A report from Cardiff University for the City of London Corporation, supported by the City of London Police, has suggested that new approaches must be adopted by law enforcement to tackle the escalating problem of economic cyber crime.
One of the more controversial points of the report is that victims of cyber crime who fail to take security precautions should be treated as a lower priority by police than others who have acted to improve their own security.
“For some individuals [it is] arguable that they should not receive scarce Pursue policing resources because they have not exercised due diligence on their own behalf”, said the study commissioned by the City of London Police and the City of London Corporation, which runs the Square Mile.
It didn’t take long for Twitter users to share their thoughts on this report’s suggestion:
I don’t agree, do we take the same approach to victims of muggings, burglaries, & other crime? Victims are victims https://t.co/ioVMCKamRk
— BrianHonan (@BrianHonan) October 15, 2015
Dr Mike Levi, Professor of Criminology at Cardiff University and lead author of the report, said: “This report provides new data and analysis around the scale of this activity and offers a comprehensive view of the challenges facing the policing and law enforcement responses. It appraises the success of different approaches to preventing and addressing crime, and presents practical suggestions with a focus on partnership-working, education and awareness-raising, information-sharing across industry, and intelligence-led policing.
“The risks of being defrauded by criminals using the internet will continue to increase unless more is done to protect ourselves and others. As crime changes, so must approaches to its policing.”
Among the report’s more constructive recommendations, it suggests that:
- Citizens should be better educated on the risks of cyber crime, making it easier for them to be protected.
- Organisations should review what they really need to have connected to the Internet.
- There should be greater coordination across police forces and other key bodies, nationally and internationally – including the National Crime Agency, Intellectual Property Office and Trading Standards as part of the wider policing family, as well as international partners.
- Law enforcers should place a greater focus on disruption tactics – such as identifying and shutting down fraudulent websites – over traditional reporting and investigating.
- Existing joined-up approaches to policing economic cyber crime should be built on, prioritising those crimes that, by volume, value, harm and/or severity of threat, and by what is known about the organisation and location of the perpetrators, appear to pose the biggest risk.
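The second recommendation above, reviewing what really needs to be connected to the Internet, is the one point in the list that maps directly onto an engineering task. As an added example that is not from the report or this post, the following Python script gives a first answer for a single Linux host: it parses the output of `ss -tulpn` and flags every listener bound to a wildcard address (`0.0.0.0` or `::`), which is reachable on every interface unless a firewall intervenes. The sample `ss` output is constructed for the example, and the `--live` flag that runs the real `ss` is the script’s own assumption.

```python
"""Added example: a first pass at "what do we really need connected to the
Internet?" for one Linux host. Parses `ss -tulpn` output and flags listeners
bound to a wildcard address. The sample output below is constructed for the
example; pass --live to parse the real `ss` output instead (run as root to see
process names for sockets owned by other users).
"""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=950,fd=6))
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1020,fd=21))
tcp   LISTEN 0      128    [::]:5900          [::]:*            users:(("x11vnc",pid=1400,fd=4))
tcp   LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=700,fd=7))
"""

# Addresses that mean "every interface" in ss output.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Extracts the first process name from users:(("name",pid=...,fd=...))
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        # Bound to all interfaces: reachable from outside unless filtered.
        return self.addr in WILDCARD_ADDRS


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulpn` text into Listener records (header line skipped)."""
    listeners: list[Listener] = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        addr = addr.split("%")[0]  # drop interface scope, e.g. 127.0.0.53%lo
        match = _PROC_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def exposed_listeners(listeners: list[Listener]) -> list[Listener]:
    """Return only the listeners bound to a wildcard address."""
    return [l for l in listeners if l.exposed]


def report(listeners: list[Listener]) -> str:
    """Human-readable summary, exposed listeners first, then by port."""
    rows = []
    for l in sorted(listeners, key=lambda x: (not x.exposed, x.port)):
        tag = "EXPOSED" if l.exposed else "local  "
        rows.append(f"{tag} {l.proto:4} {l.addr}:{l.port:<5} {l.process}")
    return "\n".join(rows)


def main(argv: list[str]) -> int:
    if "--live" in argv:
        # Assumption: iproute2's `ss` is available on the host being reviewed.
        output = subprocess.run(
            ["ss", "-tulpn"], capture_output=True, text=True, check=True
        ).stdout
    else:
        output = SAMPLE_SS_OUTPUT
    listeners = parse_ss(output)
    print(report(listeners))
    print(f"\n{len(exposed_listeners(listeners))} of {len(listeners)} listeners "
          "are bound to all interfaces; justify each one or bind it locally.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample data the script flags SSH, nginx and a VNC server as bound to all interfaces while MySQL, CUPS and the stub resolver stay local. A wildcard binding is only the starting point: whether a listener is actually Internet-facing also depends on host and network firewall rules and on NAT, so the host-side inventory should be reconciled with an external port scan before deciding what to shut off.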
I spoke to Alan Calder, the founder and executive chairman of IT Governance, who said:
“Organisations and individuals are only as secure as their weakest link. Alongside your own security efforts, it’s therefore vital that you ensure your supply chain is equally secure or, in the case of individuals, ensure that your family and friends understand the threat that cyber crime poses. An attack on a single link in a supply chain can have devastating effects further down the line.”
ISO 27001 and the supply chain
Organisations that want to protect their data assets and ensure there aren’t any weak spots in their supply chain should immediately look at ISO 27001.
The international standard ISO 27001 sets out the requirements of an ISMS (information security management system): a holistic approach to information security that encompasses people, processes and technology, and which can be applied throughout the supply chain. Once you’ve certified your ISMS to the Standard you can require that your suppliers do the same, demonstrating to stakeholders, customers and staff that information security best practice is followed. Bear in mind that certification attests to the management system and its controls, not to the absence of weaknesses at any given supplier, so it complements rather than replaces your own due diligence.
Organisations must remember that it’s in their interests to make sure all of their employees practise good information security at home as well as in the office. It’s not uncommon for staff to access corporate networks on their own devices, and if these employees aren’t trained on security basics then they pose a threat. To combat this threat, organisations should provide regular information security staff awareness training programmes that give staff the knowledge they need to remain secure, and encourage them to pass this knowledge on to their family and friends.
IT Governance’s Information Security Staff Awareness E-learning Course aims to familiarise non-technical staff with information security policies and procedures, thereby reducing the organisation’s susceptibility to attack.