Jude McCorry: Leading Scotland's efforts to tackle cybercrime
Jude McCorry grew up in Northern Ireland during the Troubles and had to learn how to be resilient from an early age. Even as a child, she was constantly aware of potential danger during a time where bombings and sectarian killings were a sad fact of life.
“We were always wary,” she says. “There were things we couldn’t do, things we could, and places to be wary of visiting at certain times.”
McCorry is now tasked with helping spot and respond to a different kind of threat. As chief executive of the Cyber and Fraud Centre Scotland, a role she took up in the first week of the pandemic, she plays a big role in supporting and promoting resilience to businesses and individuals in Scotland through what is generally considered the most dangerous period to be online.
It is not a secret that since the beginning of the pandemic cybercrime and fraud have become more prevalent and more sophisticated. According to the Scottish Government, in 2022-23 an estimated 14,890 cybercrimes were recorded by Police Scotland – almost double the pre-pandemic year of 2019-20, where 7,710 cybercrimes were recorded.
Some of these attacks have been very public, namely, the attack on the Scottish Environment Protection Agency (Sepa) in December 2020. There is a near inevitability that more attacks will happen to Scotland’s crucial organisations. McCorry warns that if there are multiple breaches at the same time, it would be impossible to respond to.
At times of high stress and raised emotion for businesses and individuals who feel under attack, McCorry’s warm demeanour must offer a certain level of calm and reassurance.
She says if I were to ask her peers and teachers at school, they would say she was always a happy child. Growing up in a small border town in Northern Ireland in the 1980s, she recalls early memories of sunny days with her grandmother, who lived with her mother and father until she was three or four. But it wasn’t lost on her then that she wasn’t experiencing an ordinary childhood.
“When we started going out across the border into Dublin and places like that you knew you had a very different childhood to other people,” she says. “It was bad news all the time. We’d sit down to eat breakfast and it was always about bombs, kneecappings, murder, or news about trials. It was a difficult time, north and south, and religion had a lot to do with it.”
McCorry recalls the signing of the Good Friday Agreement in 1998 and “feeling 10 stone lighter”, admittedly not knowing what it would mean for her, but knowing it signalled a new time for everyone in Northern Ireland.
McCorry describes her family as very arty. Her father encouraged her to play an instrument, but she admits that she was “awful at music”. After trying many instruments, the last her father tried her on was the banjo.
Although she hated it, she was entered into the county Fleadh Cheoil (a music festival) and won in her age group. She then qualified for the Ulster Fleadh Cheoil, at which point she tells me as she laughs: “This had to stop”. But she won that too and qualified for the All-Ireland competition.
She recalls the period before and after the Good Friday Agreement was signed and how money started to flow into the country offering new opportunities for her generation.
“There were a lot of cross-border initiatives, and I used to take every opportunity to go somewhere from our school. I don’t know if you’ve watched Derry Girls, but it was like that, none of us cared about the Catholic-Protestant thing. It was all about what we could get out of it because we were all friends and religion didn’t matter to us.
“We got funding to build sailing boats, went on sailing camps in County Down for two or three weeks, and I remember thinking was I lonely or homesick going away that often as a teenager – but no, I just loved it.”
The 1990s offered a new opportunity for businesses in Ireland – American tech companies began moving some of their operations across the Atlantic and McCorry was one of the early benefactors of that.
After studying French and Business at university, she started working with Dell, which had moved to Limerick in 1991. She describes the time she got the job as a “very strange era”.
“It was before the Celtic Tiger (a period of rapid real economic growth fuelled by foreign direct investment from the mid-90s to the late 2000s), that the Irish government was giving grants for these American companies to set up. At that time Apple had already set up and Gateway and Dell were in the process of doing so.
“When we were going for interviews, we didn’t even know the names of these companies. Only once you were told you got the job were yo told the name of the company.”
She was one of the first 100 employees at Dell in Ireland. McCorry recalls the amount of time and skilling that was being afforded to her and her new colleagues in the early days at Dell, and she says, “for kids that had just left university we earned a lot of money”.
And while she says she saw her peers making less than smart purchases with their earnings, her dad told her to “do something smart” with her money, warning that it wouldn’t last and it could “destroy” her.
She admits it was hard to see past where she was in her life at the time, having worked in hotels and shops previously, she described the work she was doing in that period as “a piece of cake”.
“We were getting these things called bonus bonds every month, which were tax-free incentives. I thought I was set for life.
“I stayed for five years, but after that, I felt like I wasn’t learning anymore. So I started looking for something that was more data-driven. I found a company in Ireland that could support that. It was a two-man setup up so very different from where I had been before and quite quickly I asked myself ‘what the hell are you doing Jude?’”
She says she “bawled her eyes out for the first week” after leaving Dell. It was all she had known and the stark contrast of her new office was foreign to her. The onus to make money was solely on her, there was no team behind her.
“I went from Dell who would call me up to say I hadn’t spent enough in corporate hospitality to getting called up and questioned about my phone bill. I did question for a while what I had done and knew there was always an option to go back but I knew I needed to give this a go.”
Within two to three years the company became successful and was one of the 50 fastest-growing companies in Ireland, opening offices in Belfast and London. But McCorry was dealt a setback when there was disagreement between people above her in the company which was quickly followed by the dotcom bubble bursting.
She recalls the day she came back from a holiday and the liquidators came in, but she knew the writing was on the wall long before that.
“I felt such loyalty to that company; I could have left and got another job months before, but I couldn’t leave the people working there. We hadn’t been paid our wages, and people were at your door asking for your laptop – it was a really scary time.
“That was probably the only time in my life that I had burnout. For the first time in my life, I didn’t have it in me to build back up again.”
It took her around three years to realise it was the “biggest learning curve” of her life.
