e-Crime Wales Action Plan 2008

www.ecrimewales.com

e-Crime Wales Action Plan

Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 1. Establishing an e-Crime Wales Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Action 1.1: Action 1.2: Action 1.3: Action 1.4: Establishing management of the Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Providing field resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Creating the e-Crime Wales Website . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 Organising the Annual e-Crime Summit . . . . . . . . . . . . . . . . . . . . . . . . . .11

2. Supporting businesses to combat e-Crime . . . . . . . . . . . . . . . . . . . . . . . . . .13 Action 2.1: Development of business support resources . . . . . . . . . . . . . . . . . . . . . .13 Action 2.2: e-Security training for ICT professionals . . . . . . . . . . . . . . . . . . . . . . . . . . .15 Action 2.3: Developing the Welsh workforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17 3. Raising awareness of e-Crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19 Action 3.1: Over-arching PR & Communications Strategy . . . . . . . . . . . . . . . . . . . . .19 Action 3.2: e-Security Business Awareness Campaign . . . . . . . . . . . . . . . . . . . . . . . .20 Action 3.3: Law Enforcement Awareness Programme . . . . . . . . . . . . . . . . . . . . . . . .22 4. Reporting and monitoring of e-Crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 Action 4.1: Undertaking an e-Crime Impact Study . . . . . . . . . . . . . . . . . . . . . . . . . . .26 Action 4.2: Cross-Sector Reporting Partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

www.ecrimewales.com

e-Crime Wales Action Plan

www.ecrimewales.com

e-Crime Wales Action Plan

Introduction
The threat posed by malicious attack and security breach make concrete strategies and clear, well-developed organisational IT security policies an imperative for all businesses of the 21st century. Although many organisations operating in the private, voluntary or public sectors are aware of the need for action not all have the resources of finance and of knowledge and skills, to implement such policies on their own. There is also a need to raise awareness and understanding among all organisations be they private, voluntary or public of what e-Crime is; what implications it can have, and how it should be reported. e-Crime Wales has been formed as a partnership of public and private sector organisations that are committed to equipping Welsh businesses with the knowledge and tools to be aware, vigilant and ultimately safe from the damaging effects of e-Crime in all its forms. The mandate to deliver on these objectives is provided by the Welsh Assembly Government, and this Action Plan sets out the steps needed to achieve them. The e-Crime Wales Steering Group is made up of organisations that have a stake in combating e-Crime in Wales. The Steering Group will support the Welsh Assembly Government e-Crime Wales Unit to implement the Action Plan by providing strategic steer, advice and support for specific actions where appropriate. The Action Plan supports the vision of e-Crime Wales for every business in Wales to be able to Recognise e-Crime when they see it. Share their experiences of e-Crime. Understand the magnitude of e-Crime; just like real crime it has extremely serious implications to lives and livelihoods. Know the practical steps to take in order to avoid becoming a victim of e-Crime. Learn the correct process for reporting e-Crime to the relevant authorities. Have the resources and support they need from police, government and private sector. Continue exploiting the benefits of ICT adoption without hindrance from the fear. or obstacle of e-Crime.

www.ecrimewales.com

e-Crime Wales Action Plan

www.ecrimewales.com

Establishing an e-Crime Wales Unit

1. Establishing an e-Crime Wales Unit

The e-Crime Wales Steering Group will take the lead in ensuring that this Action Plan achieves the objectives set out in the 2005 e-Crime Wales Manifesto and endorsed by the Welsh Assembly Government. Members of the Steering Group will champion and act as ambassadors for e-Crime Wales. They will promote partnership and collaborative approaches to the fight against e-Crime in Wales, and involve a wide range of stakeholders in this process including police forces and legal authorities; government departments and agencies; business groups and businesses; communities and the general public. The e-Crime Wales Unit of the Welsh Assembly Government will report to the e-Crime Wales Steering Group. The Unit is the responsibility of the Welsh Assembly Government but include staff seconded from Welsh stakeholder bodies. The Unit will be responsible for formulating and carrying out the policy of the Welsh Assembly Government with respect to e-Crime, and will take forward the activities contained in this Action Plan. The e-Crime Wales Steering Group will have overall strategic responsibility for the e-Crime Wales Unit.

Action 1.1: Establishing management of the Unit

The e-Crime Wales Unit will be responsible for implementing the e-Crime Action Plan. The Unit will either perform a supporting role, geared to implementing actions that require development work, or an organisational role, depending on the Action area and circumstances. The Unit will consist of five permanent posts, created to support day-to-day management and implementation of the e-Crime Action Plan. The team will be led by an e-Crime Project Manager, who will report back into the Steering Group and have overall responsibility for managing the Action Plan. The Project Manager will be supported by a team of Executives and an administrator who will each be responsible for specific actions from the plan. Key activities Development of job specifications and roles Recruitment of an e-Crime Wales Unit General organisational and development work

Action 1.2: Providing field resources

Up to five police officers will be resourced to support implementation of the e-Crime Wales Action Plan. There will be one e-Crime Team Supervisor, who will be seconded to the Welsh Assembly Government and based within the e-Crime Wales Unit, and four Regional Business e-Crime Officers, each based in one of the four Welsh police forces. Role of the e-Crime Team Supervisor The e-Crime Team Supervisor will be a Police Sergeant who will be seconded into the e-Crime Wales Unit from one of the Welsh police forces for the duration of the Action Plan. The e-Crime Supervisor will strengthen the profile of the Unit by bringing to the team their knowledge of the law, police policy and procedure, and their experience of identifying and co-ordinating criminal investigations.

www.ecrimewales.com

e-Crime Wales Action Plan

The presence of a Police Sergeant at the heart of the e-Crime Wales Unit also sends a strong message to businesses and other organisations across Wales that the Welsh Assembly Government and the four Police forces in Wales takes e-Crime seriously and is prepared to deploy resources to deal with it. The e-Crime Team Supervisor will co-ordinate the activities of the Regional Business e-Crime Officers, and act as the link between these Officers and the rest of the e-Crime Wales Unit. As such, the e-Crime Team Supervisor will play an important role in ensuring that the Unit operates as a Wales-wide, cohesive, and focused whole.

