Police should focus more on prevention rather than response to cyber crime, says study

A study into the implications of economic cyber crime for policing (96-page / 1.91MB PDF) by Cardiff University, on behalf of the City of London Corporation and City of London Police, highlighted resource constraints the police have to deal with when tackling economic crime.

The academics said that "much of the reported economic cyber crime does not lend itself to a traditional reactive law enforcement response … unless there is evidence of numbers of linked series of allegations or large numbers of lower-value cases against groups of individuals".

"The imperfect information on the nature, motivation and geographical location of the perpetrator, as well as the limited possibilities of prosecution and even more limited likelihood of recovery of any losses, emphasise proactive prevention rather than the reactivity of an investigative response," the report said.

It said that police forces should devise individual approaches to tackling cyber crime and determine to what extent their efforts should be proactive and reactive.

"There is [a] policy question concerning the appropriate level of policing and in which parts of the country, and about how we can ensure both adequate levels and an appropriate balance between prevention and criminal investigation/prosecution of economic cybercrimes," the report said. "We have noted … that law enforcement can draw upon experiences in other, non-economic, areas of online crime such as child sexual exploitation and hacking, and may have to develop a hierarchy of responses according to their own priorities and assessment of the data."

"Nevertheless, we consider that the police need to develop and communicate more clearly their strategic response to ‘signal economic cybercrimes’, preferably accompanied by independent evaluation of the impact of those responses. This is a difficult decision because honest assessments of how much and what kinds of economic crime the police are able to handle are bound to arouse controversy," it said.

In its report, Cardiff University said consumers and businesses need greater help to prepare and protect against cyber crime. It said law enforcement agencies should "encourage financial and other services to be more proactive in requiring the use of mandated software, if only to encourage more security awareness and less self-determination among businesses and the public who do not have a common understanding of what to do to protect themselves, and why".

The report also suggested that the steps consumers and businesses have taken to protect themselves against cyber crime should be a factor to be taken into account by police forces when deciding what level of resources they should commit in response to cyber crime incidents.

"It may be asked if those who do not take any protective measures should be entitled to the same level of policing effort than those who do, and should this assistance also reflect the affordability of those protective measures? (This applies equally to how we treat victims of other property and violent crimes who do not take ‘sufficient’ precautions)," the report said.

From April 2016, crime statistics for England and Wales published by the Office for National Statistics will include data on cyber crime, with incidents of reported crime expected to rise significantly from the current estimated 6.5 million as a result.

Fraud and asset recovery expert Alan Sheeley of Pinsent Masons, the law firm behind Out-Law.com, said the Cardiff University report, together with recent statistics reported by the Times that only 1 in 100 cyber frauds are actively investigated and only 1 in 500 end up in criminal convictions, raises questions about whether the police are "able to protect corporates and individuals in the 21st century".

Sheeley questioned government minister Andrew Selous' recent claims that "there is little evidence of corporate economic wrongdoing going unpunished" which led to the government dropping plans to introduce a new corporate criminal offence of failure to prevent economic crime.

"The City of London Police should now be honest with victims of crime – if victims want their money back they must pursue civil proceedings where asset recovery is the primary focus," Sheeley said. "The City Of London Police should be under a statutory duty to tell victims of crime of their lack of resources and that their primary driver is not the recovery of assets."

Sheeley said businesses can engage specialist civil fraud and asset recovery solicitors to help recover assets lost to cyber crime through the use of 'search and seize' orders, which permit fraudster's properties to be searched for evidence. He said 'freezing orders' can also be utilised to prevent fraudsters withdrawing ill-gotten gains from bank accounts.