We live and work in a world that has changed beyond recognition in the last ten years. It is now almost possible to live your entire business and personal life online. Increasingly we have been sold this vision; not only individuals, but the business world also.
Manufacturing companies suddenly turned themselves into cutting edge high technology concerns. Analysts and financial institutions put complete faith in technology investments. Small companies were told that unless they had an internet and e-commerce plan they were doomed. Dotcoms were the future – and everything else was junked, until of course the dotcoms themselves became junk.
But just like real life, this high-tech existence came with risks, and a dark shadowy side. The Council of Europe in their draft international treaty on cybercrime listed nine relevant digital criminal offences.
In simple terms, any of the above problems can (and do) affect accountants and their clients. However it is the hacker threat (illegal access) that is often perceived as being the major one of the digital age. Certainly, it is the endless number of hack attacks that grabs the media headlines.
However, hackers are just one of the groups that threaten you.
In April 2002 the Department of Trade and Industry estimated that the entire range of threats could be costing UK firms £10bn each year. Examples of digital crime that can affect any business are as follows:
In June 2000 AOL confirmed that hackers had accessed ‘a small number’ of its 23 million accounts that contain (amongst other things) credit card details. A Trojan Horse was used which was attached to e-mails sent to various AOL employees. Once the attachment was opened, a connection was created with the computer that sent it, giving it access to AOL’s system.
In 2000 a hacker broke into the website of the Australian Taxation Office and sent 17,000 copies of their bank information out. The hacker claims he took the information to prove how lax the security was. A subsequent audit of Australian government websites found that most had serious security flaws, the principal one being the Australian Radiation Protection and Nuclear Safety Agency site, which had classified security documents ready to be accessed through the internet.
There are now in excess of 60,000 computer viruses. Just one – Love Bug – remains the most financially damaging, costing $8.7bn (£5.6bn) in productivity and clean-up costs.
Internet and email fraud is abundant. Just one variant of it, Nigerian 419, illustrates the scale of the problem. US authorities receive at least 100 calls per day from victims or potential victims of this fraud and three hundred related pieces of correspondence (per day!). In 1998 a UK police squad collected 150,000 Nigerian letters/e-mails in the first four months of the year. But here’s the rub. For each 100 letters/e-mails sent, one recipient responds and another sends money.
So what advice can accountants give their clients, and what steps can the industry take itself to secure digital resources and assets?
The basic safeguards are very obvious and simple; unfortunately, in many cases even these fundamental steps are not followed. Every PC, whether it is a standalone one or part of a network, must have three pieces of software: a virus checker, a firewall and a program to detect and remove adware or spyware.
But all of these are useless unless the user ensures that each of them is completely up to date. For individual PC users and small businesses good examples of such programs are available free by download from the internet. The site www.grisoft.com offers a remarkably good virus checker which is updated regularly as new threats appear. Also www.zonelabs.com provides an equally good personal firewall and www.lavasoft.usa gives access to the most overlooked part of this trio of essential programs – a piece of software that removes spyware (tracking software that has been downloaded to your system which relays your internet usage to a third party).
Because the world of digital crime is so vast, as soon as one goes beyond these basic steps the range of advice is immense and dependent on specific risks. However, some overriding principles may be summarised in the following terms. Realise that digital security is a key issue in any type of business environment; thus both policies and procedures must exist to combat this critical area.
Staff are still a vital risk area, so relevant procedures and controls are vital. Consider the following risk areas: information risks (is information classified and access controlled?); software risks (what procedures are in place when new software is commissioned, purchased and installed?); hardware risks (what happens when new hardware is purchased – and, just as importantly, when old hardware is disposed of?); and physical security risks (digital security is pointless if there is no physical security).
Be aware of the numerous frauds that proliferate on the internet or by e-mail. Such fraudsters target small businesses, the self-employed and high net worth individuals. Just a few examples of current scams are non-existent banks, advance fee frauds, fraudulent business financing and high yield investment.
Finally the most important principle to grasp is the most basic one – that digital risks are very real, and ultimately can be catastrophic.
Earlier this year, Cloud Nine, an internet service provider in Basingstoke, shut down its business because of repeated cyber attacks against it. The company said: ‘All the directors are feeling absolutely gutted since we have all spent nearly six years building this company and its reputation to see it destroyed by a brazen act of cyber terrorism – well at this moment we can think of no words to express our true feelings.’
THE COUNCIL OF EUROPE’S KEY CYBER CRIMES
- Computer related forgery;
- Online child pornography and
- Copyright and similar rights offences.