Cybercrime unit recruitment: How to attract top talent and retain skilled professionals

Struggling with a cybersecurity talent shortage and high turnover? These actionable strategies can help you recruit and retain the experts your cybercrime unit needs to combat growing digital threats

By Lee Lerussi

In today’s digital age, cybercrime units within law enforcement face increasing challenges due to the rapid growth in both the complexity and volume of cyber-related offenses. The rise in cybercrimes, including ransomware, identity theft, and financial fraud, has significantly increased the workload of these units. The FBI’s Internet Crime Report highlighted a substantial rise in cybercrime complaints and financial losses in 2020. [1]

Personnel attrition is a critical issue, with high turnover rates and a global shortage of cybersecurity professionals impacting the effectiveness of cybercrime units. Solutions like role clarification, job satisfaction enhancements, competitive compensation and clear career pathways are essential to retain skilled personnel. Effective intake procedures, managed by dedicated specialists, streamline case management by triaging and imaging devices, freeing up other personnel for detailed investigations.

Escalating workloads in cybercrime units

The workload on cybercrime units has increased dramatically in both volume and complexity due to several factors. Cybercrime has grown exponentially in frequency and sophistication. In 2020, the FBI’s Internet Crime Report noted 791,790 complaints and over $4.2 billion in reported losses, a 69% increase from 2019. [2] This reflects a global trend of diversifying cyber offenses, including ransomware, identity theft, and financial fraud, with cybercrime costing the global economy about $600 billion annually. [3]

The spectrum of cybercrimes has broadened, with ransomware attacks rising by 62% in 2020. [4] The increase in cybercrimes has led to a 120% rise in digital evidence submissions to forensic laboratories over five years, overwhelming resources and creating backlogs. [5] For example, the UK’s Metropolitan Police Service reported a 157% increase in digital forensic submissions between 2015 and 2020. [6]

The exponential growth in digital storage capacity further complicates forensic examinations. Modern devices hold terabytes of data, requiring advanced tools and more time for comprehensive analysis. The global datasphere is expected to reach 175 zettabytes by 2025, increasing the challenge for cybercrime units. [7]

Investigations now often involve multiple devices per case, including smartphones, tablets, IoT devices, and cloud storage solutions. Each device type has unique data structures, access methods, and encryption technologies, compounding the complexity of forensic tasks. Integrating and cross-referencing evidence from diverse sources requires sophisticated tools and skilled personnel, with Europol reporting that 65% of cybercrime cases in 2020 involved multiple devices. [8]

The challenge of personnel attrition

Personnel attrition remains a profound challenge in cybercrime units, exacerbated by the global cybersecurity workforce shortage. The field of digital forensics is nearing a crisis with a significant loss of personnel, particularly skilled staff moving to more lucrative private sector jobs. The turnover rate impacts not only the immediate capacity of these units to respond to incidents but also affects the progression of cases and the quality of investigations. Innovative solutions such as role clarification, enhanced job satisfaction and strategic increases in staffing are crucial to address these challenges effectively.

According to the Police Executive Research Forum (PERF), police retirements increased by 45% in 2020 compared to the previous year, and resignations increased by 18% during the same period. [9] Additionally, the number of new applications for police positions has seen a significant decline. PERF reported a 63% decrease in applications from 2019 to 2021. [10] This trend is not isolated; similar statistics are seen across various states. For instance, the New York Police Department (NYPD) experienced a 75% increase in retirements in 2020, and the Los Angeles Police Department (LAPD) saw a 20% drop in recruitment in the same year. [11] This drop in personnel severely impacts the operational capacity of cybercrime units, as they rely heavily on both experienced and new officers to manage the increasing workload.

Improving retention and recruitment of personnel

Enhanced job satisfaction in cybercrime units can be achieved through role clarification, professional development, recognition and incentives. Clearly defining roles and responsibilities fosters a sense of purpose and belonging among employees. Continuous training and development opportunities keep personnel current with technological advancements and forensic techniques, enhancing their skills and demonstrating the agency’s investment in their growth, which boosts job satisfaction and loyalty.

Implementing recognition programs and providing incentives for outstanding performance can motivate personnel. Regular acknowledgment of achievements, through formal awards or informal praise, can boost morale and encourage retention.

Competitive compensation packages, including salary adjustments, benefits and rewards, are essential to attract and retain skilled personnel. Law enforcement agencies should regularly review and adjust salaries to remain competitive with the private sector. Enhancing benefits packages, including healthcare, retirement plans, and additional rewards such as flexible working hours or remote work options, can make public sector positions more attractive.

Career advancement opportunities, such as clear career pathways and mentorship programs, are also crucial. Establishing clear career pathways allows personnel to envision a long-term future with the agency. Opportunities for promotion and lateral moves to specialized roles keep employees engaged and committed. Implementing mentorship programs where experienced staff guide and support newer employees can enhance job satisfaction and professional development, fostering a collaborative environment and building a keen sense of community within the unit.

