Posted: Mon, December 13, 2004
Computers and Crime - What are the Risks to Your Business?
Sali Earls investigates the alarming new risks to business from technology crime
    
The internet is a boon for business, allowing companies to offer their products and services to new audiences around the world 24 hours a day, 365 days a year. But while the business potentials
are immense, the associated risks of computer security must be addressed. As organisations adopt new technologies to move their businesses forward, so criminals also find ways to use and abuse the
same technologies for their own means.
The National Hi-Tech Crime Unit was set up in 2001 with the mission to combat serious and organised hi-tech crime within, or impacting on the UK. In early 2004, the NHTCU conducted an IT
security survey through researchers NOP to discover the impact of hi-tech crime on UK business, and 83% of respondents had experienced hi-tech crime in the preceding 12 months. These attacks
included viruses, hacking and the theft of company data.
The survey found that businesses felt that they were most at risk from several sources of hi-tech crime, ranging from virus attacks to financial fraud.
Virus Attacks
These malicious programmes are designed to alter the operation of a computer system without the knowledge or consent of the user, and 77% of respondents to the NHTCU survey had suffered
from computer viruses during the previous year. They are self executing, often activating when a particular associated programme is used; and they are self replicating, copying themselves to other
programmes and computers across a network, or via email. The level of damage caused can range from jamming resources, to deleting files and programmes. Once infected, an organisation can be
attacked over 250 times per year.
Unauthorised Access
This is an area of threat where companies are at risk from both external and internal sources. Internal users may try to gain unauthorised access to applications or information, while external hackers
will access your system for a variety of reasons, ranging from simply testing your security, to malicious attacks. This is a particular area for concern if your organisation has something of particular value
or interest, such as online payment systems that could be breached; research and development data, possibly requiring patents or copyrights; or commercially sensitive information such as sales
prospects, business plans or personnel records.
Misuse of Computer Systems
This area of sabotage is one where the majority of the crime is committed in whole or in part by employees, and misuse can be as simple, and seemingly inoffensive as the uncontrolled use of internet
and email services by staff. The knock on effect is a loss of productivity and an increased risk of legal action for the company for any illegal activities carried out by employees using company
equipment. The other end of this scale is malicious misuse or corporate sabotage, where sensitive information is taken, abused or sold.
Fraud and Theft
While physical theft is still a concern for businesses, due to the expense of stolen items and the concern about compromised data, hi-tech theft and fraud are becoming increasingly problematic for UK
companies. Greater use of the internet has allowed criminals to target companies and individuals quickly and efficiently developing new frauds, as well as redesigning old ones to exploit
weaknesses in the technology. Phishing is a relatively new crime, but one that increased by some 4000% in the six months from November 2003 to May 2004 (Source: Anti-Phishing Working Group).
This fraud involves false emails sent to a wide audience often designed to look like communications from banks or similar organisations, requiring recipients to reply with data such as account numbers.
Identity theft is an old crime, but one that has been adapted for the internet age, with company websites "spoofed" to steal information as part of a seemingly legitimate transaction.
Data Corruption and System Failure
While companies acknowledge concerns about data corruption and system failure, a British Chambers of Commerce survey in early 2004 found that only 69% of those questioned routinely back up
data. External attacks to companies via the internet can bring about failures by flooding the system with data to prevent it from working. These "Denial of Service Attacks", and associated failures can
bring about extended periods of disruption to a company, which can have a serious impact on their ability to function. While 72% of those who took part in the same survey had reported that hi-tech
crime had impacted on their business, and 33% suffered a disruption to trading, many organisations do not have sufficient backup and recovery controls.
A new international standard has been developed in the UK to set up a code of practice for companies to adopt in order to secure systems. While the extent of this code may only be applicable to
public sector and multinational organisations, smaller companies can learn from this to develop their own security procedures and policies defining actions and responsibilities.
Companies need to take responsibility for securing their systems, otherwise they can exacerbate the problem - studies have shown that unsecured systems accessing the internet will be infected in
between 13-18 minutes, but new findings by the NHTCU have seen that systems can be compromised within 15 seconds. Adding appropriate security tools minimise that risk.
The internet has changed the way companies do business forever. For most, internet access is now a basic business requirement, and its use has brought about greater efficiency and improved
customer service with the 24/7 culture. These inherent benefits come with the negative side of increased exposure to security risks, which are getting increasingly worse, and becoming more difficult
to stop. The impact can be minimised with the combination of the right security policies, technology and user training. Organisations like the National Hi-Tech Crime Unit have been created to help
businesses fight these new threats, to act as a source of advice, and a force to combat hi-tech crime.
Ultimately, the potential impact of hi-tech crime on unprepared businesses is extremely serious. It is vital that companies become familiar with these new risks, in order to arm themselves with
appropriate internal measures, liasing with the authorities to report incidents. Businesses in Wales must take responsibility to protect themselves in order to continue to grow and prosper.
Useful Contacts:
The National Hi-Tech Crime Unit
The NHTCU was launched in 2001 as part of the government's national hi-tech crime strategy, and is the first UK national law enforcement organisation tasked to combat serious and organised
computer based crime.
http://www.soca.gov.uk
Department of Trade & Industry
A link to the IT Security section of the Best Practice website, offering a toolkit of practical business advice.
www.dti.gov.uk
BSI
BSI is a pioneer in the development and delivery of standards and best practice solutions within IT. This link provides you with further information about relevant standards including BS 7799 -
Information Security.
www.bsi-global.com
Microsoft
A link to the Security section of Microsoft's site, enabling you to keep up to date with the latest updates and best practice.
www.microsoft.com
IT Wales will run the seminar "Computers, Commerce & Crime" in early 2005 at locations in North and South Wales. This seminar, led by Clive Harper of Securion, provides detailed examples of
the risks to business, and suggests methods of addressing them. Not to be missed.
| 
Cymraeg
Subscribe to