Cyber Crime: stats, SMEs and psychology

For the first time, the UK Office of National Statistics included cyber crime in their quarterly report, which had a profound impact on the numbers, resulting in a 107% increase in crime statistics since last year when cyber crime was not taken into account. According to the official numbers, there were 5.1 million cyber crimes and frauds last year, plus 2.5 million offences under the Computer Misuse Act. Of course, these statistics cover only known, reported and recorded crimes, so they are far from telling the whole picture.

A week before the crime stats were released, Cardiff University published a report on the challenges of policing economic cyber crime, authored by Professor Michael Levi for City of London Police. The report has garnered some controversy in the press for raising the question of whether victims of cyber crimes who have failed to put in place measures to protect themselves should be a lower priority for police resources. In fact, the authors do not state that some individuals should not receive police attention, as claimed by the Daily Mail, for example, which references an edited quote from the report. The authors do, however, raise the question for debate, stating:

“For some individuals, no Protect and Prepare efforts will work. It is also arguable that they should not receive scarce Pursue policing resources because they have not exercised due diligence on their own behalf” (p.72)

The report then goes on to highlight some complexities with this and concludes that more debate is needed with an honest recognition of actual and proper limits of police.

While I find the notion of victim culpability unhelpful to say the least, it’s a shame that the press have focused on, and exaggerated, this part of the report and overlooked the rest. The substance of the report is helpful in outlining key challenges facing the policing of cyber crime and recommending how we might make improvements. The key challenges it outlines (all too familiar) are:

  1. The complexity of cases
  2. The cross-territorial scale of crimes
  3. Rapidly changing tactics of offenders
  4. Volume of incidents
  5. The fact victims are often unaware of incidents
  6. Chronic under-reporting of cyber crimes
  7. A lack of information-sharing and intelligence-gathering on organised criminal gangs and their activity

With these challenges in mind, the report recommends a greater focus on protecting against and preparing for cyber crime, not just trying to pursue criminals after the event. The need for better education and greater awareness-raising of the threat is stressed, especially amongst business. The authors also suggest that more insights from behavioural economics are required, to ‘nudge’ people into better-informed use of ICT. I wholeheartedly support this, as I’m sure anyone who has ever seen my conference talks would testify. From my experience delivering exactly these kinds of messages both to organisations I work with and at corporate and industry speaking events, this is something the industry is crying out for more of. Most people recognise that information security is not simply a technical issue and that it must be tackled in conjunction with a better understanding of psychology and sociology.

A key theme in the report is the need for more help to protect and prepare SMEs. The authors argue:

“There has been less governmental and cross-sector investment in SME security as firms focus on those who are willing and able to pay for cyber security. This ‘willingness to pay’ model does not correspond to the impact of cybercrime as a ratio of profits, turnover or assets, which is likely to be more significant for smaller than larger businesses” (p.49)

Criminals are increasingly targeting SMEs, aware they often have less security in place compared to larger organisations, and the impact of such crime can be particularly catastrophic for a smaller organisation.

Referencing an (unpublished) Cyber Streetwise survey in which 22% of SMEs admitted they don’t know where to start with information security (from my experience, that number is likely a lot higher), the report highlights the challenges of government initiatives in an atmosphere where small businesses are suspicious of government. The authors argue that better supporting SMEs requires someone who has across-the-board credibility. Another key issue is that support currently provided by the government (e.g. Cyber Essentials guides) is only useful if the organisation understands it is likely to be a victim and seeks guidance. From my experience, one issue the report overlooks is the lack of guidance and support for SMEs which are beyond the Cyber Essentials level but still want and need to develop their information security.

Taken together, the new statistics and the Cardiff University report highlight how much more work needs to be done in the fight against cyber crime. They reflect the scale and complexity of these crimes and the extent to which individuals and businesses (small and large) need more support. They show we need to do much more to deal with what has become the most common crime in the UK.

By Dr Jessica Barker