The NCA Strategic Cyber Industry Group has released its first Cyber Crime Assessment today. It contains a stark warning that: “..criminal cyber capability currently outpaces the UK’s collective response to cyber crime.” It is a warning that should act as a wake-up call for a lot of businesses.
According to Jamie Saunders, Director NCA National Cyber Crime Unit: “This is the first time the NCA has released a joint assessment with industry on cyber crime, and it is a good example of the collaborative approach between business, law enforcement and government that we need to cultivate and strengthen if we are to succeed.
“I hope that senior members of UK business, and not only those involved in the protection of their IT systems, take note of its contents and think seriously about ways that they can improve their defences and help law enforcement in the fight against cyber crime.”
Two types of cyber crime
At 16 pages, this is an easy report to read and take lessons from. It defines two separate types of cyber crime:
Cyber-dependent crime: These crimes can only be committed using IT. Examples are the use of malware to steal user credentials and intellectual property. It also includes attacks such as ransomware designed to hold company and personal data hostage.
Cyber-enabled crime: Traditional crimes that IT makes easier and faster to commit. Examples include fraud, selling illegal items such as drugs and guns, as well as child sexual exploitation.
A major rise in cyber crime
Using numbers from the Office of National Statistics (ONS), the report shows an alarming situation in the UK. For example:
- 2.46 million cyber incidents
- 2.11 million victims of cyber crime
These are disturbing numbers. The report says: “These figures highlight the clear shortfall in established reporting, with only 16,349 cyber dependent and approximately 700,000 cyber-enabled incidents reported to Action Fraud over the same period.”
To make matters worse, fewer than 200 data breaches were reported to the Information Commissioner’s Office in 2015. Irrespective of whether the UK eventually stays in or leaves the EU, it will still have to deal with GDPR, which will introduce a legal requirement for data breaches to be reported. This should lead to more accurate data on the impact of cyber attacks.
Ben Harknett, VP EMEA, RiskIQ commenting on the report said: “There are numerous forms of cybercrime making up those 2.64 million incidents. Research we carried out at RiskIQ revealed that malvertising, as just one of those, jumped up over 300 percent year on year between 2014 and 2015 following a string of major publishing sites such as Forbes.com, Huffington Post and The Daily Mail being exploited by malvertising campaigns.
“We live our online lives ‘in the moment’ and although most people know better than to click on a link from an unknown source, malvertising attacks are disguised as trusted brands on trusted websites and so by their nature are much more difficult for a consumer to spot.”
Criminals targeting everyone and every size of business
One of the key points from this report is that this is not just about targeting large enterprises. The UK has a large and growing SME market. This ranges from people going self-employed and selling their services to larger enterprises, to one of the fastest growing start-up markets in the world. Criminal gangs see value in attacking both groups. SMEs selling their services to larger companies are often poorly secured. This makes them easy targets, and once they are compromised the criminals use them as a stepping stone to attack their larger customers.
In the case of start-ups, attacks are more devastating. Stolen intellectual property is sold on to companies that are able to get to market very quickly. This means that many start-ups fail to survive a cyber attack. As many of these companies don’t have the resources to patent their work, it can mean the end of their business.
Attacks against individuals are still a key focus of many cyber criminals. Individuals are seen as the weak point in corporate security. Many fail to have proper security on their home computers, making them an easy target, and many use their own computers for work. This means that infected machines are taken into the office, where they then spread the malware throughout the enterprise.
Cyber criminals are more sophisticated than defenders
Attacks on the UK are being carried out by what the report calls “the most competent and dangerous cyber criminals”, who are employed by international crime groups. They have “industrialised their criminal activity”, deploying “their own call centres, specialist skills and translators.” In effect they run their multi-national operations more efficiently than many of the businesses that they target.
This situation is well accepted across the security industry but not by enterprises and organisations. The perception there is still one of disaffected spotty youths in their bedrooms or nation state attacks that only target very large enterprises and governments. This report makes it very clear that those views need to change saying: “Cyber crime activity is growing fast and evolving at pace, becoming both more aggressive and technically proficient. As such it is a major and growing threat to UK businesses.”
This disconnect between business and the reality of the cyber threat is shown in the US GAO report on connected cars. It asked about the risks from criminals attacking the remote control mechanisms used in cars. 66% said it was too complex, time consuming and costly for criminals to do this. That response completely ignores the collaborative nature of the cyber criminal threat and the skills criminals share with each other.
In another example of the seriousness of the threat the report says there is a: “..significant number of technically competent cyber criminals active in the UK, engaging in much of the confrontational cyber crime now targeting business and other organisations and the public.”
Where next for companies?
This report pulls no punches. The Strategic Cyber Industry Group calls out five obstacles within businesses to improving risk mitigation:
- Limited engagement by boards
- “Box-ticking” approach to cyber security
- Limited expertise
- Under-investigation
- Under-reporting
These are not the only issues for boards. Bola Rotibi, Research Director, Creative Intellect Consulting told us: “Many enterprises see the investment in cyber security as a one off cost. There is little understanding that it has to be a big ticket item every year. It takes time to reshape a corporate cyber security posture and get an enterprise policy in place. This means they run out of money just as they are beginning to see results.”
There is also a belief that being compliant with industry regulators means companies are cyber secure. At the Security Culture conference in Oslo in June, Rik Ferguson, Vice President Security Research, Trend Micro told the audience: “Compliance does not equal security. Effective security is layered security with each layer built in the assumption the previous layer will fail.”
What is the government doing?
The UK government has committed £1.9 billion to bolster the UK’s cyber defences over the next 5 years. This is part of the 2015 Strategic Defence and Security Review. From a law enforcement perspective, the report calls out four things they are doing:
- Cyber attacks targeted at UK victims: increasing the reporting of cyber crime, supporting victims and increasing the take-up of protective security
- UK-based cyber criminals: making the UK a high-risk country for criminals to host and perpetrate cyber crime
- International cyber criminals and groups: identifying, prosecuting and disrupting the most significant cyber criminals worldwide
- The enabling international cyber crime marketplace: degrading the criminal marketplace, undermining the profitability of the cyber criminal business model and raising the barrier to entry and operating for cyber criminals
This is not a problem that businesses or government can solve in isolation. It requires a strategy that means companies and government have to work together. In the report it says: “What is needed is a partnership approach to mitigating threats and identifying and disrupting criminals. Closer working between law enforcement and business to identify and arrest serious ‘upstream’ cyber criminals will protect businesses, stop future attacks and reduce the threat.
“Cyber crime response should therefore be treated as a strategic priority and include a stronger public-private partnership to investigate, report and combat cyber crime.”
Conclusion
This is a report that needs to be widely shared at board level as well as across an organisation. It is important that companies address the obstacles identified. While they are nothing new, perhaps this report can get company boards to react. At the end of the report are seven things that companies can do now to start addressing this problem.
Cyber crime is here to stay. How badly it affects a company depends on what that company does to mitigate the threat.