The national crime statistics show a 15% reduction to the lowest level for 33 years, at 7.5 million offences last year. However, these do not include over 4 million cyber offences, which reverse the trend and increase the overall total by over 50%, as well as costing the economy over a billion pounds a week, with seven people being defrauded every minute.
Adrian Leppard QPM, Commissioner of the City of London Police, whose force leads on economic and cyber crime, said that the problem was “enormous” and calls for a national campaign along the lines of anti-drink driving, to help the public become aware of the problem. He also highlighted the importance of businesses protecting themselves from cyber attacks and the stealing of personal information. This is especially pertinent to the finance sector, which contains the personal data of almost every adult in the country.
Many firms are acutely aware of their vulnerabilities, particularly the need to protect against internal as well as external attack, and have installed various levels of security and access controls, covering everything from passwords to pen drives, managed by a dedicated department, usually IT.
Strange anomaly

The Financial Conduct Authority (FCA) requires that anyone seeking to be an ‘authorised person’ must be checked against the Disclosure and Barring Service (DBS) (formerly the Criminal Records Bureau). However, there is no such requirement for any check on those working in IT. In fact, it is worse. It is expressly prohibited to subject current or future IT staff to DBS verification, as the vast majority do not hold a role that meets the strict criteria under which a check is permitted.
It does lead to a strange anomaly. If you become a member of the Master Locksmiths Association or a football steward, then you can be checked, but not if you work in critical IT roles in major banks and finance houses controlling millions of data points, and are responsible for the money transmission of billions of pounds.
In July, the FCA and the Prudential Regulation Authority issued a consultation paper (CP 13/14) announcing changes to the current Approved Persons regime, proposing a Senior Managers Regime (SMR) and a much wider ‘certified person’ requirement. However, whilst there is a requirement for a senior manager to have overall responsibility for IT, and for that manager to be checked, it does not apply to the programmers, developers, controllers and helpdesk staff.
The core problem is that the focus of the DBS is on safeguarding people, not on financial crime, so attention is concentrated on convictions for sexual and violent offences, not for fraud. The Government also wants to rehabilitate offenders more quickly, so in May 2013 it announced that further ‘filtering’ of disclosable offences would occur, reducing what is divulged when an employee is checked. Some of this was very sensible, such as removing notification of police cautions; however, it does mean that background checks are now less thorough.
The Government also published a list of offences which would never be filtered, which again demonstrates that beating financial crime is not a priority, as not one of the 1,028 listed offences relates to financial crime or fraud (apart from not paying customs duty).
Commissioner Leppard is right to call for a campaign against cyber crime, but the Government needs to shut the back door and give employers the basic tools to carry out first level due diligence on those who hold power over a critical part of the cyber network.