A very interesting answer from Paul Wright, Head of Computer Crime at City of London Police on LinkedIn Q&A forum (the question was "How important is to safeguard customer data?". I had asked the question. Well, you may say it is a dumb question. I was more interested in the answers from the experts than be satisfied with my perception.)
Can history help with this? Who brought down Alfonso Capone? Was it, Frank J Wilson, George E Q Johnson or Elliot Ness? They all played their part but in real terms, it was none of them, it was a shooting in February 1930 that led to Capone's downfall. The details of which are sparse, fragmented, and shrouded in secrecy, but what the event did do was trigger the formation of the 'Secret Six'.
There aim was to assist law enforcement to take down organised crime and in particular Alfonso Capone; and they succeeded for in July 1931 'The Chicago Herald' reported him as saying;
"The Secret Six has licked the rackets. They've licked me. They've made it so there's no money in the game."
Since that time the upper echelon of the criminal fraternity have responded by moving into the unlawful obtaining of customer data, where the perception is that information is less well protected and the sentencing of offenders, when caught, is relatively light.
If we do not invest in the skills necessary to enable us to investigate such abuse in this ever-changing environment, will have to contend with playing 'catch-up' in understanding how new technologies are associated with a range of traditional wrong doings.To achieve this all will have to commit adequate funding and combine it with a promise of quality.
Unfortunately not all of those who use the Internet do so with good intentions. In order to facilitate the goals of this element there is a growing amount of information on the web that is showing them how to commit various unlawful acts using a computer and the information highway.
Why is customer data so easily exploited? This is due to the Internet and it being readily available, then once obtained it is used to facilitate a cocktail of offences. This causes some to ask, should we consider the use of private sector controls requiring organisations to take effective steps to tackle the risk of security breaches. Especially as the works of those who produce investigative guidelines for hi-tech and e-crime tend to focus on detection and prosecution, give reduced attention to the area of e-crime prevention and little attention to the forensic intelligence analysis of seized data.
Therefore, is there a need for multidisciplinary partnerships between academia, industry and law enforcement to work on the loss of customer data? The combined effort could produce a number of significant results, from developing research into technologies and tools, to creating a repository for technical papers. Many already encourage us to share knowledge, expertise and experience. This sharing of information could give organisations the tools to put in place better defences to tackle the abuse of computers and computer systems. It is only through better understanding of the scale and the scope of the problem that they will be able to build effective strategies to deal with it.
Regrettably the percentage of organisations reporting computer intrusions has continued to decline. The key reason given for not reporting intrusions was the fear of negative publicity. As a consequence this has resulted in a belief that the threat and impact has also been gravely underestimated.
There has to be a realisation that organisations cannot create such a secure environment in isolation. It will require them to establish internal and external partnerships that are supported by a framework of regulation and legislation.
The 'Secret Six' showed us how an alliance can defeat organised crime, however seventy years on we are faced with a similar predicament, only now it's on a huge global scale and is being facilitated by the Internet and technology. Could a modern day 'Hi-Tech Six' achieve the same results?
Paul will be keynoting at the Oasis Security Forum in London this month. See you there, Paul.
If you live in/around London and are interested in software security, then you should try to attend the forum. I will be moderating two panels at the forum.