E-business: Convicting the cybercriminals

The main concern of any company suffering a hack attack should be to identify the source of the breach and determine whether it is an internal or external problem, according to KPMG’s 2001 global e-fraud survey.

‘The immediate resolution of the problem by the internal system administrators and IT personnel will often compromise the integrity of the data, thus causing the evidence of the breach to be corrupted. As a result, the likelihood of the company to be in a position to recover assets or pursue legal action will be more difficult or impossible,’ the report says.

Alex Plavsic, fraud investigations partner at KPMG, advised that companies should work with a professional computer forensic team, as the police will give only limited assistance in building up evidence of a break-in.

‘Companies have to go to the police with an open-and-shut case. Therefore, the institution has to do most of the legwork,’ he said.

Taking legal action
Around 83% of the companies that suffered security attacks admitted they had not taken any legal action. This was put down to a lack of legislation, lack of evidence and out-of-court settlements. More than 1,250 chief executives and chief information officers in the largest public and private companies in 12 countries, including the UK and US, took part.

Only 9% of companies admitted to a breach in their e-commerce operations in the past 12 months, but the UK had the second highest number of incidents behind India. Fewer than 35% reported having security audits on their e-commerce systems. And it seems users have got their priorities all wrong when it comes to security. More than 50% said hackers were the main threat to internet systems, but fraud investigators and security consultants disagree.

Internal breaches
‘Often, breaches are internal in collusion with external parties. That is where the greatest threat lies. The problem is most organisations don’t like to think that their own people are ripping them off, but they need to table the risks and address them,’ said Plavsic.

The survey showed more than half the companies that had suffered an attack on their systems in the past year were able to identify the perpetrator.

Failing to change the default passwords shipped with out-of-the-box security products, and a lack of internal controls, are two common problems, according to Paul Williams, partner and member of the ethical hacking team at Andersen.

‘We go into companies and find default passwords have not been changed. Any hacker will try these first.

‘When a system is being developed, many people are given wide access to it. But when the system goes live, no-one remembers to cancel those access rights,’ he said.
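Both of the problems Williams describes can be caught by a routine access review rather than discovered after a breach. The script below is an added illustration, not code from the article, from KPMG or from Andersen; it assumes a constructed account export with a `phase` field recording whether a grant was made during development, an assumed go-live date, a constructed list of documented vendor default credentials, and plain SHA-256 hashing purely so the example runs stand-alone (a real password store would be checked with its own salted, slow hash).

```python
"""Access-review checks for two findings the article names:
(1) vendor default passwords left in place, and
(2) broad access rights granted during development that nobody revoked at go-live.
Every record below is constructed for the example."""
import hashlib
from datetime import date

# Constructed: credentials a product's own documentation lists as factory defaults.
KNOWN_DEFAULTS = [("admin", "admin"), ("admin", "password"), ("root", "changeme")]


def pw_hash(password: str) -> str:
    # Assumption: plain SHA-256 keeps the example self-contained. A production
    # check would verify against the store's salted, slow hash instead.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account export: one record per local account on the system.
GO_LIVE = date(2001, 6, 1)  # assumed date the system went into production
ACCOUNTS = [
    {"user": "admin", "hash": pw_hash("admin"), "roles": {"superuser"},
     "granted_on": date(2001, 2, 10), "phase": "development"},
    {"user": "dev_jane", "hash": pw_hash("Tr0ub4dor&3"), "roles": {"superuser", "dba"},
     "granted_on": date(2001, 3, 5), "phase": "development"},
    {"user": "ops_bob", "hash": pw_hash("correct horse"), "roles": {"operator"},
     "granted_on": date(2001, 6, 15), "phase": "production"},
    {"user": "root", "hash": pw_hash("n3w-l0ng-pass"), "roles": {"superuser"},
     "granted_on": date(2001, 1, 1), "phase": "production"},
]
BROAD_ROLES = {"superuser", "dba"}  # rights that should be rare after go-live


def find_default_credentials(accounts, defaults=KNOWN_DEFAULTS):
    """Return users whose stored hash equals the hash of a documented default."""
    default_hashes = {(u, pw_hash(p)) for u, p in defaults}
    return sorted(a["user"] for a in accounts
                  if (a["user"], a["hash"]) in default_hashes)


def find_stale_dev_grants(accounts, go_live=GO_LIVE, broad=BROAD_ROLES):
    """Return (user, broad roles) for rights granted during development,
    before go-live, that are still present in the export."""
    return sorted(
        (a["user"], sorted(a["roles"] & broad))
        for a in accounts
        if a["phase"] == "development"
        and a["granted_on"] < go_live
        and a["roles"] & broad
    )


def access_review(accounts):
    """Bundle both checks into one report a reviewer can act on."""
    return {
        "default_credentials": find_default_credentials(accounts),
        "stale_development_grants": find_stale_dev_grants(accounts),
    }


if __name__ == "__main__":
    for finding, items in access_review(ACCOUNTS).items():
        print(f"{finding}: {items}")
```

Run against the constructed export, the review flags `admin` as still carrying its factory password and reports `admin` and `dev_jane` as development-phase superuser or DBA grants that outlived go-live; scheduling this kind of review at go-live and periodically afterwards is the internal control whose absence the survey describes.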

Legal action was not always taken when breaches occurred because of inadequate laws and a lack of evidence, according to the survey. A recent DTI survey found 60% of UK organisations suffered a security breach in the past two years and more than 40% came from internal sources, such as operator or user error.

According to the DTI survey, 62% of companies had transactional e-commerce systems, with almost two-thirds of those being business-to-business. The financial services sector made up 15% of respondents, followed by manufacturing, retail and then government institutions.

  • Andy McCue writes for Computing
