, they get caught, do you think that that will increase over time? Because we are going to get better, we got better technology, get better people. Jake Moore (37:45) Yeah, I really do. I can't ever see it turning into the majority. Maybe it will go up slowly and maybe it will never go above 10%, but we need to be working on that. It's not giving faith to the public. It's funny because in the UK we always have these stats that come out every year that say, how safe do you feel? And how much faith have you got in your police force? And it's damaging when you look at the statistics of who really trusts or believes in the police force. But that probably comes down to the fact that they're not catching all criminals and to those people are thinking, well, they never found that person that hacked into my Instagram account. They are spending time on catching murderers. Brilliant. And people that are driving too fast, which could cause a horrendous accident, but at the same time, they need to be spending the time on the local things, the hacking of people's personal accounts, the bigger breaches, those kinds of things, that's what gives the faith back to the public and then they feel safe and then everything can then grow from that position. Karissa (38:54) Yeah. And I think sometimes as well, when I've met people just randomly like, oh, what do you do when you start telling them? They're like, oh, well, I had this story and then my Instagram got hacked or my Facebook got reached or something. And then straight away there's that point of that they can relate on that consumer level because I would say everyone out there has had something that's been close to that or it's like, oh, someone's trying to log into your Gmail or whatever it may be, there's an alert, but because you've got two factor, they can't log in. So I think that even speaking to people who don't know anything about me, and you start saying I'm in cyber and this is what I do, and then straight away they start to open up these conversations about their own personal experiences, which isn't like, oh, here's me implementing some enterprise level solution. It's more so. It's something that they can relate to on the consumer level. So I think, unfortunately, what I've seen, even speaking to people because they have been hurt before by something that's happened on this front a little bit more vigilant moving forward, and they're more cognizant of it because they have been burnt and it does hurt and it is upsetting, especially when it's their own personal life on the line and their own reputation. Karissa (40:00) And unfortunately, we don't want that to happen to everyone. But sometimes, even when you're a kid and your mum's like, oh, you guys call it is it a hobby in the UK? Don't touch the hob and you touch it in advance and you stop doing it again. And I don't want that to be a thing that happens to everyday people, but maybe it has to be on some level like that for people to have that level of cybersecurity awareness a bit more. Jake Moore (40:26) You're absolutely right. And the people that I've spoken to that has happened to, they mentioned that feeling in their stomach that, oh, I felt terrible, I lost all my data or I've lost my Instagram business account and there's only so much you can say I told you so to those people. They don't want to hear that, but they learn and they really do go forward. And then when you say, oh, have you set up you're a good authenticator yet? They go, oh, yeah, I did it. Straight away, when you ask, wow, you say the same thing to someone else who hasn't had that happen to them? Yeah, Jake's just talking about cyber security again, going on about that rubbish. That tends to be the way I know that particularly. I do a lot of talks and training with companies. I try and get them to have that feeling in their stomach, which is really difficult, but I try and do it in a way that they at least then think about it. Should they then go back to their accounts and go, you know what? I shouldn't have the same password for absolutely everything. You'll have it in your companies. Jake Moore (41:24) All over the world, people are using the same password still to get into their Instagram as they do to log on to their Windows machine. It's just human nature for the majority, and it's unfortunate, but if you can get them to have that feeling of an attack, that's a strong word, but it is. They then remember it later on. And so, yeah, your hob example is absolutely right, because as soon as someone touches it, they're going to know forever. That actually hurts when touching it. Karissa (41:53) Well, we call it a stove here in Australia, but I did remember that you guys call it a hobby because you'd be like, what is that? But look, this has been awesome. Jake really appreciate your thoughts inside. This is an interesting topic because it's something I've never covered before, I think. Something that when you raise it, I was like, yeah, that's so true. It's something I've often thought about, like, who are these criminals? Bring them to the media. I want to look at what they look like. So, yeah, I think this has been an exceptional interview and I really appreciate your time and thanks for coming on the show. Jake Moore (42:24) Thank you. It's been absolutely lovely talking to you. Karissa (42:27) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security search and recruitment solutions. Visit mercksec.com to connect today. If you'd like to find out how KB can help grow your cyber business, then please head over to KBI.Digital. This podcast was brought to you by KBI.Media, the voice of cyber.