The CBI's recent cyber crime report, released at the end of last month, was accompanied by a call to action, challenging the Government to come to the rescue of cyber crime victims through the work of its cyber crime unit and by setting up a UK centre for cyber crime complaints. The message is clear: UK companies want justice to be done and the Government should be responsible for meting out punishment to cyber criminals.
In my view, however, this kind of idealism is only playing into the hands of such criminals. If companies persist with the belief that the law can protect them from cyber crime, they will continue to lose billions a year from security breaches. In other spheres, prison sentences and the fear of being caught may decrease crime levels, but it seems that cyber criminals have less respect for the law.
This disrespect stems from the fact that the law is inherently unsuited to tackling cyber crime. Whilst laws are national, cyber crimes are international, which makes prosecution almost impossible. Cyber crime laws are also written in response to attacks that have already happened, so the law will always lag the criminals and delays are inevitable.
Furthermore, too few investigating officers have the necessary skills and training to combat cyber criminals, and those who do are often tempted away by the high salaries of the private sector. Even when cases do reach the courts, convictions are rare because digital evidence is incredibly difficult to present and validate. Finally, sentences for cyber crime are laughably lenient: the longest UK sentence so far issued is four years.
Cyber criminals are unlikely to be caught, unlikely to be prosecuted and unlikely to be justly sentenced. These people are gamblers and, with the odds stacked so convincingly in their favour, they will continue to commit their crimes. Thus, no company is safe from cyber criminals but, rather than relying on someone else to look after them, companies must be responsible for making their security stringent enough to protect them.
To achieve this, most firms need to undergo a cultural change and employees must be prepared to compromise usability to ensure that systems are protected. Staff must understand the potential consequences of careless behaviour, and security policies should be well defined and strictly policed to make it easier to monitor for abnormal behaviour.
It is essential that companies don't become complacent as confidence gives hackers an opening. Even if they have implemented strong user identification and authentication policies, it is still worthwhile to track unusual behaviour like repeated failed login attempts within the company.
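As an added illustration of the monitoring the article recommends (example code, not part of the original piece), the script below runs a simple detection over authentication log lines: it counts failed logins per user and source address within a sliding time window, raises an alert when the count crosses a threshold, and separately flags a successful login that follows such a burst, which is the pattern a practitioner most wants to see. The log lines are constructed for the example in sshd/syslog style; the year is assumed because syslog timestamps omit it, and the threshold and window values are illustrative defaults, not recommendations from the article.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in sshd/syslog style (not real data).
# alice: five failures in 30 seconds, then a success from the same source.
# bob: three failures spread over 40 minutes, which a 5-minute window ignores.
SAMPLE_LOG = """\
Mar 12 09:00:01 host sshd[1201]: Failed password for alice from 203.0.113.5 port 50122 ssh2
Mar 12 09:00:07 host sshd[1202]: Failed password for alice from 203.0.113.5 port 50123 ssh2
Mar 12 09:00:12 host sshd[1203]: Failed password for alice from 203.0.113.5 port 50124 ssh2
Mar 12 09:00:19 host sshd[1204]: Failed password for alice from 203.0.113.5 port 50125 ssh2
Mar 12 09:00:25 host sshd[1205]: Failed password for alice from 203.0.113.5 port 50126 ssh2
Mar 12 09:00:31 host sshd[1206]: Accepted password for alice from 203.0.113.5 port 50127 ssh2
Mar 12 09:01:00 host sshd[1210]: Failed password for bob from 198.51.100.9 port 41000 ssh2
Mar 12 09:20:00 host sshd[1211]: Failed password for bob from 198.51.100.9 port 41001 ssh2
Mar 12 09:40:00 host sshd[1212]: Failed password for bob from 198.51.100.9 port 41002 ssh2
"""

# Matches the two sshd message shapes used above; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, src) or None for lines we do not handle.

    The year is an assumption: syslog timestamps carry none.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window failed-login detection keyed on (user, source address).

    Returns a list of alert dicts in log order. Two rules fire:
      brute_force            - `threshold` failures inside `window` (once per key)
      success_after_failures - an Accepted login while a burst is still in the window
    """
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerted = set()                # keys that already produced a brute_force alert
    alerts = []

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        key = (user, src)
        q = failures[key]

        # Drop failures that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()

        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"rule": "brute_force", "user": user, "src": src,
                               "count": len(q), "at": ts.isoformat()})
        else:  # Accepted
            if len(q) >= threshold:
                alerts.append({"rule": "success_after_failures", "user": user,
                               "src": src, "count": len(q), "at": ts.isoformat()})
            # A success ends the current run of failures for this key.
            q.clear()
            alerted.discard(key)

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The point of the window is visible in the sample: bob's three failures are real, but forty minutes apart they look like a forgetful user, not an attack, so they are only flagged if the window is widened (for instance `detect(SAMPLE_LOG, threshold=3, window=timedelta(hours=1))`). Keying on the pair of user and source address is a deliberate simplification; a password-spraying attacker who rotates addresses or usernames needs a second rule keyed on each alone.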
Companies should also remain cynical and disregard all claims that products and systems are secure until they can be proved. They should not allow themselves to be guinea pigs and should ensure that they take expert advice before experimenting with new technologies.
Finally, if you don't have the expertise to determine security risks, hire those who do. Ensure that security employees are officially accredited and can prove their credentials. It is essential to keep your key staff, their knowledge and expertise, and not to risk losing them for short-term economic reasons. Your only hope is to know more than your attackers.
Whilst no security steps can ever completely protect you against most high-level hackers, they will help ensure that you are as well protected as possible. It is vital that your staff's security education is to the highest level. Knowledge is the cyber criminal's most powerful weapon and thus your best line of defence. When it comes to cyber crime you are fighting on your own, so it falls to you to make sure you are equipped.