e-Crime the real story

Imagine for one moment that you are the Chief Executive of an international investment business and you have a problem, a very big problem. An organised crime group has picked your business to be the victim of a Distributed Denial of Service (DDoS) attack, similar to that experienced by Microsoft with ‘Blaster’ in August. The exploit is directed against the company’s servers running with vulnerable ports and the objective is to bring down the company’s on-line trading activities for thirty minutes each week.

Unlike Microsoft, you can’t simply switch your servers during the attack. Apart from the damage to reputation, the cost of thirty minutes’ loss of trading to your business is over a million dollars and, following the first incident, you receive a phone call from the gang, telling you that the problem will continue unless a million dollars in ‘consultancy fees’ is transferred to a bank in Colombia. What do you do next? Make a call to the National Hi-tech Crime Unit (NHTCU) and report the crime, or buy more security software, learn a harsh lesson and quietly pay the criminals off?

This is the nature of the problem facing the police and business today and one of the scenarios being prepared for discussion at next year’s eCrime Congress. Without accurate figures and with no financial institution willing to discuss the subject, it’s only possible to present an estimate of the levels of eCrime in Britain today. In many cases, companies believe they stand to lose more in terms of damage to their brand and customer confidence than they stand to gain by reporting an incident to the police.

Earlier this year, a survey commissioned by the NHTCU and conducted by NOP, revealed that security incidents had cost UK business an estimated £143 million over the previous twelve months.

The survey exposed three thousand different incidents among the one hundred and five organisations surveyed and the results included information theft, virus attacks and the loss of hardware other than laptop PCs.

From a business perspective, grasping the true size and nature of the problem is difficult. By including hardware and virus-related incidents, the ‘big ticket’ crime problems remain largely hidden in the statistics. It’s rather like being offered the tonnage of allied shipping sunk as a measure of U-Boat success in the Second World War: it doesn’t tell you what you really want to know, how many ships were actually sunk?

Chris Potter, Information Security Partner at PriceWaterhouseCoopers points to two surveys carried out by the company. Potter comments, “One of the big issues with e-crime is the definition. The DTI Information Security Breaches Survey 2002 indicated that nearly half of all UK companies have suffered malicious information security incidents, but most of these relate to virus infection and web-site hacking attempts. Relatively few incidents to date have involved electronic theft or fraud, with surveys showing only 6% of UK businesses affected so far.”

Potter adds, “The cost incurred for an individual electronic theft or fraud is often much greater than for other security incidents. The recent PwC Global Economic Crime Survey 2003 estimated the average loss from a cybercrime incident as $800 thousand. Secondly, most businesses expect the prevalence of cybercrime to rise significantly over the coming years. As more business is done electronically, more economic crime will become e-crime”.

At the CBI, Jeremy Beale, Director of eBusiness, identifies a number of different problems facing companies where eCrime is involved: “Firstly, business can rarely tell if a crime has been committed and if one has, who they should contact, the local police force or the NHTCU”. “Secondly”, says Beale, “is that it is too early to scale the exact size and nature of the problem but what is clear is that it is significant and government needs to bring its efforts together to create a single point of contact, through a central sponsor for information assurance”.

Few companies are aware of the NHTCU’s confidentiality charter, which is designed to protect a business from any potential damage or loss of confidence that might arise as a consequence of publicity. Companies can now report eCrime on an intelligence basis only, which the Police will work around and use as part of an information gathering exercise, which might possibly lead to the conviction of a third-party in the future or as part of a suitably sanitised ‘threat assessment’ that might be shared with similar organisations. Alternatively, a company can report a crime with a view to having it investigated, in which case an application can be made to the trial Judge for public interest immunity in order to protect the name of the business involved.

According to Tony Neate, Industry Liaison Officer at the NHTCU, “More and more sections of industry are reporting crimes and the increase in successful arrest and prosecutions is leading to a more informed view of what is happening”. However, the NHTCU concedes that even greater efforts need to be directed towards educating the business community over the process of reporting. For those that don’t know, this involves making a first approach to a regional computer crime unit, which will then escalate a report to the NHTCU if it demands national attention.

Jeremy Beale acknowledges the reporting problem and adds that the CBI is working with the NHTCU on a programme to inform small and medium sized businesses about the dangers of eCrime. “More”, says Beale, “Needs to be done to raise board level awareness of the responsibility of protecting business assets and we need to have more collaboration between industry networks and early warning systems”.

As far as Beale is concerned, the eCrime debate is still “treading water”, while the police struggle to gain an accurate impression of the size of the problem and business gradually realises that it is an issue that has to be recognised and understood at the most senior levels.

eCrime is here to stay and there is every indication that it will continue to grow at a steady and alarming rate unless business and law-enforcement can collaborate more closely. Head of the Hi-tech Crime Unit, Len Hynds, agrees that at present, a great deal of energy is devoted to ‘scoping the problem’ and then addressing the issues that arise as a consequence. “You would be surprised”, he says, “at how even the conduct of more conventional crimes, such as drug-trafficking, is expanding into the digital environment, which illustrates the serious nature of the problem facing society”.

For business, now appears to be the time to accept that being mugged can happen as easily in cyberspace as it can on Clapham Common but being warned isn’t enough. If you listen to the CBI, PWC and the Police, being prepared and a little paranoid might offer all of us a better business strategy for the future.

The next eCrime Congress will take place in London on 24th – 25th February 2004.

More Comments on eCrime

“One area of concern is the rise in identity theft, where criminals gain access to individuals' financial information. Financial services call centres are a particular risk, since many call centre systems will let the operator see the full account and password details for the caller. The operator can then pass these details onto criminals who can then pose as the caller and access their account”. Chris Potter – Information Security Partner - PWC.

“The relationship between law-enforcement and industry is fundamental to the growth of e-business in this country. For the police it’s a matter of changing tactics to meet the challenges of a digital environment” Detective Chief Superintendent Len Hynds – Director NHTCU

“We need to examine roles and responsibilities in dealing with eCrime. Is it the banks, the NHTCU or even Microsoft? All of us need to be behind a collective programme that deals with the problem”. Stuart Okin – Chief Security Officer Microsoft (UK) Ltd