Role of the Regional Business e-Crime Officers

The four Regional Business e-Crime Officers will be appointed to this role from within their home police forces. The Regional Business e-Crime Officers will act as a Single Point Of Contact (SPOC) on e-Crime to businesses in their areas. There are three elements to this role: the Officers will record - and if appropriate, investigate - incidents of e-Crime occurring in Wales; they will provide a focal point for e-Crime awareness-raising activities among their police forces and the local community, and they will supply the e-Crime Wales Unit with intelligence and up-to-date information on e-Crime, including any new areas of activity by e-criminals and emerging threats. This information will be shared with a wide audience via the e-Crime Wales website 1

Reporting lines
The e-Crime Team Supervisor will be responsible for the day-to-day management and co-ordination of the four Regional Business e-Crime Officers, and will report into the e-Crime Project Manager. However, the four Regional Business e-Crime Officers will have line managers within their home force structures, as well as reporting centrally into the e-Crime Team Supervisor. Key activities Identify and appoint to 5 police officers Deliver e-Crime awareness activities to police forces and community organisations Feed back field intelligence to the e-Crime Wales Unit for dissemination via e-Crime Wales website

1. See Action 1.3 opposite

www.ecrimewales.com

Establishing an e-Crime Wales Unit

Action 1.3: Creating the e-Crime Wales Website

A vital action for the success and sustainability of e-Crime Wales is the creation of a central information website to ensure that information on e-Crime is made accessible to Welsh businesses and to provide a repository for capturing the new information that will be produced as a result of improved monitoring and awareness of e-Crime activities. The e-Crime Wales Steering Group will take a strategic leadership role in developing and maintaining the central information website, ensuring that it serves the needs of all stakeholders in e-Crime Wales and is able to influence organisations in the field, from businesses needing to access information to ICT professionals who have information to contribute to the resource. The Steering Group will also be responsible for forging clear linkages and co-operating with other development bodies that have similar roles both locally and nationally. The e-Crime Wales Unit will assume overall responsibility for the day-to-day management of the e-Crime Wales website. This will involve overseeing the functioning of the website, and promoting and maintaining any material placed in it. The e-Crime Wales website will have 3 objectives: to act as a co-ordinating point for those agencies involved in developing e-Business skills and tackling related issues; to act as a conduit for the Welsh business community, both gathering information and providing it to those seeking advice and direction on issues relating to e-Crime; to act as a resource for the dissemination of new developments and relevant up-to-date information. The e-Crime Wales website will not replace UK and Wales-wide programmes and information networks that already target businesses in Wales2 but will work alongside these, providing a single point for co-ordinating activities relevant to e-Crime. The e-Crime Wales website will be a repository of information and will ensure that e-Crime issues are communicated to other networks and activities at Wales and UK level. It will also input into other relevant e-business activities alongside these other organisations. For businesses, the e-Crime Wales website will have a dual function. It will be a place where they can access clear, up-to-date information about e-Crime threats and how to prevent them and, more specifically, a place where they can be signposted towards the specific forms of support provided by the various agencies involved in e-Crime Wales. From the perspective of the members of e-Crime Wales, the e-Crime Wales website will function as a strategic, central location for the gathering and dissemination of new information and intelligence. As an accessible repository of information about e-Crime activity and prevention it will have a cumulative aspect that will be invaluable in the drive to prevent e-Crime. As businesses begin to feed their needs back into it, the e-Crime Wales website will provide fresh ideas and rationale for the development of innovative business support programmes and other interventions.

2. For example, the all-Wales information service provided by Business Eye, or the work of e-Skills Wales (part of e-Skills UK). (e-Skills Wales is responsible for the Sector Skills Agreement for IT: Action Plan for Wales 2005-2008).

www.ecrimewales.com

e-Crime Wales Action Plan

Implementation tasks Phase 1: Current Activity Audit

The first step in creating the e-Crime Wales website will be an audit of existing e-Crime information sources and supports. These may be either internal or external to Wales; the objective here is to assess the quality and quantity of the information resources and infrastructures currently available to the business community in Wales. The audit will identify what activities are currently underway or anticipated at UK level in terms of e-Crime, what agencies are involved in tackling e-Crime and who the key personnel within these agencies are. Later, e-Crime Wales will seek to build relationships with these individuals for the purposes of co-operation and co-ordination. The audit will also review what e-Business support and advice activities are currently underway in Wales, and will identify any gaps that the e-Crime Wales website could fill by developing and making available new material.

Phase 2: Design and population of e-Crime Wales website

The e-Crime Wales website (www.ecrimewales.com) will provide the initial point of contact for businesses and social enterprises with e-Crime issues. The e-Crime Wales Unit has already commissioned the design of the website, which will connect and integrate e-Crime related activity in Wales and become the backbone of the e-Crime support infrastructure. The website will be a trusted, reliable and relevant source of information for Welsh businesses and other e-Crime Wales stakeholders to turn to for e-Crime advice, information and guidance. Once the website is fully operational, a number of issues need to be addressed in relation to its population with information. Where the audit identifies schemes and materials already in existence, the e-Crime Wales Unit will contact the owners or authors and obtain their permission to use materials directly, with relevant co-branding from e-Crime Wales. If the audit identifies areas where information or advice on a particular topic is missing, the e-Crime Wales Steering Group will be able to commission any work needed to fill the gaps, provided it deems this relevant and useful to Welsh businesses. Information gathered during the audit of current activities in Phase 1 will be translated into a format that is accessible for general business users of the e-Crime Wales website. The information gathered from any research and development exercises commissioned to fill gaps will be added incrementally to the e-Crime Wales website, becoming available to anyone wishing to access it. The e-Crime Wales Unit will be responsible for maintaining and updating information in the e-Crime Wales website. This will involve: providing support during the development of the website, ensuring the co-ordination of the website with other UK activities and with general business support activities in Wales (notably via Business Eye), and sign-posting businesses to relevant sources of information. Finally, the Unit will continue to support the e-Crime Wales Steering Group by bringing to its attention any new areas in the e-Crime Wales website that could benefit from the addition of new, or more detailed, information. If the e-Crime Wales Steering Group approves further work, the Unit will be responsible for commissioning the new projects.

10

www.ecrimewales.com

Establishing an e-Crime Wales Unit

Phase 3: Maintaining a feedback loop

A further task for the e-Crime Wales Unit will be the facilitation of a feedback loop amongst businesses, business support providers, the Welsh police forces, economic development agencies and ICT professionals. The feedback loop will allow organisations to obtain new information and intelligence on e-Crime in Wales as it becomes available. It is crucial that this information is well-maintained and regularly updated and therefore the e-Crime Wales website will need to be constantly refreshed and supplemented with new information as this emerges from other Actions in this Plan. Feedback information will include new intelligence from police forces, new support measures aimed at meeting specific business needs, information on e-Crime legislation and regulation, data on emerging trends as observed by ICT professionals in the field, and solutions resulting from innovative practices developed by businesses themselves. Key activities Development of a brief for tender of current activity audit Commission audit of current activity and identify gaps in provision Finalise specification for the e-Crime Wales website (www.ecrimewales.com) Populate www.ecrimewales.com with initial resources Market and publicise launch of e-Crime Wales website Commission e-marketing campaign to direct relevant traffic towards the website. Maintain and update content and functionality to aid the ongoing quality of the website as a trusted and relevant source of information.

