A recent report from the Fraud Advisory Panel discovered that victims suffer an average loss of £101,000 to cyber-fraud; yet a staggering one in three cases are not passed on for further investigation.
Naturally, the police and governments have a role to play, but to put all the blame on them by default is unfair. Businesses need to be doing more to support them – especially as they will be held more accountable through new legislation like the General Data Protection Regulation.
While police and prosecution services need to continue to evolve and keep up with the changing face of high-tech crime, we need to give them a chance. Governments and police will always need time to adapt to fast-moving technology, which is why businesses and organizations need to support them.
Most fraud is fuelled by increasingly sophisticated technology, and as a result more advanced technology is being deployed by organizations in an attempt to combat this. Yet we are losing the battle through these technologies not being managed or implemented effectively. There’s almost always sufficient information and intelligence held on computer systems and networks to alarm and detail fraudulent activities. However, this information is often not collected or acted on quick enough. That’s unacceptable.
The security industry is broken
UK organizations are battling a huge rise in cybercrime, with it doubling year-on-year from 2014. One in ten people have now fallen victim to cyber-fraudsters who are more motivated than ever and the rise of connected devices has opened up the attack surface area, so finding gaps in security is far easier. On top of that, the value of personal data is on the rise, and motivations are shifting beyond just financial gain so the variety of sectors being targeted is widening.
Yet despite the rocketing levels of cybercrime and fraud, on average there is only one conviction a month related to cybercriminal activities. The high rewards and the relatively low risk of punishment are exactly why more and more criminals are moving into the digital realm.
Businesses need to be doing more
When the GDPR comes into force on 25 May 2018, rules that go above and beyond many of the contractual duties outlined in existing company agreements will be introduced. At the moment, service providers that process personal data on behalf of other businesses are not held directly liable for a breach of security, but that is soon to change.
While the regulation is a step towards change for the better, many organizations just aren’t prepared. The GDPR requires companies to improve logging, alarming and authentication processes, and notification of the supervisory authority of any breach of personal data within 72 hours; failure to comply with the GDPR rules will result in hefty fines.
Managing your security
If companies and organizations managed their security properly, then the job of the police and the Crown Prosecution Service would be a lot more straightforward. The frustrating thing is that most companies have purchased expensive technology from the IT industry, but are just not managing it properly. We find that there’s nearly always sufficient information and intelligence held on computer systems and networks to alarm and detail fraudulent activities. However, this information is often not collected and acted on in the right way.
Data used properly and professionally, acted upon quickly and then preserved as evidence, will reduce the amount of pain victims of fraud are currently experiencing. Recently we had an unexpected request from the FBI asking if a user on the internet had accessed a computer three years ago. The wheels of justice turn slowly, but because we had archived the firewall logs properly, we were able to give them the information they wanted within two hours. Allowing those wheels to continue to turn, and helping justice be served.
This wasn’t difficult. We just managed the security properly. We didn't do anything that a properly trained and managed security engineer would have done if they had been properly funded.
With hundreds of people losing their savings and having their lives wrecked by fraudsters, it the least we can do.