As cybercriminals grow in sophistication and organized crime becomes increasingly involved in the mix, the cost of cyber crime to U.K. business continues to grow, resulting in billions lost in down time, systems damage and client loss, according to a report released Tuesday by the National Hi-Tech Crime Unit (NHTCU).
As of last year, the estimated minimum cost of the impact of high-tech crime on companies based in the U.K. with more than 1,000 employees was £2.45 billion (US$4.61 billion), the NHTCU said. The results of the yearly survey were announced on the first day of the e-Crimes Congress in London.
In the survey of 200 large and medium-size companies, 89 percent said that they had experienced some form of high-tech crime in 2004; of those, 90 percent suffered from unauthorized access to, or penetration of, their company systems, while 89 percent suffered theft of information or data, the NHTCU said. Security breaches occurred from outside and, more often, from within a company’s system.
Furthermore, 97 percent of all respondents said they had experienced virus attacks in the year, costing £70.8 million, while financial fraud cost 9 percent of respondents £68.2 million, the NHTCU said.
The survey was conducted by NOP (the market research division of United Business Media PLC) for the NHTCU, which was created as part of the National Crime Squad in 2001. Since its inception, the unit has been involved in over 100 investigations and has arrested over 200 people involved in serious and organized computer related crime, the NHTCU said.
The Director General of the National Crime Squad, Trevor Pearce, estimated that in 2004, nine out of 10 companies in the U.K. suffered some sort of cybercrime, reiterating the study’s findings, and that the growing spread of that crime was having far reaching effects. “The inability to carry on with the day job (because of cybercrime) is a growing concern of companies,” Pearce said, speaking at the e-Crimes Congress Tuesday.
According to Pearce, the biggest trend in cybercrime has been the emergence of organized crime. “We are seeing a professionalization of organized crime as they enter the high-tech world,” he said.
Yet despite all of the warnings, a third of companies in the U.K. still do not perform security audits, and 35 percent have no crisis management procedures to deal with high-tech crime, Pearce said.
On average, a company experiences 7 virus attacks a day, though that figure can vary wildly depending on the company. For example, Alan Jebson, Group Chief Operating Officer at HSBC Holdings PLC told the audience that on the bank’s busiest day last year, the U.K.-based financial institution was hit with 100,000 attacks.
“Criminals are attracted to the Internet by the sheer lever of opportunity,” Jebson said.
Jebson expressed his industry’s concern that as cybercrime continues to take new forms, consumers are becoming more fearful of conducting any financial transaction over the Internet.
Blossoming new security threats include the use of zombie networks or botnets to attack companies; phishing online identity theft scams; pharming frauds which redirect Internet users looking for legitimate Web sites to Web pages at another site controlled by the unknown attackers, and the use of money mules, people who allow their bank account to be used to store stolen money (most likely from the same bank) before it is then moved to another site, often offshore.
“This is an area where our regulators could have a significant impact by helping to [ensure] banks move together towards addressing [these challenges to] secure banking online,” Jebson said.
As part of its efforts to combat cybercrime, Jebson said that HSBC has signed up with the U.K. government to play a major role in Project Endurance, a consumer education campaign on Internet security that was launched last November. The steering group includes the NHTCU, the Department of Trade and Industry, the Home Office, the Confederation of British Industry (CBI) and the Association of Payment Clearing Services.
However, Jebson warned that simple consumer education may fall short of the security mark, driving financial institutions to force their customers into a more proactive role. “I think the industry as a whole may have to adopt a firmer line with customers,” Jebson said. “For example, at some point we may not allow customers without a firewall to use HSBC online services.”
All of the conference speakers on Tuesday morning stressed the need for partnerships to be established between governments and corporations, as well as all levels of law enforcement, nongovernmental organizations (NGOs) and every computer user on both a local and an international level.
Every case opened by the cybercrime division of the U.S. Federal Bureau of Investigation (FBI) since it was set up in 2003 has had an international dimension, making cross-border cooperation, such as between the FBI and the U.K. National Crime Squad, all the more important, according to Steve Martinez, deputy assistant director of the FBI.
Martinez pleaded with conference attendees to report all instances of cybercrime. “We estimate that the FBI receives reports on only a third of cyber attacks. Law enforcement needs to be notified of all attacks,” Martinez said.
If the best way for curbing crime — good old fashioned law and order — is to be effective, corporations and individual users need to reach out to law enforcement officials, he said. “Sanctions must hit hackers and the most effective sanction is locking these criminals up, but we need your help providing intelligence and evidence,” Martinez said.
The e-Crimes Congress in London runs through Wednesday.