Action 1.4: Organising the Annual e-Crime Summit

The e-Crime Wales Unit will assume responsibility for organising and delivering a major annual e-Crime Summit. This will require the Unit to identify speakers, book venues, and work with the e-Crime Wales Steering Group and other stakeholders to decide the thematic focus and appropriate content for each Summit. The e-Crime Wales Unit will liaise with appropriate members of the Steering Group and other experts in order to develop material for use at the Summits. The e-Crime Wales Unit will have key responsibilities in terms of developing material for use at the other workshops and training events highlighted in the Actions of this Plan3. In addition, the Unit will be responsible for managing workshop and event logistics in general. This will involve ensuring that venues are booked, workshop material is produced and sent out, and that the appropriate businesses and other participants are identified and invited to attend. Key activities Organisation of annual e-Crime Summit Commissioning and dissemination of e-Crime Workshop materials

3. See primarily Action 3 (page 14) and Action 4 (page 20)

www.ecrimewales.com

11

e-Crime Wales Action Plan

12

www.ecrimewales.com

Supporting businesses to combat e-Crime e-Crime Wales Action Plan

2. Supporting businesses to combat e-Crime

The e-Crime Wales Action Plan sets out the steps needed to improve the amount and the quality of the intelligence available on e-Crime, and to strengthen the feedback loops that link companies, business advisors, the police, and other public agencies. The presence of readily-available information and open lines of communication is particularly important for the success of this Action, which is concerned with ensuring that businesses have the advice and support they need to combat e-Crime. This is a particularly pressing need since experience suggests that, due to limited knowledge and resources, the majority of businesses - and many other organisations as well are inclined to assess and manage their IT risks inadequately, preferring to hope that a problem will not arise. Businesses need to be helped to overcome their limitations and placed in a position to deal with the e-Crime challenges that they face on a daily basis. A well-developed and well-managed support programme providing access to information, advice and practical support tools is therefore a key action. A certain level of IT-security support provision already exists in Wales, but it is often delivered as part of broader and more generic IT advice and support. There is room to improve the co-ordination of different approaches and providers, and to ensure that any changes made are based on a robust understanding of e-Crime levels and impacts. A single point of initial contact for those providing, and those seeking information and support about e-Crime, is an essential first step. This will allow companies and individuals to access up-to-date information and get referrals to specialist advice and support. Providers of business and IT support also need accurate and reliable information on e-Crime prevention so that they can deal adequately with their client businesses. Information, knowledge, support tools, and approaches that build on existing experience and good practice will therefore be a priority.

Action 2.1: Development of business support resources

Advice on how to identify and report e-Crime is essential for businesses. However, support that will allow businesses in Wales to take action to prevent e-Crime is also vital. When businesses have identified potential problems, they seek to deal with them quickly and effectively but often they lack the resources and guidance to do this properly. The actions here are therefore about connecting users of e-Crime resources and guidance materials with the providers. The e-Crime prevention measures must be easily absorbed and trusted by businesses, and public agencies must further stimulate demand for acceptable e-Crime prevention practices by, for example, building e-Crime standards into their own e-procurement practices. The following resources and guidance are required and will be developed or integrated into a wide-ranging resource kit of business support: Easy-to-follow ICT security and e-security guidelines and standards for Welsh SMEs will be made widely available to small and medium-sized businesses. Fact sheets will be made available through the e-Crime Wales website and at awareness raising activities and information days. ICT management and business risk management tools (linked to existing business support tools around use of ICT4) The incorporation of e-Crime skills into appropriate accreditation systems for Welsh ICT professionals. Guide to sources of support for implementation of effective e-security. The Department for the Economy and Transport of the Welsh Assembly Government will take the lead in ensuring the delivery of this action. However, it will work in partnership with other ICT and e-Crime agencies 5.
4. Building on but simplifying existing standards such as BS7799 (now ISO27001:2005 and ISO27002:2005).

www.ecrimewales.com

13

e-Crime Wales Action Plan

Implementation tasks Phase 1: Research and definition

As part of the audit carried out under Action 1.3, the existing support offer, both from Wales-based initiatives and UK-wide schemes that are accessible in Wales, will be analysed. The results will inform the refinement and development of new support resources and guidance to be offered to Welsh businesses. A small working group will be established to assist in defining the resources and guidance to be developed.

Phase 2: Refinement and verification

The resources that are defined by the working group will be developed either by allocating responsibility to various ICT practitioners within the organisations represented on the working group or, in exceptional circumstances, by commissioning external experts to design specific elements. Prior to completing the development of the resources and supports, it will be important to verify them with a panel of public and private sector business intermediaries to ensure that they are relevant, effective and capable of being efficiently delivered by a wide range of support providers.

Phase 3: Packaging
Following verification, the resources and guidance will be assembled, branded and packaged as a coherent resource kit for combating e-Crime in Wales. This will require professional marketing and design input.

Phase 4: Training & dissemination

The resource kit will be made available for delivery by the business support community across Wales after suitable training. The kit will be available to both private and public enterprises in order to foster universal application of good practice. The e-Crime Wales website created in Action 1.3 will be used to direct businesses to appropriate business advice and support that uses the kit.

Phase 5: Stimulating demand for e-security

Following the dissemination of the resource kit to businesses, e-security standards will be embedded as minimum requirements in e-procurement procedures by public bodies in Wales. This will directly stimulate demand from businesses for e-security investments and will also contribute to the e-Crime prevention programme in Wales. The resource kit will offer support and signpost companies to funding mechanisms intended to help small firms meet these standards, thereby helping to make Wales a better place to do business.

5. Including, as appropriate, the Serious Organised Crime Agency (SOCA) or the Police Central e-Crime Unit (PCeU) currently proposed by the Metropolitan Police. Within Wales, e-Crime Wales will work with the ICT and business support structures established by the Welsh Assembly Government.

