Cyber Resilience Centres: A new model for UK police to fight cyber crime

Manchester and the North East are launching new Cyber Resilience Centres to bring policing and local businesses closer together to combat cyber crime.


More than 5 million small- and medium-sized businesses operate in the UK. Many likely have no employees dedicated to IT and security, leaving them vulnerable to cyberattacks.

Through the work of the National Cyber Security Centre (NCSC) and schemes such as Cyber Essentials, the UK Government has been keen to help improve the cybersecurity of businesses in the country. Could the UK police be doing more to help combat cybercrime, especially at the local level?

Recently launched Cyber Resilience Centres in Manchester and the North East, along with 10 more across England and Wales, present a new opportunity for police to work with local businesses to understand and deal with the issue of cybersecurity.

Policing cybercrime in the UK

UK police forces have been upping their game in the cybersecurity space. The Office for National Statistics (ONS) estimates that around 1 million cyber-related crimes occurred in 2019, but actual figures could be much higher. A 2016 report by Barclays and the Institute of Directors found only 28% of cyberattacks against businesses in the UK were reported to the police.

Without proper data around the scale of the problem, it can be hard for police forces to justify spending time and money targeting a problem. “If you look at the police dilemma nationally at the moment,” says Mandy Haeburn-Little, CEO of consultancy Business Resilience International Management (BRIM), “with the level of cybercrime increasing, police are really keen to understand everything there is to know about cyber and to have all of that reported to it. But if every business was to report every suspicious email, malware, phishing attempt to policing, then everything would fall over because it would be millions of reports.”

At the same time, efforts are being made to improve local law enforcement’s ability to respond to cybercrime. The National Police Chiefs Council (NPCC) has been working to establish a consistent baseline of cybersecurity capabilities across the country and ensure every regional police force has a cybercrime unit.

“I've been hugely impressed by the desire of policing nationally to understand the threats that businesses are facing, and to understand the things that impact on the private sector business,” says Haeburn-Little. “Those cyber police are very well qualified to give specialist advice to business on cyber threats, but they don't have the time to be out servicing a huge number of businesses. So, we need to find a different formula to address that.”

Bringing the Scottish Business Resilience Centre to England

A new model for dealing with cybercrime that the police in England and Wales are trying is based on the Scottish Business Resilience Centre (SBRC). Originally founded in 1996 as the Scottish Business Crime Centre and renamed in 2013, the SBRC was set up as a non-profit to support and help protect Scottish businesses by bringing together police, academia and local businesses to create and share information and best practices, as well as a number of services to help increase business resilience.

“We had a two-fold objective,” says Haeburn-Little, who stood down as the CEO of SBRC in August 2019. “One was to support business of all sizes; the second was to create a really secure environment for business to flourish. We became very much the business arm for the single police force in Scotland.”

Its resilience remit includes broad business resilience, protecting against organised crime and terrorism, securing supply chains and transport links, and even ensuring a safe night-time economy. The SBRC added cybersecurity to its list of concerns and services around seven years ago, but Haeburn-Little says interest in cyber-resilience has risen dramatically over the last few years.

Police Scotland has a presence at the SBRC to share information with members, collect information and help the police understand the needs and concerns of local businesses. The SBRC also has close links to Europol and other groups in Scotland dedicated to preventing fraud.

As well as providing free information for businesses on how to stay safe online and protect against cyberthreats such as ransomware, the SBRC has partnered with students enrolled on the Ethical Hacking and Digital Forensic courses at Abertay University to deliver a number of cybersecurity services to Centre members.

“It works with some of the best students and provides them with a really intensive mentoring and tutoring program which covers all aspects of business, as well as further mentoring their skills, and we pay them for everything they do,” says Haeburn-Little. “They go out with our support into the business world and help support businesses. It pays the students through the university, gives them a really fantastic track record.”

Since 2017 the ethical hacking students working at SBRC have operated under the banner of Curious Frank as a division of the SBRC. The services they deliver include cybersecurity assessments on internal and external systems, web and application testing, exercises around business continuity and supply chain resilience, social engineering and incident response tests, as well as OSINT (open source intelligence) gathering.

New UK Cyber Resilience Centres

The Resilience Centre model has drawn attention from police forces south of the border, and cyber resilience-focused centres in Greater Manchester and the North East of England are in the process of being set up to replicate the model with local forces in the UK outside of Scotland. In addition, Haeburn-Little and BRIM have been appointed to establish ten more Cyber Resilience Centres in partnership with Police UK.

“The Cyber Resilience Centres provide support to business of all sizes in cybercrime prevention and a range of services to support that,” says Haeburn-Little.

The centres BRIM have announced they’re delivering so far will be in the East and West Midlands and Wales with more to be announced. Each centre will have the same structure and will be able to deliver the same core services and will take around six to seven months to set up and bring online.

