6 minute read
HOW CAN WE ADDRESS THE UNDER-REPORTING OF CYBER-CRIME?
Simon Newman, head of Cyber and Business Services at the Police Crime Prevention Initiatives, discusses the reporting, or under-reporting, of cyber incidents and reducing the vulnerability of organisations to cyber crime and fraud
Cyber crime is one of the biggest threats to the security of the UK. Categorised as one of four high priority areas within the government’s National Security Strategy, the threat is constantly evolving, affecting millions of individuals and businesses alike. Yet despite the efforts of government to raise awareness about the importance of good cyber security, the problem continues to grow, accounting for just under half of all crime according to recent data published by the Crime Survey for England and Wales (ONS). While this figure is alarming, of even greater concern however, is the fact that only a fraction of these crimes are reported to the authorities. For example, in 2019, there were approximately 4.6 million incidents of cybercrime and fraud over the previous 12 months but only 338,00 of these were reported to Action Fraud – just seven per cent of the total. This compares to 17 per cent of sexual assaults being reported to the police, 30 per cent of thefts and 60 per cent of burglaries. So why does cyber crime suffer so poorly from under-reporting when compared against other forms of crime?
At the Police Digital Security Centre (PDSC), we regularly speak to victims of cyber crime and ask them about their experience. What we consistently find among the business community in particular, is that speaking to the police about it is not a priority. One of the main reasons for this is that businesses face a number of competing demands for their attention when they suffer an attack or breach. For some, lawyers will be the first people they call, particularly if there is a risk that personal data has been compromised. Others will prioritise customers, staff and suppliers. Business owners may also have to think about speaking to their insurers, their bank or their Managed Service Provider. As a result, the police are often an afterthought.
The global nature of cyber crime is another factor and presents a number of unique challenges for the law enforcement community. Investigations are time-consuming, complex and require specialist skills and knowledge that are in short supply. Despite every force having a dedicated cyber crime unit, the sheer volume of cases means that forces have to triage and prioritise the most serious offences, leading to a lack of confidence in the police being able to deal effectively with the overwhelming majority of cyber crime. When looking at the conviction rate of cyber crime, which currently sits below one per cent, it is entirely understandable that many individuals and businesses affected by cyber crime ask themselves when it comes to reporting it, whether it is worth it.
As an example, I recently took a call from a small business owner who had been the victim of a phishing attack which had resulted in her systems being compromised by an external attacker. While the owner was reasonably confident that no-one had suffered any financial losses as a result of the breach, she was understandably concerned about the impact it could have on her reputation and future business growth. Disappointingly, she had decided not to report it to Action Fraud because she felt the chances of bringing the offender to justice were very slim and that her immediate focus was on getting her business back and up running again.
Another reason concerns the perception of the seriousness of the crime by the victim. This is a factor that causes under-reporting in other crime types and is undoubtedly a factor here. For many victims of cyber crime, the impact may appear to be relatively minor and below what they would consider serious enough to report it to the police. There is also the possibility that some people feel embarrassed by falling victim to certain types of cyber crime, particularly in cases involving romance scams or sextortion. A sense of shame or fear of being humiliated can lead to victims trying to deal with the fallout themselves, often with a significant impact on their mental health and well-being.
There are also some interesting studies about how demographic factors affect crime reporting. For example, younger people, who are statistically most likely to be a victim of a crime are the least likely age group to report it. Some commentators have even suggested that cyber crime is ‘just one of those things’ that young people expect to become a victim of.
WHAT CAN BE DONE TO ADDRESS UNDER-REPORTING?
The police and government have worked hard and had some success in addressing this issue in other crime areas and it would be sensible to apply those lessons here. Raising awareness about why reporting is important is a good first step.
The higher the number of incidents we know about, the greater our understanding becomes of the nature and scale of the problem. It can help inform policy makers, enabling them to develop effective responses to new and emerging threats. Higher reporting rates can also help us better understand the effect cyber crime has on victims.
Raising awareness is also important in terms of managing the expectations of the public, particularly in relation to the role of Action Fraud, the centralised reporting centre for fraud across England, Wales and Northern Ireland. As a reporting body, it has no investigative capability – yet this distinction is often misunderstood. Public dissatisfaction with Action Fraud is clearly a factor in the low number of incidents reported to them. A rebranding of Action Fraud to become a ‘National Fraud and Cyber Crime Reporting Centre’ is one suggestion that might help overcome confusion about its role.
There’s also more we can do about victim care. While the investigation of every allegation of fraud and cyber crime isn’t operationally feasible (which may be due to the complexity of the crime or the location of the offender), there are some big gaps in victim support at a local level, with much of the investigative capacity focused at a regional or national level.
A recent study by the Institute of Criminal Justice Studies at the University of Portsmouth, found that ‘computer misuse crime has similar, and in some cases a worse impact, than comparable traditional crimes such as burglary’. A review of the current landscape, including the training given to frontline officers would help build confidence and encourage a greater numbers of victims to report cyber crime to the police.
Finally, the private sector also has an important role in encouraging people to report crime. The banking community and insurance sector in particular have worked hard to promote the importance of good cyber security among their customers. Taking this one stage further in helping their customers understand the importance of reporting incidents would help engender a cultural shift in reporting.
In summary, the growth in cyber crime and the evolving threat from criminals seeking to exploit new technology means that it will continue to be among the top two or three crime types for the foreseeable future. While much of the focus is rightly on prevention by encouraging individuals and businesses to take responsibility in reducing their vulnerability, the police must be more joined up and work closely in partnership with others to improve the experience for victims of cyber crime. If it doesn’t, to use a phrase from the Home Affairs Select Committee Policing the Future report (2018), ‘Policing is at risk of becoming irrelevant’.
FURTHER INFORMATION
www.policedsc.com
