The UK is uniquely placed to spearhead the global response to cybercrime, according to Andy Archibald, Head of the National Crime Agency’s (NCA) National Cyber Crime Unit (NCCU). But does the UK have its cyber-ducks in line? There are many areas to consider as we push forward to promote a global response to cyber threats.
The UK is affiliated with all the right people to help move the global response forward, such as the Five Eyes Alliance, the EU, the G8 cybercrime working groups, Europol and Interpol. The UK has also introduced initiatives such as Cyber Streetwise, designed to highlight the risks to security and privacy online, both at home and at work, and to educate people about them. This is much needed, as our culture has changed so much, with flexible working seeing more of the workforce mobile and using their own devices (BYOD). Consequently, the line between these two areas of life has blurred. Additionally, there has been the introduction of the new cyber information sharing platform, part of the new CERT-UK. But what do we really need to grasp in order for standards of cybercrime detection and prevention to be improved?
However, according to a recent BT report¹, UK plc is not as concerned as the rest of the world about some key cyber topics. The UK under-indexed in perceived threat from malicious and non-malicious insiders, organised crime, nation states and terrorism. In addition, the same research revealed that the UK lags behind Brazil, the US, Singapore, France, Hong Kong and Germany in the percentage of businesses that see cyber security as a major priority. Raising levels of concern and C-suite engagement must surely form a key part of the battle against cybercrime.
Under-reporting of cyber-dependent and cyber-enabled crime is a significant issue. The reporting rate is around 2% for businesses and 1% for private individuals³. There are a variety of reasons for this, including not realising it is a crime, thinking it has been dealt with internally, fear of reputational damage (in business) and not knowing where to report such matters. Add to this the fact that cybercrime is not broken out in police statistics, as these crimes are recorded under the individual law that has been broken, such as fraud. So a phisher, for instance, may not have physically taken a credit card and fraudulently used it; it may all have been done electronically. However, they are more likely to be tried for fraud than under the Computer Misuse Act. This makes cybercrime very hard to measure and therefore to benchmark, so improvement or deterioration is hard to quantify.
Less than a quarter of UK employees do not know what phishing² is, yet this is one of the most common cybercrimes. In 2009 there were 51,000 “Bank” phishing websites; this increased fivefold to 256,641 in 2012. Add to this the fact that we cannot accurately attribute all the fraudulent activity and financial loss experienced due to phishing, as it is often hard to identify. However, given the growth in these specific bank-related phishing sites, we can be fairly certain that this too is spectacularly under-reported. Action Fraud suggest that one third of reported frauds during January to December 2012 were cyber-enabled. That is basically 48,000 frauds in one year. Yet these frauds will not have been reported or recorded as cybercrimes.
Taking all of this into consideration, then, estimating the cost of cybercrime is very hard. This is recognised by the Cabinet Office in the UK Cyber Security Strategy: “A truly robust estimate will probably never be established but it is clear the costs are high and that they are rising.” The general informal consensus is that we are talking billions of pounds.
It will be challenging to gauge our response if we don’t know how cybercrime is evolving, based on an accurate assessment of reporting and UK plc cyber preparedness. Placing the UK at the forefront of the fight means the UK needs to significantly up its cyber-game.
Sources: ¹ BT Cyber Readiness Survey 2014; ² OnePoll survey for PhishMe; ³ Home Office, “Cyber Crime: A Review of the Evidence”