Sapsiwai - Fotolia

Security industry largely welcomes NCA cyber crime report

Most information security professionals support the National Crime Agency's call for help from businesses in pursuing cyber criminals

This article can also be found in the Premium Editorial Download: Computer Weekly: Building big ideas in banking

The information security industry has largely welcomed the Cyber Crime Assessment 2016 by the UK National Crime Agency (NCA), but not all support the call for business collaboration with law enforcement to pursue and disrupt cyber criminals.

There is, however, unequivocal agreement with the NCA’s assessment that the speed of criminal capability development is currently outpacing the UK’s collective response to cyber crime.

“The NCA is right to highlight that the cyber crime arms race is the single biggest threat to corporates and individuals globally, particularly as cyber crime is not bound by national borders or political and trade treaties,” said Rob Cotton, CEO at global cyber security and risk mitigation specialist NCC Group.

“The risk of being hacked or having valuable data stolen continues to grow at a seemingly unstoppable pace, and although it’s encouraging that awareness is building among consumers and businesses, more needs to be done to affect behavioural change,” he added.

Since responsibility for cyber security ultimately rests with a company’s board, Cotton said they need to ensure they treat it as a priority and invest in an effective mitigation strategy to prevent even the most sophisticated attacks.

NCC Group is currently in the process of forming a cyber security committee which will be led by a senior independent non-executive director and will comprise the non-executive directors and the CEO, which is Cotton.

“I will report monthly to the committee on the performance of the group’s internal security and defences,” he said. “We believe we are the first listed company to create a cyber security committee at a board level. With the ever-rising threat of cyber attacks, we are of the opinion that all listed companies should have a board-led cyber security committee.”   

The NCA is urging businesses to view cyber crime not only as a technical issue, but also as a board-level responsibility, and to make use of the reporting paths available to them, sharing intelligence with law enforcement and each other.

Under-reporting continues to obscure the full impact of cyber crime in the UK, the report said, which hampers the ability of law enforcement to understand the operating methods of cyber criminals and most effectively respond to the threat.

According to AppRiver security research manager Troy Gill, there are two main reasons why companies do not report breaches. “They’re either ignorant of the breach or fearful it will cost them customers, drastically reducing their profits,” he said.

Read more about collaboration between business and law enforcement

In recognition of business concerns, the NCA has given the assurance that reporting a cyber crime is unlikely to result in any disruption of business and all will be handled with strict confidentiality.

“Companies have proven they can’t be entrusted to store data properly or implement good security practices on their own, so compliance is needed to ensure that they are at least meeting minimum standards to keep their customers’ information secure,” said Gill.

Unless we’re talking about the board of a cyber security company or compliance agency, remaining secure and compliant is probably one tiny sliver of issues they deal with daily. If most boards knew what was at stake by remaining non-compliant or negligent with their IT security, they would make it a priority. Unfortunately, most don’t realise this until it’s too late,” he added.

But the NCA is calling on board directors to challenge their business management teams to go beyond compliance with minimum cyber security standards to ensure that rapidly evolving cyber security and resilience challenges are addressed and the threat to the UK is reduced.

Countercept strategic manager Peter Cohen said while it is true that compliance does not equal security, it does give organisations a baseline that is generally geared around mitigating low-level threats such as commodity malware or script kiddie activity.

“As such [compliance] can be considered a reasonable starting point – depending on the compliance framework. The real danger with compliance is that while its purpose is understood within security circles, executives often believe that compliance is security, however when it comes to mitigating more capable threat actors, this simply is not the case,” he said.

Cyber crime too big to tackle alone

According to the NCA report, cyber crime is a threat of such magnitude, complexity and fluidity that neither businesses nor law enforcement will be able to meet the challenges alone.

“What is needed is a partnership approach to mitigating threats and identifying and disrupting criminals,” the report said.

The NCA believes that closer working between law enforcement and business to identify and arrest serious ‘upstream’ cyber criminals will protect businesses, stop future attacks and reduce the threat.

“Cyber crime response should therefore be treated as a strategic priority and include a stronger public-private partnership to investigate, report and combat cyber crime,” the report said.

BT Security CEO Mark Hughes agrees. “Collectively we all need to be more open and transparent in the reporting of cyber crime, recognising that all of us face similar threats from ruthless, innovative and transnational criminal entrepreneurs.

“A new partnership is needed between government and industry to take the offensive in disrupting the business models used by criminals, and both BT and KPMG are committed to playing our part in helping the National Cyber Security Centre and NCA succeed in this shared goal,” he said.

Stephen Love, European security practice lead at IT services firm Insight, said that while defensive measures such as layered security solutions, antivirus protection and encryption are crucial in protecting a business from attack, too often businesses are playing catch-up.

“There might be a hole in a system that hackers infiltrate, so it is filled with a patch. Now it is vital we begin to think proactively and stop the hole from appearing in the first place, and this is where a collaborative approach is needed between businesses and law enforcement agencies,” he said.

“Every organisation, no matter the size, needs to put security at the very top of the boardroom agenda to ensure all measures are taken to prevent a cyber attack. In addition, if they do fall victim or their systems have foiled an attack, the organisation should report it to a law enforcement agency immediately.”

Call to arms

The NCA’s National Cyber Crime Unit director Jamie Saunders told Computer Weekly the call to arms is for business to work with law enforcement to pursue the cyber criminals behind the attacks, to either put them behind bars or to disrupt their operations.

So far, he said, the focus has mainly been on hardening defences, which has to continue. “But we need to support that with a much more robust approach to disruption and upstream intelligence.”

But Ryan O'Leary, vice-president of the Threat Research Centre at WhiteHat Security, said that while it is a step in the right direction for the UK government to invest more money in cyber defence, he believes money is always better spent in the defence of an attack rather than in trying to find the culprit.

“Those who can pull off cyber attacks are prevalent on a global scale, as the NCA’s annual assessment has proved; if one individual or group were able to execute an attack, it is very likely many others could do the same. The issue is not the attacker – they are always going to exist – it’s the system that is susceptible to the attack. Fix the issue and your attacker problem goes away,” he said. 

O’Leary points out that many of the attackers operate out of countries that make it near impossible to instigate legal action. “Finding the individuals responsible also gains the company nothing. As proven by the large number of breaches and fraud incidents quoted by the NCA, fear is not a deterrent to international attackers. These individuals have nothing to fear since they know they cannot face legal action or be extradited from their home country,” he said.

Saunders recognises that not all cyber criminals can be pursued because of where they are based, but in those cases it is still important to know who they are so that their operations can be disrupted. The NCA has participated in several international operations that have aimed at shutting down cyber criminal infrastructure.

There has to be a strong emphasis on attribution, he said, because a purely defensive stance means cyber criminals will just come back repeatedly to try their luck.

The NCA assesses that the most advanced and serious cyber crime threat to the UK is the direct or indirect result of activity by a few hundred international cyber criminals, typically operating in organised groups, who target UK businesses to commit highly profitable malware facilitated fraud.

By disrupting the operations of these groups, the NCA and other law enforcement organisations around the world believe they can significantly reduce the capacity of lower level criminals who rely on organised crime groups to provide the technical tools and infrastructure to commit crime.

Read more on Hackers and cybercrime prevention