Education and Information Sharing are Central to the NCA Cyber Crime Assessment
The UK’s National Crime Agency (NCA) released its Cyber Crime Assessment 2016 this week. Designed to outline the “real and immediate threat to UK businesses” from cyber crime, the report tells us little that is new. It argues that criminal capability is outpacing industry’s ability to defend against attacks, and suggests that “only by working together across law enforcement and the private sector can we successfully reduce the threat to the UK from cyber crime.”
None of the headlines that will be drawn from this report will be a surprise. We need better co-operation in information sharing between different companies and between companies and law enforcement.
The loss to the UK economy through cyber crime is huge (estimated at “billions of pounds per annum – and growing”), but we don’t know how bad it is because of massive under-reporting by impacted companies.
Criminals are becoming better organized. There are relatively few master technical criminals, but this is more than offset by the emergence of malware-as-a-service and access to various easy-to-use tools that can be used for nefarious purposes.
“Some of these groups are now so well established and business-like that they have well-defined organizational structures, access to specialist skills and functions like call centers and translators,”the report reads.
Nevertheless, the report rises three issues that are worthy of deeper consideration. The first is on compliance. “A ‘compliance approach’ that aims to meet minimum standards does not adequately deal with intelligent and evolving adversaries, as threats are evolving faster than most defensive technologies and security practices.”
The unspecified implication of this comment is that concentration on compliance could lead to a false sense of security; and in that sense could be dangerous. “True security,” comments Charles White, founder and CEO of IRM, “is more an alignment of culture, appetite, systems, processes and procedures — none of these have a compliance attainment level. Compliance alone has little or no value in the world of enterprise cyber security because the moment most corporates think they have attained compliance they consider the job done.” It clearly is not.
The second issue is on ‘reporting’, where there is a “clear shortfall in established reporting”. The NCA study makes no mention of General Data Protection Regulation (GDPR), which is perhaps unsurprising following the Brexit, but GDPR if enacted in the UK could force a complete change of attitude.
“I can’t think of one benefit a company would gain by reporting a cybercrime. But this isn’t about the company its about the individual,” says White. With GDPR, “UK plc is no longer being asked politely by authorities to protect citizens’ data or IPR, it’s being told you’ll be fined and named if you don’t.”
Without GDPR or similar in the UK, the current emphasis on protecting the company rather than the individual will continue. With GDPR, new and effective reporting procedures will be required.
The third issue is a lack of boardroom involvement in security. “Cyber crime mitigation efforts within many businesses are hampered,” says the NCA, by “limited board and top management engagement in addressing cyber security and cyber crime challenges.” Improved education is one way forward, but that would require an understanding of the current failings: does the boardroom not understand security, or not care about security?
Both of these questions, suggests Richard Turner, EMEA President at FireEye, would be solved if the board actually considers the potential cost. “Boards need to realize the impact a breach can have on stakeholder value,” he told SecurityWeek.
“A recent study conducted by FireEye & Vanson Bourne, showed that 52% of consumers would take legal action against their service providers if their personal details were stolen or used by criminals in the event of a data breach. This shows the impact this can have on a business and why it cyber security needs to be a boardroom discussion.”
But perhaps the real reason for UK boardroom complacency is the current lack of a really good UK corporate cyber disaster.
“The UK has yet to experience a cyber attack on business as damaging and publicly visible as the attack on the Target US retail chain,” the NCA report says.
This could quickly change. Following the UK referendum on continued membership of the European Union, warns Turner, “it is quite likely that foreign nations with UK interests or dependencies will focus their espionage efforts more fully on the UK to harvest post Brexit intelligence in order to shape their own strategies or responses.”