Cooperation Urged On U.K. Cybercrime

"It's been reported that as many as two-thirds of U.K. businesses had at least one malicious incident last year, double the number in 2000. And while the average loss was ?30,000, several businesses experienced a loss of more than ?500,000," he noted.

Mr. Barr said research in the United States shows that 90 percent of companies there have been the target of a cyberattack, with 80 percent suffering a financial loss.

"In the past, we have seen how other high-tech crimes, such as the theft of computer chips and other high-tech components, have been, shall we say, exported from the United States to the United Kingdom," he said.

To effectively address the problem, he encouraged U.K. firms to partner with law enforcement officials, who can put the cybercriminals behind bars, and government officials, who create the laws and regulations required to arrest them.

"Having a solid, mutually trusting relationship in place with law enforcement before a cybercrime occurs is often vital to apprehending the crooks," said Mr. Barr.

His comments came at the National Hi-Tech Crime Unit's (NHTCU's) unveiling of its "Confidentiality Charter," during a press briefing at the Congress.

Through the charter, which encourages the exchange of information between law enforcement and the business community and the reporting of high-tech crime, the NHTCU has pledged to keep all exchanges of information confidential and to "minimize the risk that commercially sensitive information might reach the public domain."

Mr. Barr also urged companies to take other measures to better protect themselves from cybercrime and other potential disasters. In particular, he called on companies to establish enterprise-wide risk management programs, overseen by either the chief executive officer or a chief risk officer reporting to the CEO.

"Too many companies are making a mistake by managing risks in different departments, or what we call silos," he said. "IT executives, for example, should not try to manage the cyberproblem by themselves. They don't have all the expertise in managing risk. In addition, cyberrisks can generate non-IT-related risks involving physical, human and capital resources."

According to Mr. Barr, every company also should:

? Establish a risk management council, which would bring together representatives from finance, legal, human resource, communications, line operations and other departments.

? Create a culture, policies and procedures that encourage or direct every employee to play a role in identifying and managing risk.

? Analyze their interdependencies. In other words, consider what would happen if an unprepared supplier or business partner or even customer were to experience a business interruption or go out of business due to a cyberevent or other disaster. Additionally, determine what measures these firms have taken to protect themselves.

? Develop contingency management and disaster recovery plans that address cybercrime incidents, natural catastrophes and other disasters.

"If they're not already addressing the cyberissue comprehensively, companies must, if they are to survive or not impede their growth," concluded Mr. Barr.