Firms urged to come clean on IT breaches

Cyber crime reporting must rise if prosecution rates are to improve

Experts are encouraging firms, particularly banks, to publicise security breaches to tackle the stigma and culture of secrecy associated with such attacks.

Howard Schmidt, chief security officer at eBay and former chief security officer for the White House, says incidents such as distributed-denial-of-service attacks, key logging and phishing should be reported to police authorities and, if necessary, communicated to the public.

‘It is embarrassing for financial services firms to report data breaches,’ said Schmidt. ‘But they must report them to give the authorities the tools to deal with the problem.’

Laws in the US such as Sarbanes-Oxley and Californian privacy legislation make it a legal requirement for businesses to declare security breaches, but this is not the case in the UK.

Schmidt says training police in technology-related crime is critical. It is not compulsory for British officers to undergo any high-tech training, which is only offered on a voluntary basis.

Chief inspector Chris Simpson, formerly of Scotland Yard’s Ecrime Unit, says resources are scarce for dealing with e-crime.

‘So few crimes are reported by businesses it is hard to get a handle on the efficiency of the prosecution of e-crime,’ he said.

‘Numbers of specialist investigators are relatively low, and I think the loss of the National High Tech Crime Unit (NHTCU) has had a negative impact on public confidence.’

Since the NHTCU became part of the Serious Organised Crime Agency (Soca), there has been no national reporting unit for e-crime, and businesses are told to report incidents to local forces.
