Daily Archives: 25/07/2014

London Mayor’s Office for Policing and Crime launches new Business Crime Strategy

The London Mayor’s Office for Policing and Crime (MOPAC) has launched a new 48-page Business Crime Strategy designed specifically to help protect London-based companies from acts of criminality.

The crime threat in the UK is changing. Criminals are becoming more sophisticated and more crime has moved off the streets and into the online world. MOPAC’s Business Crime Strategy – endorsed by the Metropolitan Police Service, the National Crime Agency and the City of London Police – outlines how each provider will build their capability to tackle fraud and economic crimes.

This is the first strategy of its kind. It represents a ‘Call to Arms’ for the police, businesses, local authorities and others to work together to build confidence and prevent and cut business crime. More than this, it sets out clear, deliverable plans to achieve end goals, with commitments from MOPAC and law enforcement alongside a challenge to businesses themselves.

London's Mayor Boris Johnson: tackling crime in the capital

On the Business Crime Strategy, Stephen Head (Commander and National Police Co-ordinator for Economic Crime at the City of London Police) said: “The threat from fraud, particularly cyber-enabled fraud, continues to grow and every section of society is now at risk. It’s therefore increasingly important that the police and businesses work even more closely together to counter this threat. The collaborative approach advocated by MOPAC and highlighted in this strategy is absolutely right if we’re to be successful in continuing to meet this challenge.”

He continued: “As the National Policing Lead for Fraud, the City of London Police will continue to work with MOPAC and others to ensure that London remains one of the safest and most business-friendly cities in the world, with a policing approach that’s fit and appropriate for tackling 21st Century crimes.”

Affording context to the Business Crime Strategy

Further to this, the following information is designed to give context to information included in the Business Crime Strategy…

Since taking responsibility for Action Fraud in April this year, the City of London Police has instigated a programme of work designed to offer an enhanced service for the victims of fraud and cyber crime. Since the end of May 2014, all victims who report to Action Fraud now receive a written update on the status of their report after 28 days, if not before. Action Fraud also provides expert advice and guidance to concerned individuals or businesses.

Action Fraud and the National Fraud Intelligence Bureau (NFIB), hosted and run by the City of London Police, is funded by Government to receive reports of fraud and cyber crimes from individuals, SMEs and large corporations. Outside Action Fraud, it also accepts reports of business fraud through a number of organisations including the UK Payments Council and CIFAS.

The combined Action Fraud and NFIB services do not themselves investigate reported crimes. The NFIB uses cutting-edge technology to automatically identify links between crimes and, in quick time, develops and disseminates crime packages for investigation by UK law enforcement agencies. It also proactively disrupts criminality and enriches the UK fraud and cyber threat picture.

During the 2013-2014 financial year, of the totality of fraud and cyber crimes reported into the NFIB, no fewer than 53,556 packages were identified as having viable lines of enquiry and disseminated to UK law enforcement for investigation or intelligence purposes. In the same time period, some 118,000 additional crimes were targeted for disruption while over 805 alerts were disseminated for prevention purposes.

As the MOPAC Business Crime Strategy demonstrates, CIFAS reports on fraud against businesses. These reports often add value to the thousands of Action Fraud packages disseminated for investigation by UK law enforcement.

It’s important to note that police forces accept crimes for investigation based on the availability of viable lines of enquiry. In the past, forces have prioritised Action Fraud reports over CIFAS because of the quality of the data. However, the NFIB is working with forces and CIFAS to improve the quality of all data to create more opportunities for UK law enforcement to accept and investigate reports.

Informing Government and UK law enforcement

Action Fraud and the NFIB use the large number of reported fraud and cyber crimes to help inform Government and UK law enforcement about the scale of the threat that exists at a local, regional and national level in order to help drive their response to the benefit of victims. This has resulted in some police forces committing considerable additional resources to address these emerging threats.

For example, the Metropolitan Police Service is adding further capability to accept fraud and cyber crime packages for investigation which will then provide an enhanced service to victims.

The City of London Police proactively aims to improve the policing response to fraud and cyber crime and ensure that all business victims receive an efficient and effective service, particularly as reporting continues to increase. For instance, the force is creating a system whereby businesses can easily report multiple instances of fraud and cyber crime to Action Fraud.