14

www.ecrimewales.com

Supporting businesses to combat e-Crime e-Crime Wales Action Plan

Key activities The following outlines the key activities associated with the implementation of this action. Research and definition Establishment of a business support services working group Development of support resources and guidance Identification of e-security standards within existing e-procurement standards Commissioning of development work (if required) Launch of new e-security standards or re-launch of existing standards

Action 2.2: e-Security training for ICT professionals

The Department for the Economy and Transport has principal responsibility for providing ICT support to businesses in Wales. The programmes managed by the Department typically operate using independent ICT professionals who act as consultants to companies, analysing their needs and assist them to select solutions that are appropriate to their business. Many small and medium-sized companies also employ their own ICT managers, who also need to keep their skills and knowledge up-to-date. Only where ICT professionals themselves have advanced e-security skills and knowledge can they adequately consider the security aspects of businesses ICT operations. The Department for the Economy and Transport will use its leadership in managing the provision of ICT advice in Wales to encourage ICT professionals - both external consultants and those employed within companies and other organisations - to review their existing skill levels. This will be done by capitalising on work already undertaken to categorise skill requirements such as the National Occupational Standards that have been developed for IT users and IT professionals by e-Skills UK6, and using these to design a skills audit. Once the audit has been completed, suitable training opportunities will be identified, or developed if necessary. While general training goals and workforce development are not a core part of Department for the Economy and Transport responsibility, the Department is responsible for ensuring that ICT advice provided under public sector business support schemes is sound and incorporates adequate levels of e-Crime prevention. Drawing on the expertise of relevant organisations and the work undertaken in Wales already, the Department for the Economy and Transport, with support from the e-Crime Wales Unit7, will take on the main responsibility for encouraging ICT professionals to upgrade their skills.

6. The Sector Skills Council for IT and Telecoms 7. For example, the Welsh Assembly Government Department for Children, Education, Lifelong Learning and Skills (DCELLS), and e-Skills UK

www.ecrimewales.com

15

e-Crime Wales Action Plan

Implementation tasks Phase 1: Internal e-security skills audit

The Department for the Economy and Transport will initially establish the need for e-security training on the part of the ICT professionals by commissioning an audit and assessment of the e-Crime skills needs of ICT professionals in Wales. This assessment will be informed by the National Occupational Standards and the National Vocational Qualification for IT Users (known as the ITQ), which have both been developed by e-Skills UK8 , and by any relevant material that has been collected as part of preparations for the annual e-Crime Summit. Members of the e-Crime Wales Steering Group will also contribute their expertise where relevant, for example on technical aspects, risk management and compliance issues.

Phase 2: Setting up of e-security skills working group

The task of auditing the skill needs of ICT professionals will be used as an opportunity to set up a working group to deal with all e-Crime skills and training aspects. Representatives from the Department for Children, Education, Lifelong Learning and Skills who are members of the e-Crime Wales Steering Group will engage with key Welsh ICT training organisations to form a working group charged with taking workforce development activities forward. The working group will develop a methodology to identify exact skill needs. It will also highlight the extent to which e-security-related ICT knowledge is already embedded in the e-skills activities that are part of wider ICT training provision in Wales.

Phase 3: Training plan implementation

Following the audit, individual and joint training plans for use by their own professionals and advisers will be developed by the ICT training organisations participating in the working group. These plans will take account of the potential for joint training activities to be organised - either by private sector ICT training organisations, or by institutional providers of formal training opportunities. Regular auditing of e-Crime skills will subsequently be embedded in staff appraisal processes of all participating organisations. Where a fundamental need for training is identified, the Department for the Economy and Transport will take the lead in identifying exact skill needs in collaboration with the Department for Children, Education, Lifelong Learning and Skills. In view of the link between this e-Crime prevention work and broader activities around development of IT skills in the workforce, expertise will be sought from ICT training experts in Wales.

Phase 4: Promoting e-security training to external ICT professionals

A series of information days will be organised for ICT professionals. This target group encompasses consultants, who provide advice through other public sector schemes and organisations or work independently with businesses, and ICT managers who are employed within companies. The objectives here are to raise awareness of the need for specific training and to make support and guidance available to companies so that they can undertake an internal audit of employees e-skills. Other ICT skills initiatives sponsored by the public sector will also be used to encourage a wider group of ICT professionals (both external consultants and company ICT managers) to review and enhance their e-security skills.

8. e-Skills UK (www.e-skills.com) has also developed several tools to help employers and individuals identify IT skills and competencies, and to assess where skills or development gaps lie. For example, the e-Skills Passport, which supports the development of IT users, and the Skills Framework for the Information Age (SFIA) Profiler, which is aimed at IT professionals. These tools may also offer useful frameworks to inform the analysis of broad skill needs.

16

www.ecrimewales.com

Supporting businesses to combat e-Crime

Key activities Verification of training needs Development of detailed skills audit Skills audit Establishment of e-Crime Wales working group on e-security skills Training plan development Joint training workshops Off-the-shelf training Information days for a wider audience of ICT professionals

Action 2.3: Developing the Welsh workforce

General ICT skills have consistently been identified as a key skills area by various studies and strategy documents9. ICT learning opportunities for the Welsh workforce are thus already an integral part of the training portfolio overseen by the Department for Children, Education, Lifelong Learning and Skills. The task of the e-Crime Wales Steering Group is therefore to work with the Department for Children, Education, Lifelong Learning and Skills to: Ensure adequate integration of e-security skills provision in this wider portfolio of learning opportunities; and Put in place appropriate access routes for companies by including ICT risk management and related e-security skills in the audits carried out by business advisers. In addition, e-Crime Wales will use the working group set up as part of Action 2.2 to explore the scope for further co-operation with relevant ICT training organisations in Wales and to anchor ICT risk management and e-security skills in the training agendas of Welsh companies in the medium and long term. The stakeholders in e-Crime Wales generally and the Department for the Economy and Transport in particular have realised that e-security skills above and beyond general ICT skills are a fundamental prerequisite for companies to thrive in the Information Society. As European Structural Funds for 2007-2013 come on stream in Wales, the Department for the Economy and Transport will contract with external organisations for delivery of ICT and other business advice services for small and medium-sized businesses. As such, the Department will be responsible for ensuring that the skills of individuals working on its programmes are of appropriate standard and quality. Other stakeholders in e-Crime Wales, particularly the Department for Children, Education, Lifelong Learning and Skills which is responsible for delivering workforce training goals, fulfil a similar quality assurance role as part of their programme management responsibilities. Representatives of the Department for Children, Education, Lifelong Learning and Skills at the Welsh Assembly Government will therefore take the lead in extending the training element of e-Crime Wales to the wider ICT skills agenda .

