Cyber crime in Scotland: evidence review research findings

Key findings - Crimes affecting businesses

• Many organisations collect data on the impact of cyber-crime on businesses, however as there is not consistency in how these data are collected across these organisations, it is not possible to present a robust overview of the impact of cyber-crime on business. Nevertheless, it is clear from the available evidence that cyber-crime is an issue for businesses.

Fraud

• In spite of the challenges highlighted above, it is clear from the available evidence that fraudulent acts are frequently experienced by businesses.
• The 2017 Cyber Breaches Survey found that staff receiving fraudulent emails or being redirected to fraudulent websites was the most common type of cyber breach experienced by UK businesses covered by the survey.
• The 2016 Retail Crime Survey revealed fraud to be the second most commonly experienced crime amongst respondents, accounting for 18% of incidents.
• Evidence suggests the costs of online fraudulent activities are smaller than costs associated with traditional crimes and amount to a minority of total online transactional values.
• The 2016 Retail Crime Survey estimated that 53% of the total cost of fraud was cyber-enabled, representing a total direct cost to the retail industry of around £100 million. This translates to approx. 15% of the total direct cost of crime against retailers.
• UK evidence from Financial Fraud Action hows in 2016, fraud losses as a proportion spent on UK issued cards stood at 8.3 pence per £100.
• For 2016 Financial Fraud Action estimated value of transactions carried out online using fraudulently obtained cards accounted for 9.5 pence in every £100 spent with UK merchants.

Computer misuse

• 'Computer misuse' is used to capture a number of crimes generally covered by the Computer Misuse Act 1990 and incorporates activities such as unauthorised access ( e.g. hacking) and attacks (computer viruses).
• The UK-level 2017 Cyber Breaches Survey estimates that 46% of businesses identified at least one cyber breach or attack between 2016 and 2017, but this data is subject to caveats.
• Incidence of such breaches increases with businesses size (number of employees) and turnover, in addition to varying by sector.
• The attractiveness of personal customer data to criminals could be increasing the risks for companies holding such information. The 2017 Cyber Breaches Survey found that 51% of UK businesses holding personal customer data experienced a breach, compared to 37% who didn't hold this information.
• Evidence from the UK 2017 Cyber Breaches Survey shows where businesses experience a breach, incidents of computer viruses, spyware and malware (33%) in addition to Ransomware (17%) are amongst the most common.
• Evidence suggests that staff are viewed as pivotal in the prevention of cyber attacks but are also potentially a weak link in businesses' defences.
• Very few businesses have systems in place to calculate the costs of cyber attacks and there is a lack of consistency in previous research which attempts to estimate costs.
• The majority of businesses identifying a breach do not report them to external bodies and even less report them beyond their cyber security provider. The main reason is that incidents or the impact were thought to not be significant enough.