Combating Cybercriminals

Computer criminals can cause huge damage, rob banks and steal industrial secrets - and they may already be working from inside your offices. Ron Condon reports on how companies can protect themselves against this new crime wave.

Running an IT system these days is a risky business. What with viruses and hacker and staff downloading lewd pictures off the Internet, it's almost tempting to turn the whole thing off and to go back to paper systems.

However, that is no longer a viable option. Information systems have become the bloodstream of commerce: turn them off and you turn off the business.

So what is to be done about viruses and hacker, and the indecent material? Well, the first thing is to grasp the full extent of what has come to be known as 'cybercrime.

According to Richard Boothroyd, principal security consultant with ICL, our notions of the dangers need to be updated. "Many people think the typical cyberpunk is a 13-year-old school kid with a virus toolkit," he says. "But these days it is as likely to be an organized criminal working in Eastern Europe."

He says organized crime is already making repeated attempts to suck money out of Western banks. How successful they have been so far is, for obvious reasons, a closely guarded secret. The development is indicative of the growing threat to computer systems from all quarters. Early computer viruses, for example, were often playful attempts to irritate and disrupt systems without causing too much harm. Now they are more likely to wipe files and inflict serious and long-term damage on their unfortunate victims.

Denial of service attacks against company websites is also becoming more frequent and devastating. This is where a hacker, or group of hacker, bombards a website with messages to the point where it collapses under the strain. For companies with significant on-line business, this is potentially disastrous. Industrial espionage is also a growing problem, with criminals aiming either to steal or - equally damaging - to corrupt information held by their victims.

Companies need to defend themselves against these and many other forms of attack, and technological weapons will clearly play a part in the battle. But according to Richard Boothroyd, technology should be seen as just part of a far wider security strategy that has the full backing of senior management.

"It is what I call SID - Security In Depth. You place a security umbrella through the company, from the top down. It is a mindset of how everyone in the company should be thinking about security," he says.

"You have first to convince the people at the top of the company that it is important to them. Failure to comply with existing legislation can make them liable to prosecution, and once they realize how many Acts cover computing, it does tend to focus their attention."

The next thing is to ensure the policy is enforced and constantly kept up to date. For example, anti-virus software must be regularly updated and software patches need to be implemented. "The most common security breaches occur because companies don 't keep their technical patches up to date. They assume they have built a fortress that will last forever more. But if you don 't keep it up to date, somebody who tries a published problem can get straight in," Boothroyd says.

Where is the threat?

True figures are hard to find, but most experts agree that the biggest threat to security comes, not from outsider, but from within the organization itself. The problem can range from staff sending libelous or indecent material on the internal e-mail system (for which company directors may be held liable), to full-scale fraud or industrial espionage.

The only way to counter this, according to Richard Boothroyd, is to create a culture of security and a security policy with built-in checks and balances.

"Ninety per cent of good security is just good common sense. It can be as simple as not letting people through the door without checking who they are. Just because someone is carrying a sink plunger and wearing a white uniform does not guarantee they are a plumber.

"You should not trust anybody or do anything unless you know who they are or what they are doing. Very secure organizations tend to split the functions so that one side validates the other. The IT security director will not be able to do anything on their own without someone else verifying what they have done .It is always a matter of checks and balances, across the whole organization."

Cybercrime: a definition

The term cybercrime covers criminal activity related to the misuse of both data and voice systems. It can be internal or external to an organization and carried out by individuals or groups of criminals

More information on Cybercrime and Cybercrime Legislation in the US:

Cybercrime Costs on the Rise in the U.S.
Legislation Urged to Protect Corporate Data, Theft of E-mail Addresses
Intellectual Piracy
Break Glass, Pull Handle, Call FBI