Additionally, the force plays host to a number of fraud teams and specialist units that service business victims of fraud and cyber crime including the insurance industry, the credit and payment industry and intellectual property rights holders.

Filed under Risk UK News

Fire risk assessments in schools: could we be sleepwalking into a disaster?

Government statistics show a steady downward trend in fires in schools from approximately 1,300 incidents in 2000-2001 to 700 in 2011-2012. However, we shouldn’t become complacent – arson in schools still accounts for nearly 180 fires every year. The Fire Industry Association’s technical manager Philip Martin explains the fire risks facing modern schools and what can be done to keep these locations safe.

Schools are changing places. They’re facing budget cuts and increasing demands to accept students of all abilities. For their part, secondary schools are being pressured into concentrating more on vocational studies, which could suggest an increase in laboratory and workshop activities.

Budget cuts could result in a reduced investment in fire safety measures, just as there’s an increase in the number of vulnerable people and hazards. It’s a potentially dangerous combination.

We need to bear in mind that fire safety legislation, which requires a fire risk assessment to be carried out in all schools throughout the UK, is focused on life safety. However, the biggest concern for many school governors may be the risk of arson. The life safety fire risk assessment isn’t concerned with property protection, but any measure taken to preserve life will tend to protect property.

The Fire Risk Assessment

The first question you should consider when carrying out a fire risk assessment is: ‘How can a fire start?’ The answer naturally falls into one of two groups: accidentally or deliberately. Not all hazards can be eliminated but they can all be managed. The Government’s guidance on educational premises covers this quite thoroughly.

When considering measures to prevent arson it helps to use your imagination. Stand outside the premises when it’s locked and empty and ask yourself how you would start a fire. Remember, most arsonists come prepared with nothing more than a lighter. That bin full of paper or pile of timber against the wall will start to look very appealing.

The life safety fire risk assessment isn’t concerned with property protection but any measure taken to preserve life will tend to protect property

We need to think about physical security and removing or securing combustibles away from the school buildings, particularly away from overhanging eaves. We then need to think about intruder alarms and CCTV, both as deterrents and response mechanisms. Finally, we need to consider fire detection and sprinklers. BB100 offers some very sound advice on these matters.

As the fire risk assessor, you will need to look at the physical fire safety measures, the hardware and the management of fire safety, the software. Oddly, the hardware is probably the easier to assess as you can see and touch it. The software can be a puzzle.

You may have detailed procedures and comprehensive records but you need to be confident that they will work if put into practice. It could be useful to ask members of staff specific questions about what they’re supposed to do and what they would actually do. Ask them direct questions about what they know in relation to fire safety and who is responsible for what on site.

Taking responsibility: who’s in control?

This raises another question: ‘Who’s in control?’ Getting everyone in academic institutions to work together can be difficult. However, to make the premises safe someone has to take control, both generally and in an emergency. Legally, the organisation has to appoint an individual or individuals to be responsible for all aspects of fire safety. If more than one person is given responsibility, they should be co-ordinated and share information between them. Everyone in the organisation must be clear about their part in maintaining fire safety.

It may seem obvious that fire protection equipment such as fire alarms, extinguishers and emergency lighting should be serviced on a regular basis. Also needing a system of inspection and maintenance are elements such as fire-resisting walls, floors (ceilings) and doors, along with fire exits, extract systems (such as cooker hoods), ducts (especially fire dampers in ducts), fire safety signs and notices, fixed electrical systems and portable appliances (to name but a few).

Much of this maintenance isn’t costly or time-consuming. A simple walk around can be sufficient for inspecting and maintaining systems, and could be combined with a check on security systems and general housekeeping. There are two key points to note. Maintenance has to be planned and it has to be recorded. A simple logbook can help. The FIA has developed a new logbook which is available from FIA member companies.

Philip Martin: technical manager at the FIA

The management of fire safety also needs periodic review looking at various aspects such as who is responsible for the management system, staff training, procedures (and not just the emergency procedures), records of maintenance supplier contracts and, of course, the fire risk assessment itself.

Fire drills will prove that the evacuation strategy works. Government guidance recommends that such a drill is carried out at least once a year and, preferably, every term. To be effective the drill needs to be planned, people informed and the drill monitored to avoid unnecessary risks (such as accidents on stairs).

The results of a drill can give valuable information on planning, training and the effectiveness of the facilities like alarms and escape routes.