As in Scotland, all the Centres will be not-for-profit and use the money from membership to pay students for their services and cover overhead, with what’s left reinvested into helping improve cyber-resilience in the region those centres are serving. Businesses don’t have to be members to get free advice if they have any concerns around cybersecurity or cybercrime.

“Anybody who is self-employed will be really focused on running their business and making a profit, and just making everything work,” says Haeburn-Little. “The centres will be that trusted place to go no matter what your question is related to cyber or digital security, whether you want to actually have a service or to discuss a problem that you might have or your internal processes have thrown up.”

As with the SBRC, the centres will partner with local universities to help provide security services delivered by those students. As with the SBRC, these students will focus on assessments, testing services on internal and external systems, OSINT gathering and reporting as well as tabletop exercises, policy reviews and education and awareness training. Each centre will have around 20 students delivering those services, a chief ethical hacker to support and manage them, and a police lead with additional secondments. Any services that members require that the service can’t provide will be offered through IASME-certified companies.

Each centre will have a police lead assigned to it, as well as other officers who will work with the members around cybercrime prevention, speak at events, and share learnings and best practices from the likes of the NCSC. “It's a really different profile for policing,” says Haeburn-Little, “adopting a different model that is that nexus between business, academia and policing.”

She adds that she is looking to help foster a talent pipeline between the police and the students so those skills are available to the police for a period of time. “We need to find a different way to create a really strong pipeline of young, really innovative talent that's trusted and coming in through a different direct route, not going to the full policing mechanics. So, they will have worked with me through the centres, then come into policing for a period of time.”

Police presence in the Business Resilience Centres

A Home Secretary-commissioned report suggested the police’s recent approach to cybercrime is “good but can be improved,” especially around knowledge sharing, understanding the demand around cybercrime, and ensuring greater consistency in response from force to force. However, the cost and political wrangling that comes with recruiting more officers means that there are limited resources when it comes to tackling cybercrime. This is one of the reasons the National Police Chiefs Council (NPCC) has dedicated funding to establishing the new centres.

“I see [the centres] as a really good opportunity to take some of the strain away from policing,” says Rebecca Chapman, T/superintendent at South Yorkshire Police and director at North East Business Resilience Centre (NEBRC). “At the moment, our protect officers are trying to serve 563,000 SMEs in our region. That's quite a big ask for one or two people in each force in the region.”

Chapman says that in many cases, especially for small and medium enterprises, the majority of cyber incidents can be avoided if they receive the right security advice in the first place and implement basic digital hygiene, which is why police are keen to spread preventative advice through the centres. “It’s just impossible for one or two protect officers in each force to get out and cover that many businesses. If we encourage people to be members at the centre, they're going to get that advice.”

“It's about protecting the public and doing that without having service up from a police force as such,” says Chapman. “We don’t have the expertise or the time or the funding to deal with everything, every single business in the area, but by setting up the Centre with academia and business, we're now able to provide that function.”

The Manchester and North East centres are in the process of setting up, and the NEBRC is about to launch its first events to introduce the concept to local businesses in the region. Chapman is in regular contact with BRIM’s Haeburn-Little, and her counterpart, Detective Superintendent Neil Jones in Manchester, meets with other cyber-leads within the forces and hopes to help the police leads in other centres as they come online.

As well as Chapman, the North East Centre has seconded two detective inspectors with cybercrime management backgrounds and an admin manager. The board and advisory panel have been chosen, Northumbria University and Sheffield Hallam University are on board to provide students to help deliver services, and the centre is considering getting a co-located space for businesses to drop in on.

“Never before have we had this unique opportunity to link in with business and academia at the same time,” says Chapman. “We're taking advantage of the fact that we've got academia and business involved so that they could tell us what the threat and picture looks like from their point of view.”

Day-to-day, the police’s role will be to be on hand to answer questions around cybersecurity, be available with regards to reporting cybercrime, attend and speak at events put on by the Centre for its members, and gather intel around the cybersecurity threat landscape. The admin manager will be coordinating business news, mailshots and member services.

When asked by CSO what the goals for the centres are from the perspective of policing, Chapman says the aim is threefold: collect more data about cybercrime, prevent cybercrimes from happening in the first place by bringing up the standard of cyber hygiene within UK businesses, and protect the public.

“Success for us would say that more businesses feel confident to come forward and report crime, so that we can gather intelligence on what the crime trends are,” says Chapman, “and look at working with academia and business to combat that crime and feed it back to the centre.”

“If businesses can report more then we get a better picture. If we get a better picture, we get more resources and then you can build on it. We'd rather get ahead of the curve, prevent crime happening in the first place, and get people those tools to help themselves rather than have to sweep up afterwards and investigate. It's about protecting the public and that low-level advice because prevention is better than cure.”

 


Copyright © 2020 IDG Communications, Inc.
