Cybercrime - an inside job

The biggest threat to e-security is from within. Bill Goodwin meets up with the cybersleuths to find out why

Half-dismantled computers were strewn over the work-benches in the badly-lit basement.

Peter Yapp, the laboratory's director, gestured towards the case of a single PC propped up against a wall. "It belongs to a suspected paedophile."

Yapp, a former forensic investigator with Customs & Excise, and his colleague, Stuart Mort, previously a security specialist with the Ministry of Defence, head up the small team of IT experts in Control Risks Group's forensic IT lab. They are on hand to advise businesses on how to protect their systems from viruses, hackers and computer-literate fraudsters.

Cybercrime is a recent departure for Control Risks Group, which acquired its IT expertise when it took over IT security company Network International in May.

The group is better known for its private investigation service and for the security advice it gives to companies that are trading in the world's trouble spots. But the rapid growth of the Internet has put IT security firmly on the agenda for Control Risks' clients, which include some of the City's large financial institutions.

Although many organisations turn to Control Risks for advice in securing systems from hackers and viruses, the biggest threats to security actually come from within an organisation, rather than from outside.

About 80% of security breaches are caused by a company's own staff, claimed Yapp. Disgruntled former employees, people who are careless with their passwords, and dishonest staff with a little IT knowledge, can be far more devastating to a business than an external attack.

In one notorious case, hackers were able to gain access to highly sensitive data on the systems of one large UK company, after a casual employee copied passwords left lying around the office on sticky notes.

Even when passwords are not written down, most can be easily guessed, said Yapp. It is surprising how many employees use their favourite football teams, the names of husbands, wives and children, telephone numbers and car registrations to protect sensitive data.

Disgruntled employees can be a major risk, particularly if they understand IT. Yapp and his team were able to locate and defuse a software time-bomb, left in a computer system by an employee who had recently lost his job.

Forensic evidence gathered from the computer system enabled Scotland Yard's Computer Crime Squad to bring a successful prosecution against the employee who had been using the software bomb to attempt blackmail against the company.

Forensic evidence from a computer system also helped a company prosecute an employee suspected of transferring company money to his private bank account.

"We were given this person's computer to look at and a set of likely account numbers belonging to him and his relatives," said Yapp. "We went through all the deleted files and found nothing, but then we found one of the accounts appeared in a Windows swap file. The fact that it was there at all was enough to justify a full-scale investigation."

Despite the risks posed by incidents like this, many companies fail to make adequate background checks into their employees - particularly their IT staff - who may have greater access to sensitive data than anyone else in the company. IT directors need to make sure that recruitment agencies vet potential recruits thoroughly, particularly temporary IT staff who may only be with the organisation for a few months, said Yapp.

They should also be very careful with outsourcing contracts, Yapp warned. Unless the terms and conditions are carefully worded, IT directors may find they have little control over the quality of staff hired by outsourcing partners.

"We discovered a contractor using Back Orifice [a hacking tool] in one outsourcing firm. Perhaps, to be charitable, he might have been using it as a network management tool. But it was certainly not in line with company policy," said Yapp.

Firms like Control Risks can provide full background checks on employees, but even careful inspection of a CV can be enough to ring some warning bells.

Although Yapp and his team can help companies clear up the mess when security breaches do take place, he agrees that prevention is by far the better option.

Watch out for 'creative' CV writing

  • Exaggerated qualifications like MCSE

  • Claims to membership of a particular body

  • Misleading statements about salary and position

  • Employment referees - are they genuine and relevant?

  • Inconsistencies in life history

  • Incomplete dates or absence of dates

  • Gaps and unaccounted periods of time

  • Residency and telephone details - do they tie in with career history?

  • Mistaken identity - are they who they say they are?

  • Over-stated technical knowledge. Expand on the interviewee's technical skills in the interview to confirm their knowledge

    Source: Control Risks Group
