Mark Rowe

Utopia: not in 2024

by Mark Rowe

Britain is having a general election probably in autumn 2024; while the cost of living will, as at most elections, be the main subject, what of crime, let alone of the part private security can play in preventing and deterring crime, and aiding the police, in the physical and cyber worlds? Mark Rowe asks.

While Pegasus launched last year, partnering the police with the contractor Mitie and several high street names, and was hailed, as featured in the December print edition of Professional Security Magazine, it did leave unanswered what place other retail security contractors (and their high street customers) would have.

It makes a contrast with the illegal drugs trade. The police have recognised ‘county lines’ dealing; that the crime (and perhaps further crimes, such as modern slavery) crosses police force boundaries, and requires forces to sink any differences. If retail theft by gangs, using the motorways to steal perhaps thousands of pounds at a time, crosses force boundaries, it’s placed in the ‘too difficult’ basket. One security man with retail experience spoke of his ‘utopia’; that the central police National Business Crime Centre (NBCC) ought to be the only repository of a county-lines-like going after gangs of retail thieves.

Imagine (he said) the NBCC sitting as the hub of a network of business crime reduction partnerships (BCRPs) and business improvement districts (BIDs) and security companies, feeding their crime reports into a central point, in near real time (using numerous companies’ software). Imagine the thousands of security officers as further sets of ‘eyes and ears’, ‘and the only thing that stops it from being the most formidable force against crime’, the security man says, is ‘someone to pull it all together’.

Someone with a commercial interest or merely a background cannot; they would never win over the rival security firms. We could add; everyone is very busy; yet such a hub would not need that much police time and resources. The incident reports, from the daytime and night-time economies, are already around, and various security suppliers are pulling info together, as a service to their customers.

Despite the acceptance by police that uniformed private security has a place on the high street and in public places, evidently – and without acknowledgement – senior police have a line that they do not want private security to cross. To harness the full potential of private security – to ask for an identification of a ‘person of interest’ or to routinely request video surveillance footage of a suspect, that does not have to breach data protection rules – would make the police relatively less powerful.

As for cyber, the UK’s official National Cyber Security Centre (NCSC) sets out the six categories of cyber incident management, where one is a ‘national emergency’. Five is the first level that small organisations get a mention in; and the response from the authorities will typically be ‘advice’, and ‘possible follow-up support’. In other words, numerically most businesses in Britain are promised nothing from law enforcement, if they should suffer a cyber attack.

In return, according to a joint blog post last year by the NCSC and the data protection regulator, the Information Commissioner’s Office (ICO), those authorities ask for ‘transparency’ from those suffering a cyber attack, arguing that being open about, for example, a ransomware attack, is in everyone’s interests. However, those who do report an ‘incident’ (as required by data protection law) also report that they typically are dealing with a faceless or online-only investigator, and anything that the victim reports may be used in a case against them, which can lead to a fine or public exposure. Given that there appears to be so little to gain from a business breached admitting to it, it’s unsurprising that the NCSC blogged last year about being ‘increasingly concerned about the organisations that decide not to come forward’.

A little remarked upon question in tech for security people – those working for the tech firms, and those using common software, which is just about everyone not living in a cave – is how tech firms from the largest, Google and Facebook, pride themselves on ‘failing forward’, developing software and products generally as creatively and quickly to market as possible, even at the risk of leaving (or not even being aware of) vulnerabilities and bugs, whether security-related or more general (the Post Office-Fujitsu-Horizon IT scandal spelt out that software developers accept that their products will have ‘bugs’ to fix).

As the February print edition of Professional Security Magazine features, that leaves chief security officers and chief information security officers in fear, after globally high-profile court cases against CSOs such as Joe Sullivan (Uber), that security people will be prosecuted – so far by US courts – for cyber breaches of their company (quite separately from the hackers who actually carry out the breach by finding the weaknesses, and who may choose to exploit their findings for money).

As for whether the NCSC and ICO share info about cases, the NCSC (part of the Government’s monitoring agency, GCHQ) states that it will not share with the ICO. In a memorandum of understanding signed by NCSC chief Lindy Cameron and information commissioner John Edwards, the ICO says it may share –

information about cyber security incidents with the NCSC (both on an anonymised, systemic and aggregated basis, and on an organisation specific basis where appropriate) to assist the NCSC’s role in helping to reduce harm from cyber security incidents in the UK.

Later in the document, when ‘a nationally significant cyber incident which is relevant to the work of the NCSC’ is reported to the ICO, ‘the Commissioner will recommend and encourage the organisation to notify the NCSC’. In the time and reputational pressure of such an ‘incident’, when presumably the ICO is the judge of what is ‘nationally significant’, readers can judge for themselves what ‘recommend and encourage’ consists of. Later in the document is a clue; that the ICO will ‘incentivise’ and look ‘favourably on victims of nationally significant cyber incidents who report to and engage with the NCSC’, such as punishing them with a smaller fine.

Photo by Mark Rowe; CCTV, Silvertown, east London, summer morning.

© 2024 Professional Security Magazine. All rights reserved.