There’s plenty of evidence to suggest that neither the business community nor the police service have effectively prioritised their response to cyber crime. Indeed, a 2016 Institute of Directors survey of businesses found that only 57% had a cyber or information security strategy in place and less than half (49%) provided relevant training for staff, despite 91% claiming they believed cyber security was important, write Martin Gill and Charlotte Howell.
Similarly, challenges faced by the police in tackling economic cyber crime include a disjointed policing approach, a general reduction in police resources and the changing nature of cyber space making it both difficult to understand and access. Wall (2007) has argued that the police is a “relatively minor player in the broader network of security that constitutes the policing of cyber space”. The failure to report most cyber incidents to the police has limited the opportunity to build up a comprehensive understanding of the problem.
Yet each side, business on the one hand and the police on the other, has much to offer in the ongoing fight against cyber offending. Businesses help protect the national infrastructure. Some businesses have large and dedicated departments that are able to build up a profile of risks and develop appropriate responses. No wonder there have been calls for private-public sector partnerships in this area.
However, evidence suggests that some police officers, at least, are sceptical. Police officers participating in one study saw “public involvement in cyber policing as something that should be limited to providing basic tips”.
To highlight some of the key issues, we explored the views of both security personnel and police officers. The two groups were surveyed in different studies in different years. The findings should be seen as exploratory in nature, perhaps best justified by the lack of previous research. Each survey included questions on the response to cyber crime.
An online survey of security professionals from around the world generated 289 replies. Here, we focused on questions designed to assess perspectives on the ability of law enforcement to tackle cyber crime. In many ways the results are striking. 58% of respondents didn’t agree with a statement that the police were very effective at tackling cyber crime, while only 3% (six people, in fact) strongly agreed.
Second, in response to the statement: ‘The police are experts at tackling cyber’, 61% disagreed and only 4% strongly agreed. Perhaps more disappointingly, less than half felt that, within the next five years, the police will be able to be relied upon to tackle cyber crime. In fact, over half the sample (55%) felt it was impractical to report all cyber offences.
In terms of role, the police were clearly seen to be able to offer something distinct in having the ability to close down websites, access to databases and intelligence, powers of arrest and the support of the law. The business sector was seen as being important because it has information/intelligence and, ultimately, evidence at its fingertips (albeit the view was this isn’t always used constructively, while representatives lamented the lack of feedback they received on that which they did supply).
However, sharing information is complicated. There’s a fear from the business side that the police will fail to appreciate commercial sensitivities. This is one reason why some felt they would rather deal with a specialist private security supplier than the police. There was also a concern that the police couldn’t respond quickly and meaningfully to incidents.
Despite all of the problems identified with the police response, some interviewees spoke very highly of the ability of the police service to respond effectively. They talked of those involved in specialist areas where a response from the police was prioritised or where they had struck up good relations.
One respondent was determined to note that it was possible for the business community to take the lead here, and that the type of response businesses should expect from the police ought to be based on the type and quality of contribution it can make.
Some argued for a much stronger and clearer narrative on what the police and business (including corporate and private security) can and should expect from each other.
An online survey was conducted involving police officers. In total, some 1,361 officers responded. There was certainly a sense that businesses need to take responsibility for themselves, and certainly for tackling cyber crime. In fact, 86% thought so. The primary explanation given was that the police lacked the resources to do this adequately.
Meanwhile, just less than 50% of respondents agreed that the police service has a responsibility to investigate cyber crime (again primarily because of the concern about the lack of resources). Some felt the role of the police should be focused on instances where business has collated the evidence. Business leading in this area was largely welcomed.
Indeed, close to two-thirds believed that most of the expertise for fighting cyber crime rests in agencies outside of the police service (including among security suppliers and corporations such as banks).
Some respondents made the point that the police needed to develop more skills in this area and focus on retaining the good staff already on the books.
Respondents felt businesses needed to be more committed to sharing information with the police, with approaching nine in every ten respondents stating this view. A much smaller majority – but over 50% – admitted that the police also need to improve here in terms of being more committed to sharing information with businesses. This is an area that, if solved, has much potential for collaborative working, but at present remains a significant barrier.
Note of caution
We need to stress caution here about the interpretation of the results. The survey of security professionals was global, while the survey of police officers was exclusively focused on the UK. The surveys were conducted at different times and adopted different wording. Hence our caution that the findings might best be used to generate discussion.
With these limitations in mind, there was general agreement that the police service – much like business generally and private security specifically – is playing catch-up in understanding and responding effectively to cyber crime. For the police, too, responding to cyber requires the acquisition of new skills and the establishment of new relationships with countries as well as organisations. These skills and relationships are very different to those needed to respond effectively to the traditional threats of street crime, burglary and robbery.
Some security professionals could see – and had benefited from – the progress that has been made, but the ubiquity of cyber offences and the limited resources of the police led some to doubt that it was best placed to be a main (or the main) responder in the future. Indeed, there was a lack of clarity about how the police service could best position itself to help business going forward. There was more certainty that police effectiveness in this area wasn’t optimal.
The view was similar among police officers. While some could point to examples of excellent practice in police work, the general view was that the scale of cyber offending and the depletion of resources available to the police meant organisations will have to take primary responsibility for protecting themselves. There’s clearly a need to better understand and clarify the roles that can be expected of each and, going forward, how those roles can be harnessed to bring about the best possible result.
Using resources wisely
On the business side – and that includes internal security/fraud/cyber crime units – there’s a need to shape the type of response elicited from the police by establishing how companies can use their own resources to best effect. Business will need help from the police in clarifying the types of data/intelligence, etc that are likely to be most helpful and the ways in which these can be best communicated.
There’s also a defined requirement to better understand how businesses beyond the larger and well-resourced ones can best retain and process evidence that may be helpful to the police. There’s certainly some frustration at present that efforts here are not reciprocated by the police in terms of, for instance, providing feedback or in always taking cases on when a business has already undertaken a good deal of preparatory work.
There seems much to commend the sharing of information and making the most of ‘cyber security expertise’ which, by all accounts, is seen as a comparatively scarce resource.
Professor Martin Gill CSyP FSyI is Director of Perpetuity Research. Charlotte Howell MSc LLB (Hons) is Research Manager at Perpetuity Research.
*This article is based on the findings from two Security Research Initiative reports: Gill M and Howell C (2016) ‘Tackling Cyber Crime – The Role of Private Security’ and Howell C and Gill M (2017) ‘Police Views on Private Security’