Occasionally, a full evacuation isn’t desirable for safety reasons. In this instance, some form of simulation or desktop exercise may be sufficient – but only in exceptional circumstances.

Safe escape for everyone?

Naturally, schools should be open to students of all abilities. The premises should be adapted to ensure students can get into the premises and access all its amenities.

However, everyone must be able to get out in an emergency. We need to consider people with mobility and sensory impairment as well as those with intellectual and emotional impairment and how they may respond in an emergency. Think about both the hardware and the software when you ask yourself these questions…

* Can we use lifts in an emergency?
* Do we have procedures in place?
* Do we have properly trained and equipped staff?
* Can individuals with special needs be accommodated within the general evacuation procedure or will they require a Personal Emergency Evacuation Plan (PEEP)?

Guided by Government, the Fire Risk Assessors Competency Council (a stakeholder group supported by the fire safety industry) drafted a set of competency criteria and signposted ways of assessing the competency of fire risk assessment organisations

In the past, schools used to employ simple fire alarm systems comprising a few call points and bells. False alarms were rare and the consequences minor. Now, most buildings will have an alarm system with automatic fire detectors, mostly smoke detectors that will often be monitored by operators at an Alarm Receiving Centre (ARC). Smoke detectors respond equally to the smoke from fires as well as dust, steam and smoke from burning toast in the staff room, for example, which has led to more false alarms.

The FIA has a website dedicated to false alarms. Visit: http://www.fia.uk.com/en/cut-false-alarm-costs for more information.

Understanding your Fire Service

Over the last few years, the Fire and Rescue Service (FRS) across England and Wales has been under severe pressure to reduce costs. Stations are being closed and the number of fire fighters reduced. Automatic calls to the FRS are frequently ‘challenged’ and, depending on where you are, an automatic signal relayed to the FRS via an ARC would be classed as ‘unconfirmed’. This may result in fewer fire fighters attending on an initial basis, with the crew arriving at normal road speed (no sirens or flashing lights) – or, in some cases, not at all.

It’s important that you find out about your local FRS’ policy. Also, give the ARC instructions to call key holders as well as the FRS. When the premises are occupied, someone should make a 999 call rather than relying on the ARC in the event of a real fire.

Most people assume the fire brigade will rescue everyone and save the building. This needs to be examined a little more closely. Legally, and morally, if we are responsible for premises and the people on/in them, that responsibility includes being able to get everyone to safety in an emergency. If fire fighters have to rescue people it indicates we have failed.

We should not have to rely on the brigade to evacuate people, and that includes those with special needs. Moreover, they – ie the brigade – will not risk fire fighters’ lives trying to save your property. This means that once a fire becomes established in a building the brigade will tend to attack the fire from outside. Sadly, this often results in the total loss of the building.

Listen to the experts

Many hold the view that, in all but the simplest of premises, a lay person – even supported by the Government guides – wouldn’t have the knowledge and skills necessary to carry out a thorough fire risk assessment. Many Boards of Governors and local authorities are so concerned about this that they only use consultants to do the work. Whether they use a staff member or employ a consultant, how do they know the assessor is competent?

Guided by Government, the Fire Risk Assessors Competency Council – a stakeholder group supported by the fire safety industry – drafted a set of competency criteria and signposted ways of assessing the competency of fire risk assessment organisations. These two documents are available on the FIA’s website at: http://www.fia.uk.com

The FIA maintains a strong position, advocating that anyone carrying out work of a specialised nature should work for an organisation which is third party accredited to a UKAS-accredited scheme such as BAFE SP205.

Could we be sleepwalking into a disaster? The answer very much depends on you. We haven’t had a fatality in a day school in many years. Let’s keep it that way.

Filed under Risk UK News

“International tensions heighten cyber security risks” warns KPMG

Malcolm Marshall – UK and global lead in KPMG’s cyber security practice – has commented on the impact that international political disputes can have on organisations’ ability to conduct ‘business as usual’.

“While attention is focused on the search for resolutions in the ‘corridors of power’,” stated Marshall, “businesses need to be ready to defend themselves, as the cyber space in which they operate increasingly becomes the new battleground.”

Marshall continued: “Businesses are so focused on cyber attacks by organised criminals that it’s easy for them to ignore the possibility of being targeted by groups wanting to make a political point, possibly even with backing from a hostile Government.”