9. A Winning Wales Future Skills Wales, Skills and Employment Action Plan 2004 10. The working group set up under Action 2.2 will bring together the structures and expertise available through the Department for Children, Education, Lifelong Learning and Skills, e-skills UK and other relevant Sector Skills Councils. Members of the group will work together to carry out any development needed to reinforce structures, or to integrate provision of specialised e-security training with wider ICT skills development.

www.ecrimewales.com

17

e-Crime Wales Action Plan

Implementation tasks Phase 1: Review and upgrading of current e-security skills

The WAG representatives of the e-Crime Wales Steering Group will initiate exchanges with the Department for Children, Education, Lifelong Learning and Skills and training organisations with a view to conducting a review of current provision in Wales of ICT risk management and e-security skills training for Welsh workforces. The information already available in Wales via e-Skills UK, together with any additional material gathered as part of the development work for the e-Crime Wales website will form the basis for deliberations in a working group. Where gaps in provision are identified, e-Crime Wales will work with the Department for Children, Education, Lifelong Learning and Skills to facilitate any necessary development work.

Phase 2: Integration of e-security audit in business support services

The Department for the Economy and Transport and the Department for Children, Education, Lifelong Learning and Skills will review existing referral mechanisms with a view to including audit tools that can be used to identify ICT risk management and e-security skill needs.

Phase 3: Joint e-security developments with ICT training organisations

Building on these concrete steps, e-Crime Wales through the e-Crime Wales Unit will consider joint activities with ICT training organisations to promote e-Crime prevention. The e-Skills Wales group within e-Skills UK may be a useful forum for co-operating on this, since the third strategic objective of the e-skills Wales Action Plan, Developing adults and the existing workforce; focuses on the development and uptake of work-based IT skills development. Key activities Review of current provision Course development work Review and refine new Department for the Economy and Transport-Department for Children, Education, Lifelong Learning and Skills referral mechanisms Integration of ICT risk management and e-security aspects in existing training tools Integration of accreditation with e-business network activities Promotion of ITQ (the National Vocational Qualification in IT) and accompanying e-Skills Passport tool, together with any other relevant accreditations.

18

www.ecrimewales.com

e-Crime Wales of e-Crime Raising awarenessAction Plan

3. Raising awareness of e-Crime

e-Crime is a relatively new phenomenon and many simple steps that could be taken to protect against it remain unknown or unused by the majority of ICT users. A degree of basic understanding of technological developments and their impact on businesses will often be sufficient to prompt businesses into action and change their routine behaviours. Although e-Crime affects all parts of society, arguably it is the business community - both large and small companies, that feels the greatest impact from e-Crime. Whilst premeditated attacks carried out by hackers and viruses are clearly of great concern for all businesses, more often than not these attacks are targeted at well-known, large, corporate companies. It is rarer for small and medium sized enterprises to be singled out for a targeted, malicious attack; more frequently it is human error, or a collective failure by the organisation to protect itself that is the root cause of a security breach. Awareness-raising is thus needed at many different levels and should be tailored to suit the information needs of different target groups. Research has shown that businesses are inclined to give credence to the impact that serious breaches of security could have on their organisation, but despite this the majority of businesses remain confident that their current technical security processes, often based on conventional, off-the-shelf anti-virus and firewall software, provide sufficient protection11 . Sole reliance on these systems is, however, not sufficient to provide comprehensive protection from attacks by increasingly sophisticated hackers and virus designers who are able to bypass traditional security programmes. Making available up-to-date information and general guidance on how to tackle the latest threats is therefore necessary to overcome the dangerous over-reliance by businesses on conventional programmes. Added to this, while human error is responsible for most breaches in IT-security, only a limited number of businesses have a defined security policy for dealing with the potential threats posed by e-Crime through the back door12. Furthermore, if they are serious, security breaches may have consequences for compliance and company liability, but many companies are not aware of these risks and so do nothing to mitigate them. In order to improve the overall e-security situation in Wales, employees as well as their managers need to be made aware of the basic steps to protect electronic information, avoid security breaches and meet compliance requirements. The law enforcement agencies in Wales also need to be made aware of their vital role in combating e-Crime. Awareness-raising activities for law enforcement staff are therefore also required to foster a climate of mutual understanding in dealing with e-Crime.

Action 3.1 Over-arching PR & Communications Strategy

The e-Crime Wales Unit, in consultation with the e-Crime Wales Steering Group, will be responsible for developing and implementing an over-arching public relations and communications strategy. The aim of the strategy is to ensure that e-Crime Wales creates and takes advantage of all opportunities to make businesses and other organisations aware of the threats posed by e-Crime, and of the activities being undertaken under this Action Plan to combat it. The e-Crime Wales Steering Group will steer the communications strategy by ensuring that the activities and materials produced send a consistent and compelling message to target audiences in business, community, police, and government.

11. DTI: Information Security Breaches Survey 2004, p.3 12. DTI: Information Security Breaches Survey 2004, p.9

www.ecrimewales.com

19

e-Crime Wales Action Plan

Key activities Ensure e-Crime Wales is understood by influential and relevant opinion formers, and has the platform to articulate its activities and viewpoints Encourage and influence relevant organisations, including e-Crime Wales stakeholders, to reinforce/echo the messages developed for e-Crime Wales Generate compelling and informative content for the Welsh business community via the e-Crime Wales website, newsletter and other vehicles Provide concise and consistent materials to stakeholders for use in other forums

Action 3.2: e-Security Business Awareness Campaign

A campaign to raise awareness of e-Crime is key to combating e-Crime in businesses in Wales. The campaign will target business leaders and employers across Wales - particularly within SMEs, but also the employees of Welsh SMEs. An important issue, debated at successive e-Crime Summits, is the lack of awareness among companies of the risks involved in periodic online working, which can expose them to overt attempts to extract information fraudulently, such as phishing e-mails, and to less immediately-evident threats, such as viruses or the activities of hackers. Firms also need to be aware of the security issues that arise as technological advances make it cheaper and easier for them to conduct business via dispersed, on-line collaborative networks, or digital business eco-systems. Currently the majority of small and medium-sized firms are relying on off-the-shelf security software to protect their data and systems from e-Crime. The business awareness-raising campaign will tackle this misconception by alerting the workforce and employers to the increased risk of e-Crime that comes with greater and more sophisticated use of on-line working. The campaign will help organisations understand the threats posed by e-Crime, and will advise on what measures can be taken to combat them. Among SMEs, lack of awareness of the risks leads to reluctance to commit resources to tackling the problem. Without hard facts and figures, and evidence detailing the impact that e-Crime may have on a company, it is difficult for SME owners and managers to justify investing additional resources in e-security. The campaign will therefore also impress on SMEs the urgency of making e-security an issue for senior management, and will provide companies with the evidence they need to push e-Crime and e-security up the strategic management agenda. In terms of overall responsibility, the e-Crime Wales Steering Group will oversee the campaign at a strategic level. The Steering Group will be responsible for the strategic aspects of raising awareness, such as which types of companies are targeted and which information is presented, ensuring that the information provided to companies is correct, up-to-date and relevant. At a more operational level, the e-Crime Wales Unit will be responsible for negotiating with e-Crime Wales stakeholders to secure e-Crime Wales branding of all information used for the campaign, managing the production and distribution of material, organising and staging the awareness-raising workshops, and generally raising the profile of e-Crime Wales and its activities.

