Official statistics show that cyber crime is on the rise in the UK, but the size of the problem in the business world is really unknown because not all victim organisations are reporting incidents.
This is for a variety of reasons, including a lack of faith in law enforcement’s ability to help, failure to see how reporting a cyber crime has any benefit, belief that the organisation or incident is too small for police to care, reluctance to admit their cyber defences have failed and concerns that reporting a cyber crime will trigger an investigation that will shut down or hamper business operations.
Mike Hulett, head of operations for the National Cyber Crime Unit (NCCU), which leads UK law enforcement’s response to cyber crime at the National Crime Agency (NCA), says all these reasons are based on misconceptions about the value of reporting a cyber crime and what businesses can expect.
“At the most basic level, there are no incentives to report cyber crime, while in most other kinds of crime, at the very least, there is the incentive of reporting it to the police so that they can get a case number for insurance purposes, although that is changing,” he says, as more organisations take out cyber insurance with companies who typically encourage clients to report whenever they are victims of cyber crime.
Size doesn’t matter
No business is immune from cyber crime, from the smallest to the largest of organisations, and the police want to hear from victims, no matter the size of their organisation.
“We want all victims of cyber crime to report. Who you are and what has happened is going to affect the scale and nature of the response, but there is no cut-off in terms of size of organisation affected. We want everybody to report, regardless of how large or small the organisation,” says Hulett.
As soon as possible
Data breach investigations reveal that some organisations can take weeks or months to discover a cyber attack, but some cyber criminal activities are identifiable immediately, such as distributed denial of service (DDoS) attacks, ransomware and other types of extortion.
The message here is not to delay in reporting cyber criminal activity. “Report as soon as possible, particularly if it is a crime in action. We have much more chance of being able to help and of being able to catch the criminals responsible if the crime is reported to us while it is taking place,” says Hulett.
Yes, but how?
The NCA recognises that it can appear to be a “cluttered landscape” from a business’s point of view in terms of how to go about reporting a cyber crime, particularly as many organisations will have to report personal data breaches to their data protection authority for the first time under the EU’s General Data Protection Regulation (GDPR) and new GDPR-aligned data protection laws in the UK.
But cyber crime reporting is not as difficult as it may seem, says Hulett, adding that a lot has been done in recent months to ensure better coordination and communication in the background once a report has been made, to ensure the most appropriate law enforcement response in a reasonable timeframe.
“While there are different law enforcement agencies involved behind the front door, it doesn’t matter which front door you go through, whether that is the UK's national fraud and cyber crime reporting centre Action Fraud, the National Cyber Security Centre or the local police force. Action Fraud is still the main point for reporting cyber crime, but it is now a 24/7 service either through a call centre or an online reporting tool.
“Previously people have been put off by the fact that it was available only at certain times of the day, but now it is available whenever people have the opportunity to report cyber crime or if a business wants to report a crime in action that is happening very late at night or early in the morning.”
For crimes in action that are reported outside of normal office hours, Hulett says there are methodologies to ensure that cases are referred to the most appropriate agencies. “For crimes in action, we have arrangements in place to refer them directly to the NCA if necessary.” He also advises that in such cases, organisations use the call centre rather than the online reporting tool.
If organisations are being targeted by cyber attacks they believe could be of national significance, they can report such incidents directly to the National Cyber Security Centre (NCSC), but no matter where they choose to report an incident, Hulett says they can rest assured it will be referred appropriately to ensure crimes get the right response at the right time.
“The challenge for businesses is that it is not always obvious whether they are being targeted by criminal or nation state activity, or whether they are merely experiencing some kind of IT issue. No matter where they go to report, there is enough awareness and connectivity behind the scenes to make sure it ends up in the right place,” he says.
An NCSC spokesperson told Computer Weekly that businesses should always report any cyber attacks to the NCSC immediately. “All reports will be dealt with confidentially and the more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim.
“In the event of significant cyber security incidents, we may also be able to provide direct technical support and cross-government co-ordination of response activities.
“Cyber security should be as second nature for businesses as cashing up or locking the doors at night. The NCSC has also published guidance for organisations on improving their cyber security, such as our Small Business Guide.”
OK, but why?
The most basic reason for reporting a cyber crime, says Hulett, is that targeted organisations are victims of crime and as such they are entitled to a law enforcement response. “This alone is a good reason to take what help and advice is freely on offer from law enforcement,” he says.
The NCA appreciates that many organisations are nervous that by reporting an incident, it will receive more publicity than it otherwise would.
“While it is up to the company involved to manage the media where there is a public security breach, they do not have to worry that law enforcement will exacerbate the situation by publicising something that is not already in the public domain,” says Hulett.
“Our goal is also to ensure there are consequences for criminals because cyber crime is still seen as a low risk, high reward environment and we need to change that perception by arresting and prosecuting people, and the more cyber crimes that are reported, the greater our chances of catching the relatively few people out there who are enabling cyber criminal activities.”
A key reason for reporting cyber crime, however, is that it enables law enforcement agencies to gather and exchange better intelligence about cyber criminal activity.
“Even if a company decides they do not want to support a prosecution, there is still value in engaging with us so we can see what has happened to the company and how it has been done to build up an aggregated intelligence picture across a number of incidents,” says Hulett.
“The same approach is used with traditional crime. Most burglars don’t get caught based on evidence at a single crime scene. Typically they get caught because police are able to build up a profile from evidence gathered across several crime scenes.”
What will happen?