Budgetary benefits of retaining trained and certified personnel

Cost savings on recruitment and training can be substantial. High attrition rates necessitate continuous recruitment, which is costly and time-consuming. Retaining personnel reduces the frequency and costs associated with recruitment processes, including advertising, interviewing, and onboarding. Training new hires to reach the proficiency levels of experienced staff requires significant investment. Retaining trained and certified personnel minimizes these training costs, allowing for more efficient resource allocation.

Retaining skilled personnel also increases operational efficiency. Experienced staff manage complex cases more effectively, leading to better outcomes and faster case resolutions. A stable workforce provides continuity in operations and maintains institutional knowledge, which is crucial for long-term strategy development and building strong collaborative relationships.

Enhanced morale and productivity are additional benefits. Long-term retention fosters team cohesion and collaboration, as personnel develop strong working relationships and a deep understanding of each other’s strengths and weaknesses, enhancing overall productivity. A stable and satisfied workforce contributes to a positive work environment, further reducing turnover and attracting new talent. A positive work culture where employees feel valued and supported is crucial for long-term success.

Focusing on retention strategies and maintaining a trained and certified workforce enables cybercrime units to achieve significant budgetary efficiencies and enhance operational capabilities. This approach addresses immediate personnel attrition challenges and ensures the long-term sustainability and effectiveness of the unit.


Intake procedures for cybercrime cases

Effective intake procedures are crucial for managing the flow of cases within cybercrime units. A model where Computer Forensic Specialists serve as “Case Intake” has proven effective. These specialists ensure the completeness of submissions and identify instances where a Special Agent might also be co-assigned to assist with investigative aspects. Additionally, intake specialists can perform triage of cases and devices, and forensic imaging, freeing up other personnel for more detailed investigative and analytical tasks:

  • Initial submission: Cases are initially submitted to the intake unit where specialists verify the completeness and accuracy of the documentation and evidence.
  • Triage and prioritization: Intake specialists perform a preliminary assessment to determine the urgency and complexity of each case, allowing for prioritization based on factors such as the type of crime, potential impact, and available resources.
  • Forensic imaging: Intake specialists oversee the forensic imaging of digital devices, creating exact replicas for analysis while preserving the integrity of the original evidence. This step ensures that investigations can proceed without the risk of evidence tampering.
  • Assignment to investigators: Based on the triage, cases are assigned to appropriate personnel, with simpler cases directed to junior staff or analysts and more complex cases allocated to experienced investigators and forensic experts.
  • Collaboration and support: Intake specialists continue to support investigative teams by providing initial forensic insights and maintaining a repository of imaged evidence for further examination.

Benefits of role separation

With dedicated intake specialists, the workflow becomes more streamlined. Specialists focus on specific tasks, ensuring high efficiency and accuracy in the initial stages of case handling. With intake specialists managing preliminary tasks, investigative personnel are freed to concentrate on detailed analysis and complex investigative procedures, reducing delays and bottlenecks in the workflow.

Efficient intake procedures enable quicker triage and assignment of cases, leading to faster case resolutions and improved response times to cyber incidents.

Utilizing non-sworn intake specialists for preliminary tasks is more cost-effective compared to deploying highly paid sworn officers for the same roles. This allows budgetary resources to be allocated more effectively, optimizing the use of funds for high-priority and complex investigations.

Role separation allows for targeted training and development programs. Intake specialists can receive focused training on forensic imaging and case triage, while investigators can concentrate on advanced investigative techniques. This specialized training approach is more economical and yields better results.

Specialized intake units can be equipped with specific tools and software required for initial case handling and forensic imaging. This avoids the need for duplicating expensive equipment across multiple investigative units, leading to significant cost savings.

Higher job satisfaction and retention: Role separation provides clear career paths for both intake specialists and investigators, enhancing job satisfaction and reducing turnover. Specialists can progress within their niche, while investigators can focus on their core competencies.

When tasks are distributed based on specialization, the overall workload becomes more balanced, reducing stress and burnout among personnel. This balanced approach contributes to higher morale and job satisfaction, positively impacting retention rates.

Roles of sworn vs. non-sworn personnel in cybercrime units

In cybercrime units, the roles of sworn and non-sworn personnel are critical to the successful operation of investigations. Sworn officers manage the enforcement and investigative aspects, while non-sworn personnel, such as Computer Forensic Specialists (CFS) and analysts, provide the technical expertise necessary for complex data analysis and recovery. This separation of roles allows each team member to utilize their specialized skills effectively, contributing to more thorough and legally sound investigations.

Sworn officers: Sworn officers in cybercrime units are responsible for the enforcement and investigative aspects of cases. They engage in conducting arrests, executing search warrants, and leading field investigations. Their duties also include performing field imaging and assisting prosecutors by applying evidence from examinations to investigations. Sworn officers bring a unique perspective by combining traditional law enforcement techniques with cybercrime complexities. Their responsibilities involve executing legal procedures, conducting field investigations, and interviewing suspects, witnesses, and victims using their training in interrogation techniques.

