IT Essentials: Who cares about cyber?
We’ve stopped caring about cyberattacks, and that’s dangerous.
It’s been a brutal few weeks for cybersecurity. Last week alone brought news of breaches at the Legal Aid Agency, Peter Green Chilled Foods, and serious vulnerabilities discovered in the My Volkswagen app. These aren’t isolated incidents — they’re part of an escalating pattern of cyber threats.
Meanwhile, we continue to get updates on major breaches already in progress. The ongoing cyberattack on M&S, for example, has reportedly cost the retailer over £300 million — and counting.
And yet… who really cares?
These companies are likely to have insurance. Reputations can be repaired — just ask Target or Nestlé. And let’s be honest, most of us have already given up on the idea of data privacy. If a corporate giant loses some money and a few thousand records get exposed, does it really matter?
Well, yes actually. As Graeme Stewart, Head of Public sector at Check Point said to Computing with reference to the Legal Aid Agency breach last week:
“We are now in a state of breach fatigue. Cyberattacks have become so frequent that they barely register. Today’s headlines are about Gary Lineker leaving the BBC, not the fact that criminal records, national insurance numbers, home addresses, and financial details have been stolen from a government organisation. That says it all.”
Cyberattacks are normalised. They’re background noise — treated as niche IT issues, rather than the deeply human, societal problems they truly are. Many individuals mistakenly assume their banks will cover any losses from scams. Others feel powerless or indifferent, believing it’s someone else’s problem.
This fatalism plays directly into the hands of cybercriminals. When security feels futile, people disengage.
The cybersecurity industry is partly responsible for fuelling this fatalism. The dominant narrative — “it’s not if you’ll be breached, but when” — couldn’t have been designed better if your goal was to breed apathy and fatalism.
Are there any other industries where products and services are marketed on the basis that their failure is inevitable? Or that ‘previous versions of this product haven’t worked so that’s why you should absolutely buy the new one.’?
The same cynicism makes administrators hesitant to apply updates or enforce best practices, fearing operational disruption with minimal perceived benefit. What’s the point in cybersecurity best practice if someone in another department clicks on a link they shouldn’t?
You’re only as strong as your weakest link.
But this logic is like a corrosive liquid which has now spilled into the public domain. The public is losing trust in the systems we rely in every day and that loss of trust in institutions feeds the worst possible political impulses and outcomes.
What can be done? Graeme Stewart emphasises the importance of presenting cybersecurity as a people issue, not a technical one. He says:
“We need to move beyond a culture of crisis response. Cybersecurity is not only a technical priority. It is a matter of public confidence, personal safety, and fundamental trust in the institutions we all rely on.”
Rebecca Taylor, a threat intelligence expert and author, echoes this, arguing that cybersecurity professionals have a role to play beyond the workplace. By educating the people around them — friends, family, communities — they can help foster a culture of good cyber hygiene.
That means shifting away from blame and shame. The less embarrassment people feel when they make a mistake, the faster they can respond — and the less time attackers have to exploit them.
Finally, companies and institutions must take responsibility. No, cybersecurity can’t offer 100% protection. But there’s a big difference between being unbreakable and being low-hanging fruit. The bare minimum shouldn’t be the default.
Rebuilding public trust starts with taking security seriously — and that means moving beyond platitudes. We’ve heard too many times that each new breach is a “wake-up call.”
It’s time to stop hitting the snooze button.