Why you must report e-crime
Posted: 09:43 16 Sep 2003
This week's Security Special Report highlights the impossibility of getting a reliable picture of the true extent of e-crime and major IT security breaches in the UK.
While there have been various surveys and research from industry
bodies such as the National Hi-Tech Crime Unit and the National
Computing Centre, none of these statistics can be regarded as
accurate.
At the heart of the problem is the fact that many organisations
feel insecure about reporting incidents of computer crime. They
are worried that news of an attack, whether by hacking or a piece
of malicious code, will reflect badly on them as a company.
If news that an organisation has vulnerable IT systems makes it
into the public domain, it can cause untold damage to its reputation
- denting customer confidence, and dragging down the company's
share price.
At the same time, the specialist law enforcement agencies that
focus on e-crime and other IT-related malfeasance are chronically
under-funded. To secure any significant funding, the likes of the
NHTCU have to justify their existence - they need real evidence
that internet-related crimes are being committed on a large scale.
If organisations are reluctant to come forward, this evidence is
difficult to obtain - it is a Catch-22 situation.
Of late the main law enforcement agencies have made it much easier
for victims of such attacks to hand over details of security
breaches. The NHTCU has introduced a confidentiality charter which
states that companies reporting IT crimes are assured
anonymity.
Meanwhile, Scotland Yard's Computer Crime Unit has been given
additional powers to deal with hackers. In what is called a
disruption operation, officers can impound computer equipment and
generally make life difficult for a suspected hacker even if they
do not have enough evidence to make an arrest.
But, of course, the initial crime has to be reported.
Companies are fighting an ongoing battle against increasingly
sophisticated threats and it is in their interest to work with the
authorities to ensure that the bad guys are kept at bay. It is time
for businesses to bite the bullet and speak to the law enforcement
agencies to enable them to get a better picture of the true extent
of computer crime and to win the resources to deal with it.
After all, when your company is burgled, you do not try to live
with it, or to keep it under wraps - you call the police
straightaway. Why should IT crime be treated any differently?