Home Office omits cyber from business crime statistics

According to the Home Office, theft from commercial premises has decreased from 52% of premises to 38%, while burglary has decreased from 25% to 12% since 2002. Vandalism is down from 23% to 18%, and fraud down from 20% to 8%. It’s a rosy picture suggesting that law enforcement is winning the battle against crime.

But it is not, suggest information security experts, a true reflection of crime in the UK. The problem is that cybercrime is excluded even though a website today is as much part of company premises as the physical building. According to the Home Office, the 2012 report is designed to be directly comparable to the 2002 report. “This was not possible for all crime types or questions, however, and consequently cyber crime and anti-social behaviour have not been included in this analysis,” says the new report.

The result, say the experts, gives a completely misleading picture of crime in the UK. “There are few things in life we can be absolutely sure of,” explains Ross Brewer of LogRhythm, “but one of them is the fact that the number of cyber attacks aimed at UK businesses is on the rise.” Criminals, he suggests, have learnt over the last ten years that “stealing cash from an organization’s safe is neither as lucrative nor effective as taking the information to access online bank accounts.” Consequently, he adds, “there is little point in talking up the reduction in the number of burglaries or shoplifting incidents, when hackers are routinely compromising corporate networks.”

There are two immediate examples. The ‘feeding frenzy’ of website defacements in support of Julian Assange – and in fact all website defacements – is ignored with the result that vandalism is down from 23% to 18%. Similarly, the dramatic rise in online financial fraud over the last decade is excluded, leading to an apparent reduction in fraud from 20% to 8%. “Of course if you count out the largest new market for crimes that has appeared in the last twenty years you are going to produce some rosy crime statistics, showing nice 50%+ drops,” says Daniel Beazer, director of strategy at Firehost. “However, a report on crime which doesn’t include cybercrime is like a sports study which chooses to ignore football.”

The problem for the Home Office is twofold. Firstly, companies do not always know when they have been breached; and secondly, they are not keen to publicize the fact when they do. For the former, Brewer suggests that a switch from reactive defenses to proactive monitoring, such as log analyses and SIEMs, will give companies the necessary insight. “In short,” he adds, “visibility and proactive monitoring have become the new burglar alarm.”

The latter is more intractable, and explains, says Beazer, “why business is lobbying so hard against the EU's plans for proactive breach notification of personal data.” 

But whatever the reasons for the exclusion of cyber from crime statistics, the result is dangerous. “We can’t have cybercrime relegated,” says Beazer. “Unthinking attitudes to cybercrime, as reflected in documents such as these, could have businesses neglecting to take the necessary precautions online. Government reports such as this one should endeavor to make its readers more, not less vigilant and unfortunately this one could have the exact opposite effect.”
