The joint assessment by the National Crime Agency (NCA) and the Strategic Cyber Industry Group (SCIG) describes the real and immediate threat to UK businesses from cyber crime concludes that “the speed of criminal capability development is currently outpacing our response as a community and that only by working together across law enforcement and the private sector can we successfully reduce the threat to the UK from cyber crime.” The annual assessment by the NCA Strategic Cyber Industry Group, Cyber Crime Assessment 2016, makes chilling reading. 

Cyber crime activity in the UK in 2015

The report found:

• a cyber crime industry and infrastructure: “Although the most serious threat comes, directly or indirectly, from international crime groups, the majority of cyber criminals have relatively low technical capability. Their attacks are increasingly enabled by the growing online criminal marketplace, which provides easy access to sophisticated and bespoke tools and expertise, allowing these less skilled cyber criminals to exploit a wide range of vulnerabilities.”
• the Office of National Statistics reported in a trial inclusion of cyber crime in the annual Crime Survey for England and Wales for the first time that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the UK in 2015. (They have evidence that this is massively under reported.)
• the skills and sophistication of international crime groups make them the most competent and dangerous cyber criminals targeting UK businesses and they are getting better. They are responsible for they use and sale of sophisticated financial “trojan” malware
• a significant number of technically competent cyber criminals are active in the UK, engaging in much of the confrontational cyber crime and are now targeting business and other organisations and the public
• almost all large companies and a substantial majority of smaller companies have experienced a data breach
• technological advances, including the widespread use of anonymisation tools, and constantly improving criminal operating methods have made many corporate cyber security tools and basic procedures insufficient alone to protect corporate networks. Criminal adoption of encryption has also become a challenge for law enforcement when tackling specific threats
• UK not encountered visible damage and losses have not (yet) been large enough to impact long term on shareholder value.

Challenges for business in fighting cyber crime

The assessment reported that cyber crime is intrinsically challenging for business, as:

• perfect security is almost impossible. Almost all organisations, no matter how much money and effort they put in, are vulnerable to determined attacks by high-end crime groups which have developed tools and techniques that can penetrate all but the very best defences.
• it is an international activity – paying no heed to borders. UK-focused efforts (by both business and law enforcement) can only be part of the solution.
• the technical challenges are evolving at a rapid rate. Solutions that may have worked last year may not necessarily work this year or next.

Joint effort needed by businesses, law enforcement and government

The report quoted Interpol who on 22 January 2016 issued this statement: “Policing, especially in cyberspace, is no longer the exclusive preserve of law enforcement. The private sector, academia, and citizens themselves all need to be involved.” which sums up the basic conclusion of the report: more co-operation all round is needed to fight cyber crime.