Criminal Capability Outpacing Ability to Defend Attacks in UK: Report

Education and Information Sharing are Central to the NCA Cyber Crime Assessment

The UK’s National Crime Agency (NCA) released its Cyber Crime Assessment 2016 this week. Designed to outline the “real and immediate threat to UK businesses” from cyber crime, the report tells us little that is new. It argues that criminal capability is outpacing industry’s ability to defend against attacks, and suggests that “only by working together across law enforcement and the private sector can we successfully reduce the threat to the UK from cyber crime.”

None of the headlines that will be drawn from this report will be a surprise. We need better co-operation in information sharing between different companies and between companies and law enforcement.

The loss to the UK economy through cyber crime is huge (estimated at “billions of pounds per annum – and growing”), but we don’t know how bad it is because of massive under-reporting by impacted companies.

Criminals are becoming better organized. There are relatively few master technical criminals, but this is more than offset by the emergence of malware-as-a-service and access to various easy-to-use tools that can be used for nefarious purposes.

“Some of these groups are now so well established and business-like that they have well-defined organizational structures, access to specialist skills and functions like call centers and translators,” the report reads.

Nevertheless, the report raises three issues that are worthy of deeper consideration. The first is compliance. “A ‘compliance approach’ that aims to meet minimum standards does not adequately deal with intelligent and evolving adversaries, as threats are evolving faster than most defensive technologies and security practices.”

The unstated implication of this comment is that concentrating on compliance could lead to a false sense of security, and in that sense could be dangerous. “True security,” comments Charles White, founder and CEO of IRM, “is more an alignment of culture, appetite, systems, processes and procedures — none of these have a compliance attainment level. Compliance alone has little or no value in the world of enterprise cyber security because the moment most corporates think they have attained compliance they consider the job done.” It clearly is not.


The second issue is reporting, where there is a “clear shortfall in established reporting”. The NCA study makes no mention of the General Data Protection Regulation (GDPR), which is perhaps unsurprising following Brexit, but GDPR, if enacted in the UK, could force a complete change of attitude.

“I can’t think of one benefit a company would gain by reporting a cybercrime. But this isn’t about the company, it’s about the individual,” says White. With GDPR, “UK plc is no longer being asked politely by authorities to protect citizens’ data or IPR, it’s being told you’ll be fined and named if you don’t.”

Without GDPR or similar in the UK, the current emphasis on protecting the company rather than the individual will continue. With GDPR, new and effective reporting procedures will be required.

The third issue is a lack of boardroom involvement in security. “Cyber crime mitigation efforts within many businesses are hampered,” says the NCA, by “limited board and top management engagement in addressing cyber security and cyber crime challenges.” Improved education is one way forward, but that would require an understanding of the current failings: does the boardroom not understand security, or not care about security?

Both of these questions, suggests Richard Turner, EMEA President at FireEye, would be solved if the board actually considers the potential cost. “Boards need to realize the impact a breach can have on stakeholder value,” he told SecurityWeek.

“A recent study conducted by FireEye & Vanson Bourne showed that 52% of consumers would take legal action against their service providers if their personal details were stolen or used by criminals in the event of a data breach. This shows the impact this can have on a business and why cyber security needs to be a boardroom discussion.”

But perhaps the real reason for UK boardroom complacency is the current lack of a really good UK corporate cyber disaster.

“The UK has yet to experience a cyber attack on business as damaging and publicly visible as the attack on the Target US retail chain,” the NCA report says.

This could quickly change. Following the UK referendum on continued membership of the European Union, warns Turner, “it is quite likely that foreign nations with UK interests or dependencies will focus their espionage efforts more fully on the UK to harvest post Brexit intelligence in order to shape their own strategies or responses.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
