Major fraud has become synonymous with computer crime and the cost to business is staggering. But computers do not commit crimes – people do. The focus now is on ‘human factors’ to stop the rot. Because some of it can remain undiscovered for a long time or is never even reported, no-one knows the true cost of electronic crime to organisations around the world. But given that the authoritative CSO Magazine eCrime Watch Survey estimated the cost to US organisations to be $666 million in 2003, you might have to wait a long time for the auctioneer’s hammer to fall if you started the bidding at around a trillion dollars a year.
Facts are hard to come by because many companies are reluctant to admit they have suffered a ‘hit’. However, it’s said the average American company loses six per cent of its revenue to crime, fraud and theft – most of it by electronic means. In the UK, the figure is half that and other countries find themselves in similar situations.
And while many attacks come from outside the organisations affected, some are facilitated by people within and others are the work of insiders or others who have access within the organisation’s defences. In 2005, for example, fraudsters attempted to steal an estimated £220 million from the Sumitomo Mitsui Bank in the City of London, entering the building as cleaning staff to connect hardware bugs to the keyboard sockets of the bank’s computers. The bugs captured keystrokes and transmitted the information to the fraudsters, revealing account details and other information.
The human factor
Technologies such as world-class firewalls can help protect a company’s electronic treasures from outsiders – a bit like moats helped to protect castles in days of yore. And inside the ‘moat’, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can monitor applications and services, raising the alarm when an unauthorised attempt is made to gain access or an unusual pattern of behaviour is detected.
Technology is, however, only part of the solution. Because it is people that are ultimately responsible for crime, security will always benefit if employees are vigilant and understand what’s expected of them. A culture is required in which employees share the responsibility of defending the company against attack – one in which everyone knows how to behave responsibly, is alert to potential problems, and understands what best to do when confronted by a malicious attack.
Set the scene
So how can an organisation gain the support of its employees in the fight against e-crime?
The first step is to understand that, if they don’t know why they are needed, employees may see security precautions more as a nuisance than an essential of business. Unfortunately, security people sometimes have to prevent others from doing what they want to do, or what it would be easiest to do, in the interests of keeping the organisation secure.
The reality, of course, is that effective security is a business enabler and a useful sales tool – something that inspires customer confidence and has been known to help close many an important deal. The problem is that this is often not communicated, with the result that people are aware only of the ‘what’ and not of the ‘why’.
It’s also important for people to be aware that security breaches can have a massive impact on a company’s bottom line. In the UK, for example, industry loses around £32 billion a year to fraud while spending another £8 billion on fraud prevention, making a total of £40 billion – more than half the cost of the country’s National Health Service.
That makes security a board-level issue and not just something for the IT department to sort out. And it makes it important for top managers to be visibly engaged in the fight against e-crime.
While technology can go wrong on its own, a crime can only be committed if a human being plays an active part – either by intent or negligence. The answer is for organisations to make everyone aware of the consequences of negligent or deliberate behaviour that breaches the rules, whether from outside the company or from within it.
This can be a tall order in an international company where cultures and languages differ. And it’s not just about spoken languages, but about getting the security message across in a jargon-free way to different levels of staff.
Senior teams need to know about their personal liability under international law and compliance with such things as Sarbanes-Oxley (SOX) legislation that followed financial scandals including Enron, WorldCom and Arthur Andersen. Top people sometimes view security as a negative overhead and need to be persuaded that it can enhance Return on Investment (ROI) and boost the bottom line of the business.
Middle managers, particularly those in sales and marketing, need to know that an effective security policy can help to close deals as a direct spin-off of enhanced customer confidence.
The general workforce should be made aware of risk and encouraged to ‘keep the door shut’ both physically and electronically. This includes everything from protecting their laptops and Blackberry devices, through to ensuring that they have the right passwords and checking the alarm is set when they are last to leave a building.
Statistics suggest that about 80 per cent of e-crime is caused by people who do not intend to do anything wrong but might do so by mistake. As a result, organisations need to develop programmes aimed at prevention, education and awareness training.
This might involve regular mandatory Computer-Based Training (CBT) packages, company-wide security clinics and global road shows to keep awareness high. Companies may also wish to consider a 24/7 helpdesk to provide help and advice to their employees, and to capture details of incidents.
It’s also important to make sure a company’s business processes are designed to reinforce its security policies. For example, while the City of London Police reckon that only 25 per cent of crime is reported, organisations can implement policies that require their people to do so. For example, if a car is damaged or a laptop stolen, no item can be replaced or repaired without a Crime Reference Number that triggers the appropriate system.
Organisations can also work with accredited Computer Emergency Response teams to trace anyone trying to illegally access systems, and with the High-Tech Crime Unit and other forces around the world. Not only does this enhance their ability to track down and prosecute criminals, it also sends a clear message to the hacking community that the organisation will relentlessly pursue hackers and confiscate their equipment and is, therefore, best left alone.
Helping the police with their inquiries really is a last resort, however. With the correct ‘human factors’ in place, such extreme measures should not be necessary. Technology does not cause crime, people do – and people can prevent it if they are properly trained and aware of the dangers.