Organisations affected by cyber crime are often nervous about what will happen after they report an incident to law enforcement, but Hulett says perception is often different from reality.
The first thing to understand, he says, is that not everyone who reports a cyber crime is going to get an instant response.
Just as with other crime types, Hulett says law enforcement has to prioritise. When it comes to cyber crimes, crimes in action or crimes that meet a certain threshold in terms of attack type, size and impact typically get top priority and will automatically be referred to the NCA, while historical and low-level incidents will be referred to the relevant police force for investigation.
“If for example, a company were to call Action Fraud to report an active ransomware attack in which their systems have been encrypted so that they can’t do anything, Action Fraud would pass it straight on to the NCA’s central TICAT [triage, incident coordination and tasking] team to decide on the most appropriate response,” says Hulett.
The response can be from the NCA itself, one of the regional organised crime units (ROCUs) or the most appropriate police force.
“In a live ransomware scenario, the affected company would get a call from our TICAT team to get as much information as possible about the incident, including details of what systems have been affected and if there has been any contact from those behind the ransomware.”
Although the NCA would prefer organisations to report incidents as a crime to improve the official statistics around such incidents, Hulett says law enforcement will still provide advice to companies on how to deal with incidents even if they do not want to file an official crime report.
However, he says that if a company does not want to report an incident as a crime or support a prosecution, a forensic team will not be sent out.
When companies choose to cooperate with law enforcement, Hulett says whoever has been tasked with the incident will engage with the company to find out who the key employees are and where the firm’s hardware is located so that the affected systems can be imaged to capture whatever evidence is available in the least disruptive way possible.
“We fully recognise that they are victims of crime and that companies’ priority is to get their business up and running as soon as possible so we try to deal with that as sensitively as we can, but at the same time businesses need to understand the importance of imaging servers as soon as possible before the evidence is gone.”
Businesses also need to understand that cyber crime investigators will only image their systems to capture evidence, but will not do things like rebuild affected systems or install new servers.
“If those behind the ransomware have contacted the targeted organisation, it opens up the opportunity for law enforcement to engage with them covertly to try to work out who they are with a view to identifying and arresting them to face prosecution,” explains Hulett.
Another concern is that by reporting a cyber crime to law enforcement, organisations lose control over when and how the incident is made public or brought to the attention of regulators, which can also make them hesitant to answer questions from law enforcement about how their systems work for fear of exposing a lack of security controls.
“We will not go public about an incident or share any information with regulators that is not already publicly known about, but we will advise them to report to the appropriate regulators as soon as possible and we will advise them when it is appropriate to warn customers of a potential breach because they may be subject to direct or secondary fraud, but ultimately it is the company’s decision,” says Hulett.
Ticking time bomb
Although there may be circumstances when investigators will want to delay going public so that they can glean as much information as they can before alerting the criminals, he says that wherever customers are affected, it is a “bit of a ticking time bomb” for the company involved. “Most companies are tuned in to the fact that they have to go public because of the huge potential reputational damage if they are seen to be trying to cover something up.
“If a company delays going public, the moment affected customers start tweeting about it, the company loses control, so there is a very narrow window in which boards have the choice about whether to say something or not.”
Beware of social engineering
In terms of general advice based on the types of investigations the NCA is doing, Hulett says organisations should not underestimate the power of cyber criminals to use social engineering techniques to get the information they need to breach cyber defences.
“Good cyber defences are easily undermined by the compromise of the logon credentials of IT administrators and other employees either through bad password practices such as using a single username and password for several accounts or through social engineering attacks.”
Once cyber criminals are able to get legitimate credentials, Hulett says they can use them to compromise business email accounts to commit crimes and to thoroughly explore company networks without detection to gather information about the company, its employees and its data assets before carrying out an attack.
Despite increases in cyber crime, he says the NCA is also seeing a growing number of companies who are good examples. “Those companies that get it more right than wrong tend to view cyber security as a continuum rather than something that is reviewed only on an annual basis.
“More organisations are also waking up to the fact that physical security and personnel security are linked to cyber security and that there is no point in doing all these things separately,” says Hulett. There is also a growing number of companies that have cyber insurance to help cover the costs of recovering from a cyber attack and getting systems back up and running again.
“Cyber insurance is growing in popularity, and if it is something that encourages general good cyber security practice and increased cyber crime reporting to law enforcement, then we would support that, but companies need to ensure that cyber insurance does not result in a false sense of security and that they are doing everything that they can to prevent a cyber attack and to recover if one occurs.”
Another positive trend, says Hulett, is the growing awareness of the importance of ensuring cyber security throughout the supply chain. “Businesses are increasingly realising that it is not just their own cyber security that they need to take into account, but also the cyber security of their partners, as demonstrated by the NotPetya attacks in 2017 when companies three or four stages removed from the original company targeted by the malware were heavily impacted.”
The growing number of high-profile cyber attacks in the news, says Hulett, means people are more aware of what can happen, which is having a positive effect on companies’ understanding of the importance of investing in appropriate cyber security.
“Companies’ behaviour is improving, and the GDPR [General Data Protection Regulation] is likely to help even further with that because companies that previously have not given much thought to data protection are now starting to pay attention.”
As a parting warning, Hulett says companies should ensure that their backup systems are not vulnerable to the kind of attacks that make them necessary, citing the example of one UK company that was downed by a malware attack but was unable to restore its systems because the malware attacked Active Directory so the company was unable to access its data backups.