I was very fortunate to attend last weeks North West Cyber Security Conference. Events like these, and there are more and more of them cropping up, are always a good opportunity to get a feel for the cyber landscape. With a wide range of cyber professionals, technology companies, support organisations, training companies and more it’s almost impossible not to be inspired and motivated by the immense range of skills and talents that are focused on managing and reducing the threat from cyber criminals that we all face.
Many presentations on cyber often look at parallels on how previous challenges that have blighted business have been addressed. By taking this approach cyber risk can take on the mantle of being manageable to even the wariest executive. During one such presentation, delivered expertly by an individual working in law enforcement, he compared todays cyber security challenge to that of car crime and made a couple of statements that really grabbed my attention. He stated that in the late 80s and early 90s, due to the rise of the ‘hot hatch’, car crime soared and then started to drop significantly. Despite what we may have thought, he pointed out that the Police were not responsible for this reduction in car crime.
Government figures on car crime, available from the Office For National Statistics (ONS) show that car crime was in the region of 1.5million incidents in 1981, peaking around 1992 / 1993 at 4.5million incidents. In 2015 it had dropped down to less than 1 million incidents. Over a similar period licensed cars on the UK road has grown from below 20 million to over 30 million, so it’s easy to see that as a percentage car crime has dropped significantly. Is this the sort of curve we could see with cyber crime – but over a shorter period? More and more devices, a peak in crime and then it drops considerably? Perhaps we will. So if the Police didn’t resolve car crime, who did? And will they do the same for cyber security?
With car crime the Police highlighted the issue. They made the public aware that this was a big problem and started to make recommendations on what the public and businesses should do in order to reduce this. Industry then responded with a range of anti theft measures, from car alarms and immobilisers to steering locks (remember those?). All these had to be retrofitted – patched if you will – to a hardware platform that had exploitable vulnerabilities; sound familiar? Insurance companies, who were no doubt suffering significantly from the increase in car crime, started to understandably increase premiums but would offer reductions if the customer was taking specific preventative measures.
I can personally recall this as I remember getting a specifically approved alarm and immobiliser retrofitted to my ‘hot hatch’ in the early 90s in order to reduce the insurance premiums. Then the car manufacturers got on board. They became aware that as they had provided more and more functionality in their products – fuel injected engines, improved stereos, alloy wheels and more – that they had become attractive to thieves. Some cars were more susceptible than others, so car manufactures started to build in more and more security measures.
Locking wheel nuts, pin coded stereos, remote locking, immobilisers, alarms and more. All of this started being built in as standard. At the same time the third party retrofitting companies must have started to see business start to fall as the natural upgrade cycle of cars lead to a situation where security was resolved by the manufacturer after market pressure dictated that consumers expected security to be a key feature of their new car. I wonder how the security divisions of the major car manufacturers transformed over that time? A similar transformation is no doubt happening today within the leading IT manufacturers.
Today we are at a point where car security is at such a level that in order to steal a car a thief has to pretty much get hold of the keys by breaking into a house first!
Now I’m sure that greater academic minds than I could study the parallels between car crime and cyber crime and come up with a wide range of predictions and recommendations on what is going to occur. Who will be the winners? Who will be the losers? and when cyber security is as much a part of everyday life for businesses and consumers as car security is today. This does not mean we can sit back and just wait, quite the contrary, we all have a collective responsibility to secure our technology, in the same we have and have had a responsibly to lock and secure our cars.
The big question for me, is that if car crime peaked in 1992 / 1993 with 4.5million incidents, when will we hit that peak in cyber crime? Or have we already hit it?