CACP Bulletin

Fall 2017

Issue link:

Contents of this Issue


Page 6 of 13

4 CACP Fall 2017 Police Executives need to understand four things about cyber security. First, there has been a dramatic increase in both the frequency and sophistication of cyber-attacks such as Ransomware and Malware attacks. In some cases, police systems have been systematically targeted. [1] [2] Second, police executives are responsible for the well-being of their organization. If their systems are successfully attacked the media will want the Chief's comments, not those of an IT Partner. (For the purpose of this article the term "IT Partner" describes IT support whether it comes from internal staff or external organizations.) Third, an IACP-CACP survey done in 2013 showed that while police executives understand the danger and possible consequences posed by cyberattacks, only a small number have had a third-party audit which is the primary way to effectively test their cyber defenses. [3] Fourth, while technology is playing an increasing role in policing, IT Partners tend to be over-confident in their ability to withstand a focused attack. In fact, one recent study [4] indicates that organizations have "…wrapped themselves in a false sense of security when it comes to resisting cyberattacks." With the above facts on the table, what are some next steps? The Problem Cyberattacks are quickly evolving. An April 26, 2016 investigative report from NBC News highlighted Ransomware, software that encrypts your system to extort money. The report stated, "Ransomware crimes on all U.S. targets are soaring. In just the first three months of 2016, attacks increased tenfold over the total entire previous year, costing victims more than $200 million." [1] Cybercrime is now a primary domain for organized crime, which conducts much of its business on the web. However, seemingly benign social movements are also creating disruptions for organizations they perceive as threats to their movement's philosophy. Deloitte recently produced a Canadian cyber security study [5] based on more than 100 organizations from various sectors. The Financial Post's Barbara Shecter commented on this study in her article of December 3, 2015 [4] stating, "…many Canadian businesses have 'wrapped themselves in a false sense of security' when it comes to resisting cyberattacks". The Deloitte study concludes 90% of the organizations examined "feel" protected from cyberattack. Shecter went on to say that of those surveyed only nine (less than 10%) achieved the highest score on the three key cyber security measurements. With only half of the organizations surveyed reporting a defined cyber recovery process, it would seem that the feeling of well-being is not rooted in reality. However, the National Post stated that CEO's are starting to see the danger signs. Ian Russell, the chief executive of the Investment Industry Association of Canada, stated, "The cyber threat is far too sophisticated and serious to relegate it simply to the firm's IT department." [4] . Clearly, police executives should oversee IT security as they do other security issues. Many IT people remain confident that their cyber security posture affords them an extremely high wall of defense. However, if a trusted third-party has not tested those defenses, no one can be sure if that wall is made from stone or balsa wood. Hewlett Packard's white paper entitled "Cyber Security Best Practices" defines the problem with some startling statistics. "The number of successful cyberattacks in the U.S. has grown 144 percent in the past four years, and the rest of the world is close behind. In that same time, the cost to the average company has almost doubled." [6] It is important to understand that cyberattacks often attempt to avoid detection, because the longer an attack goes undetected, the more damage it can do. The HP article confirms this stating, "On average, advanced attacks now persist in the network seven months before they are detected. And the time to resolve those attacks once detected has increased by 221 percent to 45 days. Victims suffer financial losses, damage to brand, and damage to customer relationships." [6] It appears that attackers are growing bolder and more dangerous each year. Add the security risks faced through the use of ever changing mobile technology, and the need for a solid defense is completely clear. Feeling safe doesn't really mean you are safe. Responsibility If police executives were asked, "What keeps you up at night?" most would not answer "cyber security". However, the ubiquitous nature of smart phones has raised the expectations of a public that is more technology-aware. If the general public is becoming more technically sophisticated they certainly believe that their local police agency is becoming more careful and sophisticated. This is part of public trust and confidence. Police executives make skillful decisions every day. Decisions like placing a guard on the evidence room if the door is broken are easily made. Realistically, computers have quietly become the biggest evidence rooms. This means that the police executive must decide how to best CYBER SECURITY – A Call to Action for Police Executives Submitted by: Eldon Amoroso, Senior Director (Retired), London Police Service. Member CACP ICT Committee and IACP Computer Crime and Digital Evidence Committee

Articles in this issue

view archives of CACP Bulletin - Fall 2017