20

www.ecrimewales.com

Raising awareness of e-Crime

Implementation tasks Phase 1: Development of material for use in the campaign

Before embarking on the campaign itself, to complement Phase 1 of the e-Crime Wales website, the e-Crime Wales Steering Group will commission a review of awareness-raising activities currently in place and opportunities for developing new material targeted at Welsh businesses. This will require a mapping exercise to identify all relevant awareness-raising material currently produced for businesses by support organisations working either within Wales or across the UK. The Unit will ensure that this information is made available via the e-Crime Wales website. Any new information, guidance and advice developed will be made easily accessible by displaying hard-copies at strategic locations13 and making it available on-line via the e-Crime Wales website. New material is likely to include fact sheets and case studies, and it will be produced in a range of formats to ensure the e-Crime Wales website is publicised widely as the first port of call for information and advice.

Phase 2: Workshops and Information Days

In the second phase of the campaign, the e-Crime Wales Unit will organise a series of regular themed workshops and information days for managers and employees within Welsh businesses. The workshops will take place on a bi-monthly basis and will run for the duration of half a day. The Unit will undertake all the necessary organisation for these events and be responsible for advertising and publicising them accordingly. The workshops and information days will address key e-Crime issues14 relevant to businesses and will ensure that, by the time they leave each event, companies have a better understanding of what e-security is and what the implications are for the way they do business. Participants should also be able to make a strong case to their colleagues for treating e-security as a strategic issue that requires oversight by senior management and adequate investment. The e-Crime Wales Unit will refresh the programme of events and general awareness-raising material regularly, taking into account any new information and points of debate. The e-Crime Wales website is expected to become an important source of information and opinion in this regard, particularly as greater numbers of organisations begin to use and contribute to it. Likewise, the Unit will encourage support organisations and ICT professionals working with businesses to contribute their ideas and experiences. At a strategic level, the e-Crime Wales Steering Group will monitor the operational activities of the e-Crime Wales Unit to ensure that the awareness-raising programme continues to grow and remains relevant to the needs of companies.

13. For example, at meetings of business fora, or at specific locations such as Business Advice Centres 14. Issues covered will include legal obligations and liability risks in e-security; data protection advice; strategic importance of e-Security for businesses; the use of risk management and information security protocols.

www.ecrimewales.com

21

e-Crime Wales Action Plan

Timescales and Responsibilities Commission and carry out a mapping exercise of relevant awareness raising sources to identify gaps in provision Negotiate usage rights and branding with owners of current e-Crime material Develop new material to fill gaps identified in mapping study Identify strategic locations for placement of hard-copy information Develop information material in both hard-copy and electronic format Feed information electronically into e-Crime Wales website Develop material for use at workshops and information days Organise workshop series

Action 3.3: Law Enforcement Awareness Programme

The e-Crime Wales Unit, supported by the e-Crime Wales Steering Group, will work with the Welsh police forces and the National Policing Improvement Agency (NPIA) to develop an awareness-raising programme for Police Officers and Police Staff. The programme is intended to prepare the ground for more focused activities at a later stage, such as provision of training for police officers and staff on how to deal with e-Crimes, and steps to improve the recording of e-Crime in police reporting systems. The awareness-raising programme will have two objectives: to raise police force awareness of the size of the threat of e-Crime; and to heighten police officers and staff members awareness of the sensitive nature of their interactions with companies. The awareness-raising programme will be tailored so that it is relevant to all Police Officers and Staff, from those working in front desk or call centre roles to senior personnel. The programme is expected to include a series of e-learning modules, enabling Police Officers and Police Staff to fit learning around their main duties. Where necessary, the e-learning modules may be complemented by face-to-face workshops. Using existing research results, the programme will raise police force awareness of the size of the threat and its potential impact on the Welsh economy. The programme will also emphasise the important contribution that accurate police reporting of e-Crime makes to ensuring Wales is a safe place to do business online, explaining that the statistics help improve overall understanding of e-Crime and its effects.. As well as equipping police officers with the necessary skills and knowledge about e-Crime, the programme will raise their awareness of the difficulties and sensitivities that businesses face when considering whether to report e-Crime. Case studies of Welsh companies affected by incidents of e-Crime will be developed for use alongside existing police materials in order ensure that police officers who deal with e-Crime understand the concerns that businesses are likely have, for example about preserving customer and supplier trust, or protecting commercially sensitive information . The e-Crime Wales Steering Group will be responsible for ensuring that all stakeholders in e-Crime Wales have an opportunity to contribute to development of the awareness-raising programme, and that the goals of this Action are met.

22

www.ecrimewales.com

Raising awarenessAction Plan e-Crime Wales of e-Crime

Within the Steering Group, representatives of the law enforcement bodies will be actively involved in this Action. They will work closely with the e-Crime Wales Unit, and be responsible for the specific operational elements of the awareness-raising programme. This will include organising the production and dissemination of awareness-raising information across the police forces in Wales. This may take the form of e-learning modules developed in collaboration with the NPIA, or workshops arranged directly for Police Officers and Police Staff in the Welsh police forces.

Implementation tasks Phase 1: Design of the awareness-raising programme

A key initial action will be organising the most appropriate content and delivery formats for the awarenessraising programme. This process will be led by the e-Crime Wales Unit and police force representatives of the e-Crime Steering Group, who will draw on the expertise of the NPIA and that of the High Tech Crime Units within the Welsh police forces. The e-learning modules will cover themes and topics relevant to police officers in their day-to-day contact with businesses and e-Crime, and will include case studies that highlight the experiences of Welsh companies affected by e-Crime. Any workshops organised will also include case studies, but will be structured around speakers, presentations, and discussion groups that will allow Police Officers and Police Staff to raise concerns and issues relevant to them.

