“Without business, we are dead in the water, because what our sources can tell us about what is happening is a fraction of the intelligence businesses can provide,” said chief constable Peter Goodman, NPCC lead for cyber crime.
“But with input from business, we are really data rich in a much more strategic way than what we have got so far, and we are doing all we can to build relationships with different sectors at all levels of law enforcement so that we can be in a really healthy position in future,” he said.
Of an estimated 1.8 million cyber crimes in the UK in the past year, only 30,000 were reported to the police, which makes it extremely difficult to gather the intelligence required to pursue criminals and put them behind bars, according to Oliver Gower, deputy director of the NCA and head of the NCA’s National Cyber Crime Unit (NCCU).
“We need businesses to report more because we depend on industry talking to us, but we have section 7 under the Crime & Courts Act which enables them to share information confidentially without having to trigger a formal crime report.
“However, our emphasis is on formally reporting any cyber crime because it is a reality of modern business, there needs to be more openness around this issue and it enables is to carry out a full investigation,” he said.
There is a large gap between the number of crimes taking place and those being reported, said Goodman. “This is why we are encouraging people to report crimes and make it feel like a much more balanced picture.
“But many people still fear that if they report their business’s reputation will be destroyed and that they will be dragged through the courts and have their vulnerabilities exposed.
“We would never do that because we recognise that if we are going to have a relationship with commercial organisations, we are going to have to respect their business and commercial requirements. We would never do anything against the will of a business,” he said.
Action Fraud is the main facility for reporting cyber crime, and Gower said this is continually being improved.
“We are also talking more about our successes in criminal investigations to give businesses more confidence to report cyber crime,” he said.
Gower said that across UK law enforcement, more than 200 arrests were made in connection with cyber crime in 2016, while 20 people were arrested in connection with the biggest cyber incidents between October 2016 and April 2017.
“This shows that the perception that the people behind these cyber attacks are unreachable, is not accurate,” he said.
The reason people report car crime, said Gower, is often because they need a case number for an insurance claim. “Perhaps we need to think more strategically about how drive up the cyber crime reporting figure,” he said.
Sharing threat intelligence
Gower also emphasised that sharing threat intelligence across industry sectors is important. “I believe the threat will drive that culture change, which we have already seen in the banking industry through initiatives such as the Cyber Defence Alliance and the government’s Cybersecurity Information Sharing Partnership (Cisp),” he said. “Banks are sharing threat intelligence to warn each other when these things are happening.”
At the same time, Gower said more needs to be done across business to ensure that systems are not unnecessarily vulnerable.
“Businesses have a responsibility to take more care to protect their valuable data, and to think about how well those in their supply chain is defending their data, which is why we are increasingly reaching out to local businesses,” he said.
With the compliance deadline for the EU’s General Data Protection Regulation (GDPR) just over six months away, Goodman said it will be interesting to see what effect this will have on businesses’ attitude to data protection.
“The GDPR bring with it a requirement to report data breaches, and I wonder if we will see an increase in reporting,” he said.