Police are often the last people an organisation wants to speak to when a security breach costs it intellectual property, sensitive data or even cold hard cash - but that needs to change, according to a commercial crime detective with WA Police.
“I’ve heard it said that there are two types of businesses in the world: those who know they have been compromised and those who don’t,” Detective Inspector Tim Thomas told iTnews.
Thomas believes businesses need to be more open about breaches in order to keep themselves safer in the longer term.
He says there is a significant discrepancy between the volume of cyber-based crimes being discussed in the community compared with the number being reported to the police.
Cybercrime is a method of offending rather than a type of offence, he explained. When combined with under-reporting as well as the multi-jurisdictional nature of cybercrime, a situation where the true scale of cybercrime offending is unknown occurs.
“There is a lot of information in the marketplace about the degree, cost and scale of cybercrime offences. However, these figures are not reflected in the reports we receive. So either there is a very large degree of under-reporting taking place or the figures are wrong," Thomas said.
He believes victims are reluctant to report cybercrime to the police because they are concerned it will damage their brand name.
"What we are trying to do is change the culture. We want victims to work with the police to find the offenders and bring them to justice. In our experience the general community is very supportive of businesses which take this approach."
Although organisations were trying very hard to keep their systems and data secure, they commonly faced an almost impossible challenge to maintain a constantly high level of security, Thomas said.
He said a typical scenario involved a company going to great lengths to ensure its staff and systems were secure, but then making a simple mistake.
“It’s startling when companies exercise all sorts of controls and rigour around their own staff but then employ a contractor, take them on face value and give them the keys to the kingdom. Why?" he said.
“Cybercrimes are committed by people, not technology, and many companies are not paying enough attention to this area. There is no drill-down into the individuals ... at the end of the day it boils down to a person coming through the door -- that is one of the most common attack vectors we see."
If sensitive information is stolen because an untrustworthy contractor copies it onto a USB key or a departing employee takes a copy of the client database, this is just as damaging to the company as a network intrusion.
People outside of law enforcement have very little idea of the actual challenges faced by the police in this area, Thomas said.
A significant problem has been the way crimes are classified and recorded - most cybercrimes are traditional offences which are being committed in a new way, and are therefore recorded as fraud or threats.
But the issue is currently being addressed by a federal government initiative. Called the Australian Cybercrime Online Reporting Network (ACORN), the program will offer an online, one stop shop for cybercrime reporting in Australia.
“Some of our laws say it’s unlawful to do a whole range of things on computers and networks with information holdings if you are not authorised to do so. But if someone hasn’t told a person what they are and are not allowed to do it can be difficult for us to prove," Thomas said.
“It’s not very exciting or technical but it’s a day to day reality for us."
Thomas says companies often stumble when assigning staff and contractors with suitable access rights and privileges - especially when it comes to mission critical aspects of the business.
“Then they get a disgruntled employee, or someone seeking personal gain who does the wrong thing. In the absence of clear permissions it can be very difficult to prove criminality,” he said.
The WA Police has set attendees to the AusCERT 2014 conference an encryption-based challenge, based on an actual crime.
The challenge is only open to AusCERT delegates and kicked off yesterday (Monday 28th April). Entries close on Thursday 8th May and winners will be announced on Wednesday 14th May at the conference.
“It was a real world data set and based on a problem encountered by the WA police years ago. We replicated what had occurred and obviously changed all the identifiable information,” Thomas said.
Thomas claims the problem isn’t ‘extremely difficult’. However, he said the result isn’t as important as the methodology used to find the solution.
“Law enforcement have a particular mindset and we approach problems differently - it doesn’t make us better, just different,” he said.
He is also hoping to learn some new problem solving methods from the delegates.
“It’s not the hardest problem in the world so let's see if you can do it faster or better than the Western Australian coppers."