Phase 2: Conducting activities within the community

Building on this basic awareness, individual police officers will progress to being actively involved in conducting awareness-raising activities for businesses and communities, including schools. The aim of these sessions will be to reinforce police officers own understanding of the issues surrounding e-Crime and business and to use contact with businesses to upgrade police officers first-hand knowledge and experience of the issues. This will also allow useful links to be built up with the local business communities in which the officers operate, fostering the trust relationships crucial for effective tackling of e-Crime issues amongst businesses. Key activities The key activities that are shown below outline the steps required for implementation of this action. Develop material for use in e-learning modules and workshops Research and develop case studies for e-learning modules and workshops Make e-learning modules available to Police Officers and Police Staff Organise and stage workshops for Police Officer and Police Staff Identify police officers and/or staff suitable for a community-awareness raising role Identify communities, businesses and schools suitable to participate in Community Events Develop material for use at community events

www.ecrimewales.com

23

e-Crime Wales Action Plan

24

www.ecrimewales.com

Reporting and monitoringAction Plan e-Crime Wales of e-Crime

4. Reporting and monitoring of e-Crime

Accurate reporting of e-Crime is crucial for creating an impetus for action by a wide range of organisations, and for providing data to inform their activities. Many organisations will benefit from improved data on e-Crime including companies that deliver services via the Internet and need e-Crime information in order to prevent service disruptions, software developers who need to identify security weaknesses in their software, and businesses that need information to guide their interactions with customers and structure their internal IT safety procedures. Individuals, including entrepreneurs and business intermediaries, also need to appreciate the size of the threat from e-Crime in order to motivate them to take steps to prevent it. Last but not least, policy makers and law enforcement agencies need detailed information in order to help them decide how much resource is required to create an adequate framework for preventing and combating e-Crime. Reporting is also crucial to developing a monitoring environment capable of measuring progress in preventing and combating e-Crime. In a performance assessment culture, the selection and definition of appropriate targets for performance assessment will influence decisions on the ground. Improved reporting of e-Crime is therefore a prerequisite for successful crime prevention and investigation. Creating appropriate channels for the reporting of e-Crime is not a straightforward process, however. A multitude of organisations and interests have diverse reporting requirements and often face considerable conceptual barriers and sensitivities when it comes to reporting incidents of e-Crime. This creates substantial operational and technical complexities when it comes to processing reports of e-Crime. Identifying synergies between reporting requirements and embedding them in the wider framework of e-Crime Wales is thus crucial to make real progress on preventing e-Crime. Work in these areas is underway, but it has to a large extent been instigated by organisations operating at a UK national level and is often quite London-centric. A partnership initiative such as e-Crime Wales is a unique opportunity to create the momentum for the staged development of reporting practices that are gradually embedded into the day-to-day routines of different organisations. Policy in law enforcement and crime prevention is increasingly established on the basis of evidence-based assessments. However, incidents of e-Crime often go unrecorded, which means that resources are not made available due to lack of evident need. Limited resources mean that adequate reporting structures are not created, which limits the evidence available and leads potential victims to underestimate the immediate threat from e-Crime. There is something of a vicious circle at work, since the absence of adequate reporting structures also means that those businesses that do become victims are not able to report incidents that would provide evidence of need in the first place. By levering existing sources of information and intelligence e-Crime Wales will help create a strong rationale for a more thorough overhaul of e-Crime reporting procedures in the medium term.

www.ecrimewales.com

25

e-Crime Wales Action Plan

Action 4.1: Undertaking an e-Crime Impact Study

The main rationale behind the e-Crime Wales and the Action Plan is to ensure that Welsh businesses get maximum benefit from the application of ICTs without e-Crime hampering their success, and to make Wales a safer place to do business online. Without coherent reporting structures, there is currently a pronounced gap in the understanding of e-Crime patterns in Wales and of the impact that e-Crime has on Welsh business. In order for e-Crime Wales to accurately target those sectors and companies that are most at risk, a dedicated study will be commissioned at the outset of this Action Plan. The study, to be repeated in January/February each year, will build a detailed picture of the current impact of e-Crime on businesses in Wales. The study will provide an initial assessment of the impact of e-Crime on the Welsh economy, providing baseline information to guide and monitor activities and preparing the ground for more sophisticated reporting structures to be implemented at the Welsh level. The findings of the study will be used to lever the resources required to create improved reporting practices. The study will also inform several other strands of work to be undertaken in support of e-Crime Wales. Responsibility for undertaking the study therefore rests with the e-Crime Wales Steering Group as a whole, since all the organisations represented on the Group have a stake in particular aspects of the impact of e-Crime. The first task for members of the Steering Group will therefore be to develop and agree a research specification for the study.

Implementation tasks Phase 1: Commissioning of research

The e-Crime Wales Steering Group will develop a specification for a study of the impact of e-Crime on the Welsh economy. The e-Crime Wales Unit will take the lead in developing a first draft of the specification, and commission with the support of the e-Crime Steering Group Drawing on existing research resources at Welsh universities, the study will investigate the impact of e-Crime on the Welsh economy and how businesses in Wales assess this impact. Furthermore, it will consider how businesses identify and protect themselves against e-Crime, looking in at the risk assessment procedures businesses have in place concerning e-Crime, and identifying those that could be shared as best practice examples. The study will also consider the tools businesses use to report incidents of e-Crime, looking both at the reporting tools operated internally by some of the larger companies, and at the tools used by SMEs and larger companies that do not have their own internal reporting instruments.

Phase 2: Reporting and further analysis

The results of the e-Crime impact study will feed into several other strands of the Action Plan. The data collected will be used to refine approaches and target groups for the awareness-raising materials, help design business support tools, and inform workforce development activities. The study will also be used to develop an initial understanding of e-Crime reporting in Wales; it will identify what activities are currently undertaken by different organisations, what tools and processes these organisations use to collect information, and what incentives exist for them to contribute to a reporting partnership. These results will be achieved through the analysis of actual research results on the one hand and a series of exchanges with relevant stakeholders using the research results as a stimulus for discussion. These discussions will create the momentum to further bind different organisations into the e-Crime process.