He went on to comment: “Over the past five years, the international business community has seen a number of incidents where websites have been hacked so that political messages can be uploaded where they will receive widespread exposure. The Syrian Electronic Army is just one example among many. ‘Hacktivists’ are certainly more active during periods of international tension, but the next step is the one that businesses should be wary of.”

Malcolm Marshall of KPMG

KPMG’s cyber leader explained: “Cyber attacks are becoming part of international conflict, and it seems that probing cyber attacks are likely to be the first element in the hostile phase of future conflicts. The well-worn phrase about who has their ‘finger on the button’ has taken on a new meaning. This is something that banks, financial institutions and global businesses need to consider. After all, the ability to disrupt electronic trade, divert funds or overload IT systems so that transactions cannot be completed may have an effect that stretches far beyond the geographies where disputes are raging.”

In conclusion, Marshall said: “This doesn’t mean organisations should panic and ‘bunker down’. What it does mean is that, just as scenarios are planned to help in dealing with major physical security breaches, so organisations need to put plans in place that recognise we now operate in a world without cyber borders. If businesses can successfully build these defences and take proactive steps to protect themselves, they will reduce the chances of inadvertently becoming embroiled in a wider dispute.”

Vehicles should be ‘Secure by Design’ when it comes to cyber security

Maintaining the cyber security theme, Wil Rockall – director of information protection within KPMG’s cyber security practice – has voiced his opinions on news that security experts have developed technology that would keep automobiles safe from cyber attacks.

“As the automotive industry increases the level of technology used in new vehicles,” said Rockall, “the nature of the threats faced also increases, particularly in the form of cyber attacks. These attacks could potentially allow cyber criminals to penetrate in-car systems, either using physical interaction or by seizing control through attacks over the Internet.”

Typically, a connected car network has over 50 potential access points for a cyber attacker, and this will only increase as the level of technology integrated within cars escalates.

“Three years ago, criminals sought access to vehicles by stealing the keys,” asserted Rockall, “but today three-quarters of cars stolen in London are stolen without them, principally through electronic methods. It’s important that cyber attacks don’t become physical ones because manufacturers are unable or unwilling to design-in security.”

Rockall believes the automotive industry needs to invest in creating systems that are securely built and well-tested, with capabilities that can be improved as threats evolve and vulnerabilities are discovered.

The public must be able to trust the new systems put in place, suggests Rockall, and be confident that when operating their vehicles a ‘crash’ isn’t going to be caused by cyber attackers.

“Simply introducing a car ‘security product’ isn’t a strong enough defence,” urged Rockall, “and neither is it a wise strategic direction of travel for the industry. We should look towards making vehicles ‘Secure by Design’. This will provide security measures aimed at preventing vulnerabilities from being ‘attackable’ rather than accepting flaws in design and masking them with a third party conventional security product.”

Filed under Uncategorized

Prolexic Report: ‘Distributed Denial of Service attacks on the increase’

Prolexic’s latest report on Distributed Denial of Service (DDoS) attacks has shown that, compared to this time last year, the number of attacks has increased by 22%. The report also shows that the average attack bandwidth has increased by 72%, while the average peak bandwidth has risen by 241%.

On the positive side, the report states that attack duration has decreased by 54% from an average of 38 hours to 17 hours. Attacks may last for a shorter period, but those attacks are now more frequent and more powerful.

A DDoS attack is an attempt to make a computer network unavailable to its intended users, normally by targeting it with so much data that it slows the network down and renders it unresponsive to its intended users. The largest reported DDoS attack to date was when a client of CloudFlare was targeted, with the peak of this attack reaching 400 gigabits per second.

The DDoS Report by Prolexic has shown that, compared to this time last year, the number of attacks has increased by 22%

With the threat of cyber attack increasing – something identified in the Business Continuity Institute’s Horizon Scan report, which shows that 73% of business continuity professionals are either ‘concerned’ or ‘extremely concerned’ by this threat materialising – the technology to counter such attacks has also developed. This could explain why the length of attacks has decreased – as one attack fails, the attacker quickly moves on to an easier target.

Gaming, software and media worlds hit hard

While the length of the attacks has – on average – halved since last year, it’s still worth noting that 17 hours could result in a major outage for the organisation being attacked. If that organisation is reliant upon its network then the consequences may well be dire.

