Only fall of global firm will shake up cyber security

It will take a major global company going down in the wake of a cyber attack to really shake up information security, says police chief

It will take a major global company going down in the wake of a cyber attack to really shake up information security, according to City of London Police commissioner Adrian Leppard.

This is evidenced by the fact JP Morgan has doubled its information security budget after it was hit with a breach in August 2014, along with several other banking institutions.

“Loss of trust in a large multi-national is probably the only thing that will make governments do anything radically different,” Leppard told a NEDForum summit in London.

But, he said, this was not a criticism of the UK government, which is doing “all it can” with investment of nearly £1bn in support of a national cyber security strategy.

“We really could not ask more of the UK government, yet cyber crime is getting worse not better, which means we have reached the point where everyone has to take responsibility,” said Leppard.

It is becoming clear that governments are no longer able to protect citizens in the same way as they did in the past, he added, with criminals able to strike from anywhere in the world.

The UK, and London in particular, is also one of the most highly targeted countries in the world because it is one of the largest global economic centres, with many financial institutions.

Leppard said: “It is clear that although we are getting better at dealing with cyber crime, law enforcement with scale cyber crime society is facing. We are never going to enforce our way out of the problem.

“The only way we are going to be able to deal with cyber crime properly is by everyone improving their crime prevention capabilities in combination with increased action business and industry."

According to Leppard, law enforcement organisations around the world are now looking to partner with business and industry to help them to protect the global economy, because they hold all the critical data.

In the UK alone, some estimates put the cost of cyber crime at £27bn a year. But Leppard said the value of reported cyber crime comes nowhere near this figure.

UK police forces estimate only a fraction of cyber crime is reported. 

“We believe we see only about 20% of all cyber enabled fraud, only 20% of these reports can be followed up and only 20% result in successful prosecutions,” said Leppard. "The way forward is partnership with business and industry."

Police pursuing closer relationship with business

UK police, including the National Crime Agency’s National Cyber Crime Unit, are actively pursuing a closer relationship with business.

We need to be able to gather and share threat intelligence quickly, but that depends on better reporting

Adrian Leppard, City of London Police

“We are also discussing ways of encouraging industry to increase the level of reporting – whether this is about providing easier electronic means for doing so or if legislation is needed,” said Leppard.

“Finding the right approach is a huge challenge facing policy and law makers, and this is something the police are discussing with government.

“But all governments shy away from legislation that could potentially stifle legislation. I am advocating that we have a rigorous debate about how best to encourage people to do the right thing.

“The answer may lie in regulation or legislation, but I think the answer is more likely to be found through enabling business to see a commercial advantage in good cyber security.”

Leppard said another important part of the solution is finding ways to “harden” targets. “We need to be able to gather and share threat intelligence quickly, but that depends on better reporting,” he said.

Businesses must adopt a good cyber security standard

Businesses also need to adopt a good cyber security standard that is part of overall company security and ensure that everyone in the company is working to that standard.

“The answer is not more policing," said Leppard. "But better collaboration between law enforcement and industry, with the role of police increasingly about helping industry to protect itself. 

“It would help if all organisations were working to a common standard of information security, but I do not know how that could be achieved.”

Leppard said the UK government’s Cyber Essentials Scheme is a good place to start in establishing a minimum standard, but he said this only provides “lightweight” protection.

The biggest concerns for police in the year ahead, he said, is the potential proliferation of encrypted communications and the potential loss of security integrity of mobile communications.

“It is difficult to know where the biggest challenges will lie, but we are confident they will involve a cyber element,” Leppard concluded.

Read more on Hackers and cybercrime prevention