26

www.ecrimewales.com

Reporting and monitoringAction Plan e-Crime Wales of e-Crime

Phase 3: Refreshment of the Study

The e-Crime Wales Unit will ensure that the study is refreshed in years 2 and 3 in order to update stakeholders understanding on the threat posed by e-Crime and to inform the design and delivery of activities taking place in these years. Key activities Commission e-Crime Impact Study Analyse implications of study findings for task of identifying target audiences and developing materials for awareness-raising Analyse implications of study findings for development of business support tools and advice services Analyse implications of study findings for development of workforce training Workshops with reporting stakeholders to refine and verify understanding Commission annual updates of the e-Crime Impact study

Action 4.2: Cross-Sector Reporting Partnerships

The focus of activity under the e-Crime Action Plan is on e-Crime prevention. Effective reporting structures will play an important part in ensuring that the Actions set out in this Plan are a success. The reporting structures that are developed to support the Plan must spring from a sound appreciation of what motivates private companies to participate in activities intended to improve the quality of e-Crime data. Welsh police forces have limited scope to act improve the reporting of e-Crime in the short term because existing reporting structures are not currently flexible enough to capture all incidents of e-Crime. In order to allow the true picture of e-Crime to emerge, police intelligence and information systems need to be further developed alongside those of new and existing partners. The Regional Business e-Crime Officers15 will help in achieving this by improving the collation and analysis of information about e-Crime. They will gather information directly from their interactions with businesses, supplement this with data from police reporting systems, and be responsible for sharing this with the e-Crime Team Supervisor. Working with the e-Crime Team Supervisor, the Regional Business e-Crime Officers will also act as a channel for cultivating innovative crime prevention and detection practices across the Welsh police forces, for example by identifying where police forces could quickly improve the quality of their e-Crime data by making simple changes to reporting and recording procedures. Over time, the Regional Business e-Crime Officers will become a valuable source of evidence on e-Crime, providing information to ensure appropriate police training, resources and response are made to problems. The development of integrated reporting procedures will need to take a phased approach, beginning with basic co-ordination of current activities and progressing towards more sophisticated technological and conceptual integration. This process will involve creating joint working platforms to bring together the diverse organisations involved, and forging consistent approaches to overcoming specific barriers to reporting e-Crime.

15. Created in Action 1.2

www.ecrimewales.com

27

e-Crime Wales Action Plan

The partnership approach adopted by the e-Crime Action Plan will build on the existing activities and relationships of stakeholders. For example, the High Tech Crime Units of the four Welsh police forces will bring their knowledge and understanding of e-Crime as experienced at Wales and UK level; the Department for Children, Education, Lifelong Learning and Skills brings its understanding of skills needs, whilst the Department for the Economy and Transport contributes its close links with the business community in Wales and in particular its portfolio of e-business support schemes. Each member of the e-Crime Wales Steering Group will provide leadership in its own constituency and will identify members for a working group charged with taking forward the joint reporting activities. In addition, members of the working group will be responsible for ensuring two-way communication between those regional-level organisations with strong knowledge of businesses and others needs, and those organisations responsible for ensuring that such needs and activities are integrated at pan-Wales level. Once established, the working group will be responsible for carrying out the actual development work and will report on a regular basis to the e-Crime Wales Steering Group.

Implementation tasks Phase 1: Development of a model for the creation of reporting partnerships
Drawing on the research results obtained from the e-Crime Impact study, the first step towards developing reporting partnerships will consist of stimulating regular exchanges between the different organisations involved. The initial meetings will be used to secure the commitment of organisations with a stake in reporting to participate in a working group that will oversee reporting tasks. The initial task for this working group will be to develop a conceptual model for joint reporting activities taking into account aspects such as each partners exact information needs and reasons for reporting; the incentives for and barriers to reporting, and potential ways of integrating reporting processes conceptually and technologically. The resulting model will be tested and refined by comparing and contrasting it with detailed information on current reporting structures and procedures and their underlying rationale, and with good practice examples in the development and use of joint reporting tools. This process will allow the working group to identify potential synergies between existing and desired reporting procedures and to assess the feasibility of developing joint integrated reporting frameworks that build on different target groups own interests in reporting e-Crime.

Phase 2: Rationalisation and expansion of existing reporting mechanisms

The conceptual model will be used to engage all relevant organisations16 in the reporting actions17 and to embed the common reporting framework in each organisations reporting structures and procedures. This will lead to the integration of individual reporting structures and procedures at a pan-Wales level.

16. To include large and multi-national businesses and organisations with a presence in Wales 17. Although the awareness-raising activities will go a long way towards achieving buy-in, ultimate success in securing participation by companies and other organisations in the task of reporting e-Crime will depend on being able to allay their concerns around issues of privacy, data protection, etc.

28

www.ecrimewales.com

Reporting and monitoringAction Plan e-Crime Wales of e-Crime

Phase 3: Integration of reporting structures

Once a coherent framework has been developed and implemented in all participating organisations, the integration of these reporting building blocks will be piloted. At this stage, simple solutions will be sought, for example, the exchange of information by e-mail, collection of information in simple databases and manual feedback loops. These will all serve to test the coherence of reporting relationships and to pilot particular procedures. This trial will be limited in size, for example to a particular category of e-Crime, or to a geographical area, or to a sample of organisations from target groups.

Phase 4: Development of e-reporting tools

Following the pilot phase, more sophisticated e-reporting tools will be developed that will allow all associated organisations in Wales to adopt and integrate these reporting procedures. The working group will develop a technical specification for the systems architecture of the e-reporting tools to be used and will commission development work, giving due consideration to synergies between the e-reporting tool and the e-Crime Wales website. The results of this second development phase will be piloted for one year, during which time the working group will collect feedback and respond to any technological or structural problems that may occur. The aim here is to ensure that businesses and other stakeholders are able to recognise what constitutes an e-Crime and understand what steps they have to take to report e-Crime to the relevant authorities. When fully up and running, the reporting tool will operate alongside the e-Crime Wales website, which will be the place where all stakeholders can share their experiences of e-Crime, find out what to do to avoid becoming a victim of e-Crime, and find out how to access any further support they may need.

Phase 5: E-reporting operations

Following the pilot phase, systems for the continuing operation of the e-reporting tool will be put in place. Operational responsibility may be transferred in a number of ways. For example, it could be passed to a group of public sector organisations, a separate public organisation could be created specifically for the purpose, or it could be contracted to a commercial provider. Key activities Formation of working group Development of conceptual model and work programme Development of reporting structure and procedures Dissemination of guidelines and implementation in individual organisations Awareness-raising vis--vis customers and partners Development of integration tools for reporting structures and procedures Piloting of integrated reporting procedures Development of e-reporting tool Piloting of e-reporting tool Assessment of options for operation of e-reporting tool Contracting of e-reporting tool operation

www.ecrimewales.com

29

e-Crime Wales Action Plan

30

www.ecrimewales.com

www.ecrimewales.com