The Prolexic report also reveals the industries most targeted by these types of attack. The gaming industry was the main victim, accounting for nearly half (46%) of all attacks. The report suggests that “gaming attacks are frequently motivated by players trying to gain a competitive advantage, or by malicious actors seeking to steal personal data from players.”

The software and technology industry and the media and entertainment sector accounted for 22% and 15% of attacks respectively, while the financial sector accounts for 10% of all attacks.

The United States was the origin of most attacks, accounting for over 20%. Having not appeared on the list at all in the previous report, Japan wasn’t too far behind with 18% while China accounted for 12% of attacks and Germany 10%.

Filed under Risk UK News

Security partnerships “delivering savings to the police service”

Continued partnership working between the police service and the UK’s private sector security companies has helped forces across the country reduce costs in the face of public sector budget cuts.

In a report published earlier this week by Her Majesty’s Inspectorate of Constabulary (HMIC), police forces’ responses to budget cuts were praised, while concerns have been raised around the impact on neighbourhood policing.

Responding to the HMIC document, the British Security Industry Association (BSIA) – the Trade Association representing the UK’s private security industry – is reinforcing the important role played by security companies in delivering cost savings to forces across the country.

Since 2011, police forces have had to find £2.5 billion worth of cuts, while the central Government funding grant for police forces in England and Wales was reduced by 20%. Rising to the challenge, forces’ response to these cuts has been rated either ‘Good’ or ‘Outstanding’ in the HMIC report.

Continued partnership working between the police and private security firms has helped forces across the country reduce costs in the face of public sector budget cuts

Providing support services and performing back office functions are key ways in which private sector security companies help to drive efficiencies by freeing-up warranted police officers to return to front line duties. HMIC’s report highlights a projected reduction in the police workforce of up to 34,000 by March 2015, by which time there will also be 8,500 fewer front line police officers. Despite this, efficiency is on the rise, with the proportion of police officers in front line roles set to increase from 89% to 92%.

Zoe Billingham – Her Majesty’s Inspector of Constabulary – commented: “It’s not easy to provide the high quality police service that the public rightly demands with far less money. Forces have had to change how they do their business. The best of them understand their demand in a sophisticated way and target their resources well, working with local public sector organisations to reduce crime and collaborate with other partners to cut costs.”

Indeed, many members of the BSIA already collaborate with police forces to provide a range of services, from victim support provided by personal safety devices through to ‘street-to-suite’ custodial services (the latter have been proven to save 350 hours of front line police time across an eight-week trial period).

Concerns over neighbourhood policing

Meanwhile, concerns over neighbourhood policing are also allayed by private security involvement. One member of the BSIA has supported the police in driving down anti-social behaviour by conducting park patrols in Manchester, for example, while another member company provides additional support for the police service in one of London’s busiest shopping destinations, namely Carnaby Street.

Most recently, seven BSIA member companies were selected to support the policing function at this month’s Commonwealth Games, which is now underway to great acclaim in Glasgow.

Encouraging more police forces to consider further engagement with private security firms is key to enabling those forces to meet the ongoing demands they face in light of budget cuts.

James Kelly: CEO at the BSIA

BSIA CEO James Kelly stated: “It’s not about creating a privatised police force, as many opponents of partnership working would have us believe. In contrast, this is a case of private industry taking on support functions to aid the police in delivering the Government’s programme of reform.”

Kelly continued: “The security industry already contributes significantly when it comes to assisting the police and emergency services if called upon to do so. Through its dedicated public affairs programme, the BSIA will continue to engage with police forces, Police and Crime Commissioners and Parliamentarians in order to ensure that political thinking remains open to this diverse and innovative approach.”

Robbie Calder – chairman of the BSIA’s dedicated Police and Public Services Section – said: “Police reform simply cannot be delivered without the support of private sector security companies. Many of the core aims of police forces would be difficult to achieve without outsourcing at least some support functions to the domain of the private sector.”

To find out more about the BSIA and its Police and Public Services Section visit: http://www.bsia.co.uk/police-and-public-services

The HMIC’s report, entitled ‘Policing in Austerity: Meeting the Challenge’ can be viewed online: http://www.hmic.gov.uk/publication/policing-in-austerity-meeting-the-challenge/

Filed under Risk UK News