Non-sworn personnel: Non-sworn personnel, including Computer Forensic Specialists (CFS), digital analysts and cybersecurity experts, focus on the technical aspects of cybercrime investigations. They are crucial in analyzing digital evidence and supporting sworn officers in building cases. Their roles include performing forensic analysis of computers, mobile devices, and other digital media to recover and interpret data relevant to investigations. They use specialized software to analyze large volumes of data, identify patterns and extract actionable intelligence. They also provide technical assistance during field operations, managing digital devices and ensuring proper evidence management.

Combining skills for enhanced effectiveness

Combining the skills of sworn and non-sworn personnel enhances the effectiveness of cybercrime units. Sworn officers bring law enforcement authority and investigative skills, while non-sworn personnel contribute specialized technical expertise. This collaboration ensures that both legal and technical aspects are thoroughly addressed. Delegating technical tasks to non-sworn personnel allows sworn officers to focus on enforcement and legal procedures, increasing overall efficiency. This division of labor ensures that the most qualified individuals manage each aspect of the investigation. Utilizing non-sworn personnel for technical tasks is often more cost-effective than training sworn officers in specialized fields, maximizing resource use and optimizing budget allocations.

The difference in compensation between sworn and non-sworn personnel significantly impacts the budget of cybercrime units. Sworn officers typically receive higher salaries and benefits due to their broader responsibilities and associated risks. Their compensation packages often include a higher base salary, comprehensive benefits, and opportunities for overtime pay and additional incentives for specialized skills or assignments.

Non-sworn personnel, while highly skilled, may have lower base salaries, though these remain competitive within the cybersecurity and digital forensics field. Their compensation packages include standard benefits and opportunities for certification and training in specialized forensic tools, often funded by the agency.

Employing a mix of sworn and non-sworn personnel allows cybercrime units to manage budgets more effectively. The lower salaries of non-sworn personnel enable agencies to allocate funds towards other critical areas, such as advanced forensic tools and training programs. The specialization of roles reduces the need for extensive cross-training, further optimizing resource utilization. By leveraging the strengths of both sworn and non-sworn personnel, cybercrime units can enhance their operational capabilities, improve efficiency, and manage budgets more effectively.

Conclusion

Optimizing resource allocation by combining sworn officers and non-sworn personnel enhances efficiency. Sworn officers bring law enforcement authority and investigative skills, while non-sworn personnel offer specialized technical expertise. This collaboration ensures thorough legal and technical investigations.

Addressing personnel attrition is crucial for maintaining operational capacity. Strategies such as enhanced job satisfaction, competitive compensation, and clear career advancement opportunities help retain skilled personnel, reducing recruitment and training costs.

Effective intake procedures, managed by dedicated specialists, streamline case flow within cybercrime units. This model ensures complete submissions, triages cases and devices, and performs forensic imaging, allowing other personnel to focus on detailed investigations. Efficient intake procedures lead to quicker triage, faster case resolutions, and improved response times.

References

  1. 2020 Internet Crime Report. FBI Internet Crime Complaint Center (IC3).
  2. Ibid.
  3. Cybercrime: A Global Problem. United Nations Office on Drugs and Crime (UNODC).
  4. Ransomware Trends 2020. Cybersecurity Ventures.
  5. Digital Forensic Evidence Backlog. Major Metropolitan Police Department Reports.
  6. Metropolitan Police Service Annual Report 2020. Metropolitan Police Service, UK.
  7. Data Age 2025: The Digitization of the World. International Data Corporation (IDC).
  8. Internet Organized Crime Threat Assessment 2020. Europol.
  9. Police Executive Research Forum (PERF). Survey on Police Workforce Trends, 2021.
  10. Ibid.
  11. Ibid.

About the author

Lee Lerussi is a national security, cyber crimes and anti-terrorism expert with 25+ years of leadership experience and a total of 38 years in law enforcement. He is the founder and owner of LeeLand Consulting, Inc., located in Ohio. He has been working in the U.S. State Department’s Anti-Terrorism Program as a Subject Matter Expert (SME) and Instructor since 2013. Since 2019, Lee has served as an embedded mentor to Antiterrorism and Digital Forensic Units deployed overseas for Constellis, LCC, a prime contractor to the US State Department. Lee served 23 years as a Senior Special Agent (retired) of the Ohio Bureau of Criminal Investigation. He frequently served as the Lead Agent, successfully completing several complex, high-profile and lengthy investigations using an interdisciplinary team approach. He currently facilitates learning and mentoring in the areas of anti-terrorism, cyber investigations, and computer and mobile device forensics for the United States Department of State – Anti-terrorism Assistance Program. Lee holds a Bachelor of Science in Psychology from Heidelberg University and has numerous certifications and awards in his field.
