Businesses failing to report security breaches

Cyber criminals are escaping punishment because companies are failing to report security breaches according to Detective Inspector Chris Simpson, former head of the Metropolitan Police Computer Crime Unit.

Speaking at an IT security event at the House of Lords on Monday, Simpson said businesses are reluctant to report cases of hacking, DOS attacks and other computer crimes for fear of negative publicity. He argued that the UK should adopt a similar law to the California Security Breach Information Act (SB-1386) where organisations are required to divulge details of security crimes and inform individuals if the security of private information has been compromised.

Simpson said: "Anecdotal evidence suggests there is underreporting of e-crime, consequently convictions for Computer Misuse offences are relatively rare." He stressed that the aim of police "was not necessarily to pursue a prosecution in every case" and that intelligence was essential to "disrupt wider criminal activity or to inform crime prevention initiatives". He added that companies and members of the public should be reassured that where information is given in confidence "we will do our utmost to preserve the anonymity of the informant".

He also revealed that when cases do come to trial there are issues in presenting technically complicated cases to jurors. He said: "The authorities are facing some tough issues around presenting technical prosecutions in court, particularly in respect of educating non technical juries.

"However, in several recent cases defendants have entered ‘guilty pleas' due to the weight of the technical evidence against them. Successful case preparation depends on close co-operation between the police, CPS and industry experts. This partnership approach has been very effective in a many recent cases."

According to Simpson, recent changes to legislation have increased the maximum penalties for Computer Misuse offences and this should add a deterrent to the commission of these crimes.

Furthermore, he claimed organisations are failing to employ effective security measures, particularly in respect of the internal threat. He said that the majority of reported security breaches involved current workers, former employees or contractors.

"The main threat to businesses is ignorance. An informed top down approach is essential to help prevent security violations, many of which can be stopped by inexpensive tools, robust security policy and effective management practices," he said. "Many avoidable vulnerabilities arise when systems access is not managed properly for employees, contractors and former workers," he added.

Sign up to our newsletters