
Sooraj Shah

Contributing Editor

Sooraj Shah is Contributing Editor of New Statesman Tech with a focus on C-level IT leader interviews. He is also a freelance technology journalist.

“Police won’t tell the ICO about data breaches if businesses report them,” says national cyber crime lead

Businesses should report cyber attacks, data breaches and fraud to the police or to the National Crime Agency (NCA), without fear that the details will be passed on to the Information Commissioner’s Office (ICO), according to the national policing lead on cyber crime, Peter Goodman.

While businesses are not required to report every breach to the ICO, they are required to consider whether the breach poses a risk to people, and how severe any risk to people’s rights and freedoms is. Depending on the potential impact of the breach, it may be deemed necessary to report it to the ICO. However, many businesses are reluctant to do so for fear that it could lead to a monetary fine and could damage the organisation’s reputation.

Goodman, who was speaking to NS Tech at the first-ever Cyber Security Connect UK conference in Monaco last week, explained that one of the key issues the government faces is that businesses are not reporting cyber crime often enough, meaning law enforcement does not have as much information as it needs to find the perpetrators and mitigate risks.

“We’re desperate for people to report all of the time, and if businesses report to the police or NCA that doesn’t mean they are reporting to the regulator around GDPR. If we get told something by a company or a business, we don’t tell the regulator – that’s a separate thing entirely,” he said.

According to Goodman, the police have an agreement with the regulator under which they are not required to pass on any incidents they learn of. The idea is to help build up the government’s intelligence base, and ultimately to find those responsible for the cyber attacks.

Goodman, who is also Chief Constable of Derbyshire Constabulary, acknowledged that this was a hard sell for businesses, but said that the government is trying to get the message out to businesses as widely as it can.

“Occasionally, we are getting businesses reporting this but not as many as we should. People are still fearful that we’re still in government – but we have to make it as clear as possible that we’re separate and distinct,” he said.

But while he said that the police or NCA would not pass on to the ICO information that a business has given them, he said that in the reverse scenario he hoped the ICO would let law enforcement know if something is reported to it.

“We want to be able to approach businesses and say ‘we understand you’ve been subjected to cyber crime’ and ask them if they want law enforcement support for this – this doesn’t mean carrying out an investigation, but just to help them,” Goodman stated.

Action Fraud – finally an improvement

At the conference, Gary Brailsford-Hart, director of information (CISO and DPO) at City of London Police, admitted that Action Fraud, the government’s main programme for reporting and tackling cyber fraud, has not been as effective as it should have been, even joking that people would have thrown rotten fruit at him for mentioning the initiative.

Goodman added that if people had phoned Action Fraud in the past, they would get a sympathetic response and then nothing, because the policing teams did not have the competence, capacity or capability to do anything about the crimes.

However, Goodman and his team have persuaded every chief constable in the country that now is the time to create their own local cyber crime unit, with funding help from the Home Office and Cabinet Office. The aim is to make sure that any individual or business that reports a crime to Action Fraud receives a response and effective advice.

“The analysis we had for the first six months is that almost 96 per cent of victims who reported cyber crime have received appropriate responses and an investigation into the crime – which might not account to anything yet, but they’ve received preventative advice and appropriate care, and their satisfaction is through the roof compared to six years ago,” he said.

However, he was wary of talking up a new intelligent platform that Action Fraud had put in place three weeks earlier, saying that it would take some time before it was clear how much better the new platform would be. But he does believe Action Fraud is improving.

“We’re working with National Cyber Security Centre (NCSC) and a lot of other partners to look at a more bespoke approach. This has allowed us to get to a situation now where if you’re a very big business and you have an attack against you and you engage with government – you will get a sophisticated response from NCSC and Action Fraud. If you’re one tier down, you’ll get a sophisticated response from the Regional Organised Crime Units (ROCUs), and if you are an individual, you will get an intelligent response from policing,” he said.

“So for the first time, we are getting the entire landscape improving,” he said.