Fraud (credit card, identity and cyber-fraud) is now the crime that British citizens are most likely to become a victim of. In England, the number of reported fraud crimes against the person were 3.7m, outstripping theft against the person at 3.4m (Office of National Statistics, year ending March 2020).
Not only is this alarming, but financially huge. When you add in fraud committed against business and fraud against government departments (benefit, tax credit and student loan fraud), the magnitude is around 10% of UK GDP. The negative impact on public confidence in law and order, and on investors’ confidence in post-Brexit Britain as a place to do business, is hard to calculate. But it is real.
In a recent paper (The Impact of Fraud on National Security), the Royal United Services Institute (RUSI) argue that a new approach is needed to tackle this crisis, and calls for fraud to be recognised as a threat to UK National Security that needs a unified and well-resourced response to tackle it.
The report states that “The UK has become a target destination for global fraudsters," But the extent to which international criminals focus on the UK is hard to gauge, because intelligence agencies have not traditionally focused on the issue. There is no national strategy for tackling fraud, while the police response is underfunded and lacking focus. This makes fraud "everyone's problem but no-one's priority". In short, the causes are hard to quantify but they are many and varied.
One feature of criminal fraud, is that much of it is a of high volume/low value nature. With a high proportion of it cyber or digitally-enabled. In turn, the individual low value element of much of these crimes prevents them getting enough points to be noticed on police action plans. In other words, our digital world with its cheap applications and equipment, is enabling determined crime gangs to commit high volumes of low value crimes, which individually are often not worth investigating. The whole of the problem is now much greater than the sum of the parts.
To remedy this, the RUSI report recommends thirteen specific actions for the UK Government and its agencies. The unified theme is clearly set out in the first recommendation; “The National Security Council (NSC) should commission a new ‘whole of system’, public–private strategy for tackling fraud. This should include: a new national to local networked criminal justice response; pathways for cross-government collaboration; and a clearer role for the private sector – including the financial, e-commerce and telecommunications sectors – in tackling fraud”.
Reading this report made me think about the parallels in everyday business life that we in the security industry, deal with every day. Its an ongoing battle to keep our information from getting out and unauthorised people and malware from getting in. Criminals spend their time looking for weaknesses and cracks in our defences, and they are there to be found; often between the silos of Physical, Information and IT security. My view has always been what RUSI is now recommending to tackle UK fraud. A unified response, a one-security team approach that is funded appropriately. The question is why is a one-team or holistic approach to security, so rare? The answer is in two parts, priorities and people.
First, priorities. According to McKinsey’s report on Unlocking Business Acceleration (Aug 2019) nearly 60% of CIO’s indicated that their CEO depends on them to achieve the organization’s top three business priorities. The trade-offs CIO’s claim to make in order to achieve more agility, can include a reduction of good process, including security and data governance. This means that business priorities dictate that data security is lower down the organisation agenda, and the acceptance of higher security risk is a trade-off for agility, and speed to market. This can create a tacit internal view that security is an obstacle to progress, which is then treated as an afterthought within the organisation’s culture. Therefore, the security silos that exist, remain isolated and unconnected. This is one of the main reasons we continue to see organisations apologising in the media every week for the latest data leak, breach or oversight. Unless real change happens, this will continue.
As for people; a Ponemon study (Feb 2019) said the number one issue preventing a unified security approach in organisations was internal turf wars, and people protecting their ‘territory’. To put it in a more positive way, good security-minded individuals are by nature reticent to share. This is a human nature issue, and up to leadership to resolve.
It will be interesting to see if the RUSI’s plea for UK authorities to tackle fraud, using a unified and appropriately funded approach comes about. It will also have to pass the twin obstacles of priorities and people that we see everyday in our world of security. It is possible to do. It requires thought and commitment, and can save money if done well. The ‘do nothing’ option is too dangerous to consider. Crime has shifted from the streets to cyberspace and our focus and resources now have to at least mirror this new crime landscape. If not, it will only get worse. To cover the financial losses, costs go up and taxes increase for everyone. As time goes on it makes everything unsustainable.
Great security does not mean expensive security. Finance does not need to be a third obstacle to the unified (or holistic) security evolution. For the sake of our country and businesses, our personal data, reputations and our wealth, a unified approach to physical, information and IT security is the future for all organisations, and it should be happening now. We don’t need to wait for government to create its unified solutions, lets do what we can do here and now.