There were just 47 prosecutions for hacking under the Computer Misuse Act in 2017, claims UK legal firm RPC. That is 18% lower than in 2016 and the second year in a row that the number of prosecutions has fallen. Compare this to the 1.7 million cyber-related crimes in the UK last year and this is a woeful state of affairs.
Bringing a successful case for hacking is not simple. Cyber security teams responding to an attack are not thinking about the forensic requirements of a court case. They want to get systems up and running and kick the hackers out of their system. This is why the National Crime Agency set a forensic test for the latest Cyber Security Challenge F2F.
The police also struggle to assist with this problem. They lack the resources to deal with the scale of cybercrime. In April last year, the National Cyber Crime Centre announced a new cyber incident prioritisation framework. It is intended to direct resources to where they are best used. The problem is that it exacerbates the lack of resources to support SMEs who are attacked.
Compounding all of this is the problem of applying UK law to hackers from abroad. In many cases, the UK struggles to extradite the hacker. If Brexit happens, the comments from Europol about reducing crime sharing and cooperation will make this worse.
Richard Breavington, Partner at RPC says: “Police forces are doing their best with the resources they have but the scale of the problem means businesses cannot necessarily rely on the police to really help them when there is a cybercrime.”
“There will have to be some radical changes before businesses can start depending on the law enforcement agencies rather than private industry, including insurance, to help them if they have suffered from a cybercrime.”
Cyber insurance, data breach services and cyber resilience
Jake Moore, Cyber Security Specialist at ESET UK commented: “Having investigated cyber crime for the police for many years, I know fully well how difficult it is to prove beyond reasonable doubt when it comes to digital offences. Sadly there are a plethora of tools to help equip a hacker with anonymising their whereabouts or identity online.
“Breaking encryption and investigating incognito IP addresses can take a very long time – if at all sometimes – and the cyber criminals around the world are fully aware of this and take advantage of law enforcement being on the back foot.”
This is why companies are investing in cyber insurance and data breach services such as RPC’s ReSecure service. RPC ReSecure steps in when a breach has occurred and helps to deliver the technical forensic support that is needed.
Data breach services also fill a significant gap in the cyber incident plan. The General Data Protection Regulation (GDPR) requires companies to report breaches. Many don’t know what to report or how to report. If a company operates in multiple countries, reporting can be onerous and extensive. Building this knowledge in-house is not simple.
It is the same with reputation management. Organisations believe that their Public Relations and Corporate Communications teams will deal with the press. What they don’t realise is that they need support when it comes to media training and dealing with social media.
Organisations often think that Disaster Recovery plans will cope with a cyber incident. They rarely do and they don’t deal with the forensic investigation or preserving of evidence. They also fail to understand the size of many attacks and are not practiced. This has led to the creation of cyber resilience plans and services. In a recent podcast with Felicity March who works at IBM, she explained what cyber resilience was.
What does this mean?
There is no evidence to suggest that hacking prosecutions are increasing in 2018. A check of several Crown and High Courts using The Law Pages shows little in the way of Computer Misuse Act prosecutions. This reinforces the belief among hackers, UK and overseas, that they are not going to get caught.
For organisations such as the NCA, which has several programmes to deter hackers, this is disappointing. However, there is hope. The NCA Prevent programme seeks to identify people who are drifting into cybercrime and persuade them to stop. It is aligned with other programmes that are trying to redirect curiosity and skills to a legal career. Given the huge skills gap in cyber security, salaries remain high and will do so for some time. This means that there is ample opportunity for those who want to become ethical hackers or computer forensic experts, or to take up other cyber security related jobs.
According to Moore: “We need to turn around our culture to cyber security and remember that it is always better to prevent proactively than respond reactively. The threat from cyber and online attacks is increasing all the time as cyber criminals find innovative new ways to target organisations and individuals all the time. It’s imperative to consider the loss of trust from your customers should you ever get hacked. Personal information such as phone numbers, addresses and credit card details can be stolen in seconds but take years to rebuild that customer confidence.”