Fighting Cyber Crime: The Partnership Approach

There’s plenty of evidence to suggest that neither the business community nor the police service have effectively prioritised their response to cyber crime. Indeed, a 2016 Institute of Directors survey of businesses found that only 57% had a cyber or information security strategy in place and less than half (49%) provided relevant training for staff, despite 91% claiming they believed cyber security was important, write Martin Gill and Charlotte Howell.

Similarly, challenges faced by the police in tackling economic cyber crime include a disjointed policing approach, a general reduction in police resources and the changing nature of cyber space making it both difficult to understand and access. Wall (2007) has argued that the police is a “relatively minor player in the broader network of security that constitutes the policing of cyber space”. The failure to report most cyber incidents to the police has limited the opportunity to build up a comprehensive understanding of the problem.

Yet each side, business on the one hand and the police on the other, has much to offer in the ongoing fight against cyber offending. Businesses help protect the national infrastructure. Some businesses have large and dedicated departments that are able to build up a profile of risks and develop appropriate responses. No wonder there have been calls for private-public sector partnerships in this area.

However, evidence suggests that some police officers, at least, are sceptical. Police officers participating in one study saw “public involvement in cyber policing as something that should be limited to providing basic tips”.

To highlight some of the key issues, we explored the views of both security personnel and police officers. The two groups were surveyed in different studies in different years. The findings should be seen as exploratory in nature, perhaps best justified by the lack of previous research. Each survey included questions on the response to cyber crime.

Security perspective

An online survey of security professionals from around the world was carried out which generated 289 replies. Here, we focused on questions designed to assess perspectives on the ability of law enforcement to tackle cyber crime. In many ways the results are striking. 58% of respondents didn’t agree with a statement that the police were very effective at tackling cyber crime, while only 3% (six people, in fact) strongly agreed.

Second, in response to the statement: ‘The police are experts at tackling cyber’, 61% disagreed and only 4% strongly agreed. Perhaps more disappointingly, less than half felt that, within the next five years, the police will be able to be relied upon to tackle cyber crime. In fact, over half the sample (55%) felt it was impractical to report all cyber offences.

In terms of role, the police were clearly seen to be able to offer something distinct in having the ability to close down websites, access to databases and intelligence, powers of arrest and the support of the law. The business sector was seen as being important because it has information/intelligence and, ultimately, evidence at its fingertips (albeit the view was this isn’t always used constructively, while representatives lamented the lack of feedback they received on that which they did supply).

However, sharing information is complicated. There’s a fear from the business side that the police will fail to appreciate commercial sensitivities. This is one reason why some felt they would rather deal with a specialist private security supplier than the police. There was also a concern that the police couldn’t respond quickly and meaningfully to incidents.

Despite all of the problems identified with the police response, some interviewees spoke very highly of the ability of the police service to respond effectively. They talked of those involved in specialist areas where a response from the police was prioritised or where they had struck up good relations.

One respondent determined to note that it was possible for the business community to take the lead here, and that the type of response businesses should expect from the police ought to be based on the type and quality of contribution it can make.

Some argued for a much stronger and clearer narrative on what the police and business (including corporate and private security) can and should expect from each other.

Police perspective

An online survey was conducted involving police officers. In total, some 1,361 officers responded. There was certainly a sense that businesses need to take responsibility for themselves, and certainly for tackling cyber crime. In fact, 86% thought so. The primary explanation given was that the police lacked the resources to do this adequately.

Meanwhile, just less than 50% of respondents agreed that the police service has a responsibility to investigate cyber crime (again primarily because of the concern about the lack of resources). Some felt the role of the police should be focused on instances where business has collated the evidence. Business leading in this area was largely welcomed.

Indeed, close to two-thirds believed that most of the expertise for fighting cyber crime rests in agencies outside of the police service (including among security suppliers and corporations such as banks).

Some respondents made the point that the police needed to develop more skills in this area and focus on retaining the good staff already on the books.

Respondents felt businesses needed to be more committed to sharing information with the police, with approaching nine in every ten respondents stating this view. A much smaller majority – but over 50% – admitted that the police also need to improve here in terms of being more committed to sharing information with businesses. This is an area that, if solved, has much potential for collaborative working, but at present remains a significant barrier.

Note of caution

Professor Martin Gill CSyP FSyI

Professor Martin Gill CSyP FSyI

We need to stress caution here about the interpretation of the results. The survey of security professionals was global, while the survey of police officers was exclusively focused on the UK. The surveys were conducted at different times and adopted different wording. Hence our caution that the findings might best be used to generate discussion.

With these limitations in mind, there was general agreement that the police service – much like business generally and private security specifically – is playing catch-up in understanding and responding effectively to cyber crime. For the police, too, responding to cyber requires the acquisition of new skills and the establishment of new relationships with countries as well as organisations. These skills and relationships are very different to those needed to respond effectively to the traditional threats of street crime, burglary and robbery.

Some security professionals could see – and had benefited from – the progress that has been made, but the ubiquity of cyber offences and the limited resources of the police led some to doubt that it was best placed to be a main (or the main) responder in the future. Indeed, there was a lack of clarity about how the police service could best position itself to help business going forward. There was more certainty that police effectiveness in this area wasn’t optimal.

The view was similar among police officers. While some could point to examples of excellent practice in police work, the general view was that the scale of cyber offending and the depletion of resources available to the police meant organisations will have to take primary responsibility for protecting themselves. There’s clearly a need to better understand and clarify the roles that can be expected of each and, going forward, how those roles can be harnessed to bring about the best possible result.

Using resources wisely

Charlotte Howell MSc LLB (Hons)

Charlotte Howell MSc LLB (Hons)

On the business side – and that includes internal security/fraud/cyber crime units – there’s a need to shape the type of response elicited from the police by establishing how companies can use their own resources to best effect. Business will need help from the police in clarifying the types of data/intelligence, etc that are likely to be most helpful and the ways in which these can be best communicated.

There’s also a defined requirement to better understand how businesses beyond the larger and well-resourced ones can best retain and process evidence that may be helpful to the police. There’s certainly some frustration at present that efforts here are not reciprocated by the police in terms of, for instance, providing feedback or in always taking cases on when a business has already undertaken a good deal of preparatory work.

There seems much to commend the sharing of information and making the most of ‘cyber security expertise’ which, by all accounts, is seen as a comparatively scarce resource.

Professor Martin Gill CSyP FSyI is Director of Perpetuity Research. Charlotte Howell MSc LLB (Hons) is Research Manager at Perpetuity Research

*This article is based on the findings from two Security Research Initiative reports: Gill M and Howell C (2016) ‘Tackling Cyber Crime – The Role of Private Security’ and Howell C and Gill M (2017) ‘Police Views on Private Security’

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts