How can we address the under-reporting of cyber-crime?

Simon Newman, head of Cyber and Business Services at the Police Crime Prevention Initiatives, discusses the reporting, or under-reporting of cyber incidents and reducing the vulnerability of organisations to cyber-crime and fraud

Cyber-crime is one of the biggest threats to the security of the UK. Categorised as one of four high priority areas within the government’s National Security Strategy, the threat is constantly evolving, affecting millions of individuals and businesses alike. Yet despite the efforts of government to raise awareness about the importance of good cyber security, the problem continues to grow, accounting for just under half of all crime according to recent data published by the Crime Survey for England and Wales (ONS).

While this figure is alarming, of even greater concern however, is the fact that only a fraction of these crimes are reported to the authorities. For example, in 2019, there were approximately 4.6 million incidents of cyber-crime and fraud over the previous 12 months but only 338,00 of these were reported to Action Fraud – just seven per cent of the total. This compares to 17 per cent of sexual assaults being reported to the police, 30 per cent of thefts and 60 per cent of burglaries. So why does cyber-crime suffer so poorly from under-reporting when compared against other forms of crime?

At the Police Digital Security Centre (PDSC), we regularly speak to victims of cyber-crime and ask them about their experience. What we consistently find among the business community in particular, is that speaking to the police about it is not a priority. One of the main reasons for this is that businesses face a number of competing demands for their attention when they suffer an attack or breach. For some, lawyers will be the first people they call, particularly if there is a risk that personal data has been compromised. Others will prioritise customers, staff and suppliers. Business owners may also have to think about speaking to their insurers, their bank or their Managed Service Provider. As a result, the police are often an afterthought.

The global nature of cyber-crime is another factor and presents a number of unique challenges for the law enforcement community. Investigations are time-consuming, complex and require specialist skills and knowledge that are in short supply. Despite every force having a dedicated cyber-crime unit, the sheer volume of cases means that forces have to triage and prioritise the most serious offences, leading to a lack of confidence in the police being able to deal effectively with the overwhelming majority of cyber-crime. When looking at the conviction rate of cyber-crime, which currently sits below one per cent, it is entirely understandable that many individuals and businesses affected by cyber-crime ask themselves when it comes to reporting it, whether it is worth it.

As an example, I recently took a call from a small business owner who had been the victim of a phishing attack which had resulted in her systems being compromised by an external attacker. While the owner was reasonably confident that no-one had suffered any financial losses as a result of the breach, she was understandably concerned about the impact it could have on her reputation and future business growth. Disappointingly, she had decided not to report it to Action Fraud because she felt the chances of bringing the offender to justice were very slim and that her immediate focus was on getting her business back and up running again.

Another reason concerns the perception of the seriousness of the crime by the victim. This is a factor that causes under-reporting in other crime types and is undoubtedly a factor here. For many victims of cyber-crime, the impact may appear to be relatively minor and below what they would consider serious enough to report it to the police. There is also the possibility that some people feel embarrassed by falling victim to certain types of cyber-crime, particularly in cases involving romance scams or sextortion. A sense of shame or fear of being humiliated can lead to victims trying to deal with the fallout themselves, often with a significant impact on their mental health and well-being.

There are also some interesting studies about how demographic factors affect crime reporting. For example, younger people, who are statistically most likely to be a victim of a crime are the least likely age group to report it. Some commentators have even suggested that cyber-crime is ‘just one of those things’ that young people expect to become a victim of.