LP Magazine EU

Law Enforcement

Computer Security No Longer a “Geeky Distraction” in War on Cyber-Crime

By David Cook

Our reliance on computers has absolutely exploded in recent years. The concepts of social media, big data, and bring your own device (BYOD) are very recent developments. One could argue that our lives are now dependent on our access to computers and the Internet. We need our computers, smartphones, and tablets for everything from shopping to socialising. In fact, a 2011 United Nations Human Rights report noted that the Internet has become a key means by which individuals can exercise their right to freedom and expression. Simply put, many of us could not live…or at least comfortably live…without computers and Internet access.

This has translated into consumers naturally wanting to shop online and businesses adapting accordingly. Firms now hold digital databases of employees, client lists, and intellectual property. Employees are using corporate computer networks to do their own shopping, Internet browsing, and emailing. The amount of data that we are storing as individuals as well as retailers is astounding.

But still, all too often, those who are running businesses—from company directors to small and medium enterprise (SME) partners—consider computer security to be a “geeky distraction” that is fairly unimportant and can be simply delegated to the information technology (IT) team. It is not. It is core to your business and, if you do get it wrong, your work stream and revenues can be stopped in a heartbeat.

Growth of Cyber-Crime

The issue of computer security is now more important than ever before because criminals have identified that living our lives online presents opportunities for them. I was recently discussing the rise of cyber-crime with a senior Police officer who informed me that cyber-criminals are now the most popular members of the prison community. Apparently, seasoned armed robbers are considering changes of career from running into jewellers with balaclavas and shotguns and risking security smoke or being shot at by Police officers for a few thousand pounds, to understanding computer crime and potentially transferring €10,000 per minute from a company from the comfort of their sofa. Hard-core criminals and would-be criminals are increasingly attracted to computer-related offences as they are quicker and easier.

I undertook a lot of work with the Government Communications Headquarters (GCHQ)-funded cyber-crime research centre at Lancaster University, U.K., with regard to the reasons behind the increase in cyber-crime. It was found that a significant factor was the lowered entry barrier for would-be criminals. The attraction of a computer-related crime is fairly easy to identify—low risk to safety, potentially very high gains, and potentially untraceable or unnoticeable by the victim.

Coming face-to-face with your victim is immediately intimidating. It is also easy for a person to minimise the effect of their offending if they have no idea who the victim is in real terms. With the entry barrier for computer offences being lower than traditional offences, more people are choosing to commit these crimes. This is, of course, in addition to those who would be criminals anyway, choosing to use computers as their route to criminality.

The effect of the frequency of offending increasing in this manner is magnified further by what I would suggest is an abject failure by the State to protect us from the risks. Simply put, Police forces are massively underfunded for investigating computer-related offences and simply do not have enough people with the necessary skills. It is an impossible task. It is like trying to use a thimble of water to douse a forest fire.

Using Outside Experts

I have therefore found that an increasing number of businesses are approaching cyber-crime experts to assist them. My work often involves an investigation of some sort with respect to the alleged offence, advice on that offence and then, depending on the situation, referral to the Police, Trading Standards, or privately prosecuting the individual on behalf of the company. This niche has arisen solely because the Police are so behind the times with regard to the risks posed by cyber-crime. Private individuals and businesses ought to be afforded the full protection of the criminal law and such victims often feel that the Police do not take them seriously and that they need outside assistance.

Despite the daunting task, law enforcement is interested in cyber-crime. I recently provided training sessions for senior officers of the North West Police, the Yorkshire and Humber Police, and South Wales Police regarding how best to prosecute these cases. It seems to me that working in conjunction with Police will allow for our communities, whether digital or otherwise, to be protected properly in future.

Impact on Retailers

The impact of cyber-crime on retail is significant, to the point that some retailers have formed internal investigation teams. But the focus of such teams tends to be on loss prevention rather than prosecution or civil litigation, both of which are entirely possible, proportionate responses and a clear deterrent to other would-be cyber-criminals. At the very least, the cost of the investigation can be recouped through litigation.

A recent Government survey found that the average weekly spend online was £586.6 million in July 2013. The attraction for criminals is clear, and the risk therefore comes from those both internal and external to the retailer.

It is estimated that around 39 per cent of incidents involving data breaches and systems failures come from inside an organisation. The causes range from genuine mistakes, such as losing laptops or storage media, to insider collusion in the commission of an offence. Of course, we are also familiar with the risks posed by external agents, such as hackers or hacktivists, who may choose to target a retailer for a myriad of reasons ranging from financial gain to personal vendetta to political statement.

Businesses should be aware that the risk of a hack or data loss is not solely related to that retailer’s website. They also need to be wary of the use of third-party data centres, cloud providers, and payment processors. These third parties carry company data and a breach that is their responsibility can still detrimentally affect both the finances and reputation of the business.

Examples of Risk to Retailers

The risks are far-reaching and extend to issues that many retailers will have simply not considered. For example, a computer error, whether caused by negligence or an explicit cyber attack, may mean that tills go offline. Could many High Street shops or e-commerce retailers continue to function if they were unable to process transactions? I would suggest not. Not only would this significantly affect sales, but it would also affect their stock management processes. The repercussions could last for quite some time.

Chip-and-PIN systems are now a clear target for online criminals. Indeed, in 2012 Barnes & Noble suffered such a breach. What would be the effect of an online retailer being unable to accept credit or debit cards for a week? Once that sinks in, consider what the effect would be to the reputation of a business and the likelihood of further commerce if they had to disclose to the general public that the financial details of customers may have been compromised.

If customer data is lost, there is then a risk that regulators, such as the Financial Conduct Authority or the Information Commissioner’s Office, become involved, potentially causing further reputational damage and/or sanctions (see page 38).

I believe that the shift to tablet and mobile transactions is a further concern for retailers. Global mobile transaction volume and value are expected to grow by an annual average of 42 per cent through 2016. The shift of consumers to mobile devices will naturally see cyber-criminals attracted to that area also. The vulnerabilities are clearly at the point-of-sale and in terms of the storage of the transaction data. Depending on how the transactions occur, both of these factors are arguably the responsibility of the retailer.

The concept of employees bringing their own mobile and tablet devices to work (BYOD) is a fairly recent one that brings with it additional inherent risks. The absence of tracking and central control around these devices, such as mobile device management, is an issue. These factors leave the devices and the companies where employees are using them at risk of malware and data theft through hostile applications and unauthorised access.

A security breach in any of these methods could be absolutely catastrophic and may mean that a retailer can no longer function—all because of an issue that some company directors still believe can be delegated to their internal IT team. If there is one piece of advice that I can give a retailer, it is that data security should be top of the agenda. This needs looking at and it needs looking at immediately, before disaster strikes.

DAVID COOK is a Solicitor Advocate in the regulatory team at Pannone law firm in London, specialising in white-collar offences and cyber-crime. He can be reached at david.cook@pannone.co.uk