McCorry’s Irish identity is as apparent as her accent, as is her pride in it. But she has become one of the key characters in Scotland’s burgeoning technology community. And that began 20 years ago when she visited her friend in Scotland for her 30th birthday, where she also met her husband, Robert.
After living in a long-distance relationship for a year, it became a question of who made the move, and it being the period where she was recovering from burnout, McCorry made the jump, realising she could do consulting wherever she was, as well as understanding “the Celtic Tiger was about to go”.
In the years that followed they had their first child, but shortly afterwards Robert had a very bad cycling accident that left him in intensive care for around four weeks with six cracked ribs, damage to his spleen, a broken cheekbone and a punctured lung. He had to learn to walk again.
“I had nobody to support me. I would put our child into nursery, then go to work, be in the Royal Infirmary in Edinburgh for lunchtime, go back to work in the afternoon, pick up my child, and go to the hospital again.
“I had that mother’s guilt with no support. I remember getting a call from the nursery to tell me my daughter was sick, and I thought, I can’t do this.”
She decided to put a pause on her career to look after her daughter and her husband while working one day a week at Edinburgh Napier University. McCorry then worked at Business Stream and the Data Lab. For her next step, she wanted a chief executive role at a smaller company. She was appointed chief executive of the Cyber and Fraud Centre Scotland at the very beginning of the pandemic. It was during that period she realised how beneficial flexibility was for mothers who were struggling like she had.
“There were women that were getting up early and doing schoolwork with their kids, then logging on, finishing, and then doing more schoolwork. I know physically I couldn’t have done that with the amount of work we had to do.
“I knew this had to change, the narrative of eight am until five pm, and a lot of companies, including ourselves, have changed to make sure we are supporting working mums. Whether that’s staggered start times or a half day on a Friday – like we implemented.
“After I saw how much more I was getting out of people, we trialled four days for six months. It is one day extra, and I don’t think any of us would go back to five days.”
It’s clear that strong community bonds have been a common thread throughout McCorry’s life. I ask her what the technology community is like in Scotland. She speaks separately and highly of both the data community and the cyber community. However, on the latter, she feels it has become too insular.
“What I think is missing is that, while Scottish Development International is very strong and was showing off what Scotland was about pre-Covid, we have become very insular in the community. We should be showcasing our community to the world.
“We used to go over to New York for Strata conferences for data and you would meet so many amazing people who would realise Scotland is doing many amazing things. The community is good, we just need to open it up. I think we have got too comfortable, and we need to give ourselves a good push.”
McCorry tells me Scotland needs to get better at selling itself, similar to how Ireland can. She points out Scotland has a great history of founding and inventing but not selling it well enough.
“We have always looked to the next unicorn company...Why not look at bringing big companies into Scotland as well as growing our own?
“But also, in Scotland we set up so many initiatives, like the Logan Review, for example, all these things that have had money thrown at them. Can we just follow something through? The innovation centres that we set up for example, some of them have got funding this time, some haven’t, and there was also talk of having them be self-sustaining, but where is the help to let them do that?
“They’ve achieved really great things, yet some of them just didn’t get funded this year. The 5G Centre is still waiting to see if they are going to get funding or not and that’s due next month. We need someone at the Scottish Government to look and see what is working and what is not. They are not looking in a strategic way of how we keep the things that are working and that we need for the future here.”
It’s well understood that cybercrime is more rampant than ever and McCorry paints a worrying picture as she reflects on the attack on Sepa. At first, she questioned whether it was a wider attack on other government agencies. She describes it as “lucky” that it was only Sepa.
“If it had been two or three more agencies, we wouldn’t have been able to cope. And we are still in a position where we would not be able to cope with it.”
McCorry is very clear – there is no money for investment to prepare against these attacks better than we already are, she tells me. She also questions if at a board level threat is taken seriously enough.
“There should be a proper cyber strategy for these organisations, and I don’t see enough of that.”
She commends the Scottish Government for setting up the Scottish Cyber Co-ordination Centre (SC3), which pools resources and expertise for public sector bodies, yet she worries that pooled expertise is only effective “if people are taking it up”.
“You often hear people that have been attacked saying they never thought it would happen to them. The message we are sending is, that it will happen – it is when, not if.”
The effect of the attacks is not just being felt financially, in some of the starkest cases people have taken their own lives. McCorry equates the effect it has on people to growing up in Ireland during the Troubles.
“There were a lot of bank robberies by organised crime groups. When they happened, the bank was closed down, people got support and counselling, and then an investigation would take place behind closed doors.
“If there is a cyber-attack you don’t get that support, the business doesn’t close. You have to try and keep the show on the road or get it back on the road. You are working all around the clock, sometimes during Christmas and New Year. The thing we are good at in Scotland is finding the right people to plug in and help you rebuild, but these things are never easy.
“Where we are failing victims is on the fraud response, things like business email compromise, CEO fraud, investment fraud. I have had two calls in the last two years where people have said they felt like committing suicide because of the amount of money they had lost.”
In response to this, McCorry and her team have trialled a multi-agency triage hub with the banks and cybersecurity partners to try to speed up the process and to collaborate with the banks to try to recover the money, and it has shown positive results.
“We had a gold investment scam, and within an hour we had two banks on a multi-agency call; we had all the evidence sent over to the police and within three weeks, six people were arrested who are now awaiting trial in Scotland.
“Before the triage hub that would have never happened. We need to catch these gangs because they are not just into that, that money could have financed other crimes like people trafficking and people don’t believe me that there are trafficked people, sometimes kids, in Scotland, living in squalor.
“Cybercrime is usually caused by Russian or Chinese groups, but it is the fraud that is running amok.”
Holyrood Newsletters
Holyrood provides comprehensive coverage of Scottish politics, offering award-winning reporting and analysis: Subscribe