Eighty percent of online crime is not reported to the authorities, according to City of London Police commissioner Adrian Leppard.
Of the 20 percent of crime that is reported, only a further 20 percent of cases receive an adequate response from law enforcement, the commissioner said at a meeting hosted by IT suppliers’ association techUK.
The issue is compounded by banks’ unwillingness to report breaches, a lack of police capability to respond, the international nature of cyber crime and a need for a fundamental change in mindset, Leppard said.
The scale of the threat is greater than currently thought and may even have surpassed what drugs have delivered to the criminal economy, he claimed.
The data comes from information gathered by the City of London Police, which leads the national response to economic crime; its unit, the National Fraud Intelligence Bureau; and banks.
The low reporting rates are primarily because banks are happy to write off incidents as costs, Leppard told attendees.
This makes it harder to gain an accurate picture of online crime, costs customers collectively and helps to fund growing cyber criminality, he said.
Attacks are becoming increasingly sophisticated, with criminals ‘spear-phishing’ administrators and installing anonymous software routines, allowing them to go undetected. On the other hand, it is also increasingly easy to conduct attacks without in-depth technical skills, for example by buying hacking services on anonymised websites, often from overseas, he said.
Although police forces recognise the threats and are trying to develop the right skills to respond, it is unlikely they can fully address the skills gap given ongoing cuts to the sector, Leppard argued.
For example, the College of Policing has introduced learning modules for cyber skills, but there has been just a two percent take-up on this training among police forces, he said.
The issue is made more difficult to tackle by the international nature of online crime, which places it beyond the reach of UK law enforcement. While Europol and Interpol can help to coordinate an international response, this can only go so far, he added.
Leppard called for a different mindset: one that prioritises prevention and victim support and accepts the infeasibility of prosecution in many cases, rather than a traditional police approach of waiting to fully understand the nature of a problem before dealing with it.
Some experts have called for banks to be forced to report breaches involving personal data loss, as is currently the case in the UK.
George Quigley, chair of the Institute of Chartered Accountants’ IT faculty, said such a rule would “mean that firms can see the issue in full” and “realise the relevance” of protecting themselves, during a panel debate at the Parliament and Internet conference last November.
Gerry Penfold, risk consulting partner at KPMG, agreed: “The government hopes we can get there without mandatory reporting. But we don’t seem to be getting there.”