“E-crime is the biggest emerging threat to the retail security as the rapid growth in e-commerce in the UK sees new ways of shopping being accompanied by new types of crime … the British Retail Consortium … estimates the total cost to retailers in 2011 – 12 was at least £205.4 million. That includes £77.3 million in losses from frauds themelves as well as prevention costs and legitimate business lost as a result of those measures … ”
“Estimated losses in revenue experienced as a result of legitimate business being rejected through on-line fraud prevention measures came to £111.6 million in 2011-12.”
That is more than half the total cost and puts some of the e-crime data, at long last, into perspective. Another finding was that e-crime cost double the percentage of on-line turnover (0.75% out of £28 billion) as it did of overall turnover (0.36% out of £303 billion). Given that on-line margins are commonly much tighter that is serious. But the doubling of cost appears to be mainly due to the effect of intrusive on-line security rejecting attempted sales. [I know the feeling … I have walked away from at least as many sites as I have shopped at].
Yesterday I submitted a submission to the Home Affairs Select Committee Enquiry into e-Crime. A key message was that we still have no better idea of what is “really” happening than we had at the start of Eurim-IPPR study. All of the 50 or recommendations from that study had consensus support. Most appear somewhere in the action plans to implement the current UK strategies for Cybersecurity and “Fighting Fraud Together”. But few have yet been prioritised and resourced, let alone implemented.
In my submission I contrasted the claims of £27 billion of “losses” in the Detica “report” for Cabinet Office with the demolition job by Ross Anderson and others. The latter compared criminal earnings in the $millions with security spend in the $billions. In the BRC report the biggest “cost” is, however, the abandoned transactions. You should also read the BRC recommendations, including those in their paper on Future Challenges and compare these with those in other reports. .
The BRC recommendations are a polite way of saying that we need to make senseof the dozens of competing initiatives being organised by those (ingovernment and law enforcement as well as professional bodies, tradeassociations and clubs of vendors and consultants) who can spotpotential bandwagon customers from the far side of a mix of jungle and swamp.
Yesterday,before submitting my evidence to the Select Committee, I discussedways forward with the new industry chairman of the Digital Policy Alliance (which is taking over the work I organised when I was Secretary General of EURIM).I have passed him my files and he is arranging for an intern to usethese to expand a recent whiteboarding exercise (organised as part ofthe planning for the DPA programme) into a full “map” of the variousinitiatives. The idea is to arrange an “audit” to identify which are ofinterest to industry players who are serious about protecting themselvesand their customers – as opposed to building regulatory, compliance orother empires or selling yet more security snake-oil.
On 10thSeptember there is due to be a joint meeting of PICTFOR and the DPA toreceive a presentation of a recent survey of the views of theInformation Assurance Community on what is currently happening.Hopefully things are now in train for a series of announcements,beginning on 17th September, covering industry-led exercises that will startthe process of draining the swamp so that business gets much bettervalue from its spend on security, whether that spend is direct or out of the taxpayers money being spend by lae enforcement and central government. I will blog on some of the initiatives over the next few days, after we have sent invitations to the EURIM/DPA members who will have priority at the launch events. As yet DPA membership remains that same as for EURIM, including the “try before you buy” routine for an individual membership which can be credited against a corporate upgrade