On 7 July 2016 the National Crime Agency published its “Cyber Crime Assessment 2016 – need for a stronger law enforcement and business partnership to fight cyber crime”.

In this article, Neill Blundell, Head of the Fraud & Investigations Group at Eversheds and Jason Williamson, Eversheds Associate, consider (i) the growth in cyber crime, (ii) the challenges business face as a consequence and (iii) the practical steps businesses can take to enhance their defences against cyber-criminal activity. 

Cybercrime – tackling the invisible threat

Tackling cyber crime has leapt to the top of the corporate agenda in recent years as the opportunities for cyber-enabled fraud continue to increase. The rapid pace of technological change has not been met by concurrent improvements in law enforcement’s ability to investigate and prosecute cybercrime effectively. The rapid pace of technological development has been mirrored by the rise of cyber crime as a commercial threat to organisations and individuals. This cyber arms race is only likely to accelerate so long as cyber criminals are able to outpace UK law enforcement in enhancing their technological capabilities.

As law enforcement activity has been curtailed by austerity, the threat posed by cyber crime and cyber criminals has accelerated. This is evident from the figures: the National Crime Agency (NCA) estimated that, in 2015, there were over 2.46 million cyber fraud incidents affecting 2.11 million victims in the UK. Of that number, only 700,000 cyber incidents were reported to Action Fraud in the same period.[1] This impact is estimated to cost the UK economy – and UK corporates – billions of pounds per year.

The Growing Threat

Internet usage has grown at a rapid pace: the internet was used daily or almost daily by 82% of adults (31.8 million) in the UK in 2016, compared with 78% in 2015 and 35% in 2006.[2]The rapid expanse in the way people can access the internet has contributed to this development: in 2016 21% of adults used a smart TV to connect to the internet and 70% used a mobile phone or smartphone to access online content – an increase from 66% in 2016 and double the 36% of adults in 2011.[3]

This movement towards the internet economy has also seen more of our daily activities move online – whether that be buying or selling goods or services or accessing internet banking services. Between 2007 and 2016 the number of adults using the internet for online banking has doubled (30% to 60%). Interestingly, the growth in internet usage appears to have been met by an advance in the number of people willing to provide personal, contact and payment details online: it is estimated that more than 80% of people aged 25 to 54 have provided personal, contact or payment details online at some point in 2016.[4]

It is with this background in mind that it becomes clear how cyber crime has increased at the pace it has: the growth in internet usage for business and personal admin has expanded the opportunities for cyber criminals to access sensitive and personal data. As a consequence, the private sector has been forced to play policeman to combat the growing cyber threat. In recent years, data security breaches at major companies, such as Sony and TalkTalk, have signalled the strength and adaptability of the cyber crime threat. INTERPOL said:

‘Policing, especially in cyberspace, is no longer the exclusive preserve of law enforcement. The private sector, academia, and citizens themselves all need to be involved.’[5]

There has been an uptake in firms turning to alternative remedies – such as private prosecutions – to deter criminals from abusing and manipulating company systems.

This approach is necessitated by the mounting skills and sophistication of international crime groups and their competence in cyber crime. A significant number of the cyber criminal threats businesses face are from individuals or groups acting abroad, but have industrialised their activity in a way that allows them to operate across borders. As cyber criminals expand on their capabilities and reach, so too must corporates in creating robust policies and procedures to combat the threat.

Challenges for business in fighting cyber crime

Corporates must ensure that the tracking and investigation of fraud is consistent, losses from cyber fraud are properly calculated and cyber crime is appropriately reported. The NCA’s Cyber Crime Assessment 2016 identifies a number of challenges businesses face from cyber crime:

1. Security – businesses cannot avoid cyber crime altogether: no institutions, no matter their size, the extent of their resources or personnel, are risk-free. All institutions are vulnerable to determined attacks by sophisticated criminals and must develop tools and techniques to combat the threat.
2. International Reach – cyber crime does not recognise borders.
3. Technological evolution – solutions to new threats need to be developed as fast as criminals are able to identify new opportunities.

In addition to this, a significant concern of businesses will be that domestic and foreign regulatory scrutiny of systems and controls to tackle cyber crime will become more focussed.

Addressing the cyber threat

There is no simple solution that can completely eradicate the risk of cyber crime, but businesses can ensure they have robust systems and controls to deter or identify as early as possible any cyber risk. There are five key points businesses should consider when implementing a cyber crime strategy:

1. A Compliance Approach – the cyber risk should be a strategic priority for the Board. Firms often find that limited resourcing and investigation capabilities are exacerbated by the lack of top management engagement. By implementing a ‘compliance approach’, led by senior management, that deals with any threats as they emerge, firms will be better placed to tackle the cyber threat, and demonstrate to regulators that they have the procedures in place to do so.
2. Testing Defences – a systematic and robust plan for testing cyber crime defences should be put in place. Testing should be focussed on a corporate’s resistance to cyber threats, but also its ability to mitigate any damage caused from cyber-attacks.
3. Co-operation with law enforcement – the under-reporting of cyber crime remains a serious problem – it often means that cyber crime activity is also under-investigated by corporate victims. This approach has a direct impact on corporate risk management and it is important that firms forge a new partnership of co-operation and information sharing with law enforcement agencies.
4. Education – regular training should be provided to employees on cyber risks and how to tackle any cyber threat. The under-investigation of threats is often a direct result of the lack of expertise or resource.
5. Pro-active – corporates should not only have robust defences, but should be pro-active in deterrence too. There are a number of options available that businesses can use to challenge cyber criminals, including private prosecutions, civil action, or reports to law enforcement. Corporate victims should utilise the full armoury of tools available to them to hold cyber criminals to account and deter further activity.

Dealing with the invisible threat now

Cyber crime is an attractive prospect to cyber criminals which can result in significant profits with a relatively low risk of being caught. Technological development will only mean that the cyber threat will continue to evolve – corporates should take action now to ensure defences are robust, policies and procedures are clear, and that they are pro-active in challenging the cyber threat.

[1]                 Cyber Crime Assessment 2016 – need for a stronger law enforcement and business partnership to fight cyber crime, page 6

[2]                 ONS

[3]                 ibid

[4]                 ibid

[5]                INTERPOL 22 January 2016