Security: No place to hide

We live in insecure times. Last month firms were brought to their knees by Blaster and SoBig. Last week an IT expert was jailed for nine years for downloading details from 9,000 credit cards.

For IT chiefs these matters are more than headlines - they are real-life threats. Here, IT leaders and virus specialists contribute their views to help the industry deal with the issues.

Imagine for a moment that you are the chief executive of an international investment business and you have a problem, a big problem. An organised crime group has picked your business to be the victim of a distributed denial of service attack, similar to that experienced by Microsoft in the Blaster worm attack last month. The activity is directed against the company's servers running with vulnerable ports - and the objective is to bring down its online trading activities for 30 minutes each week.

Unlike Microsoft, you cannot simply switch your servers off during the attack. Apart from the damage to your reputation, the cost of 30 minutes of lost trading to your business is more than £1m, and following the first incident you receive a phone call from the gang, telling you that the problem will continue unless a £1m "consultancy fee" is transferred to a bank in Colombia. What do you do next? You have three options: make a call to the National Hi-Tech Crime Unit (NHTCU) and report the crime; buy more security software and learn a harsh lesson; or quietly pay the criminals off.

This is the nature of the problem facing the police and business today, and one of the scenarios being prepared for discussion at next year's e-crime congress, which is organised by the NHTCU. Without accurate figures, and with no financial institution willing to discuss the subject, it is only possible to present an estimate of the levels of e-crime in the UK today. In many cases organisations believe they stand to lose more in terms of damage to their brand and customer confidence than they would gain by reporting an incident to the police. Earlier this year, a survey commissioned by the NHTCU and conducted by polling firm NOP revealed that security incidents had cost UK business an estimated £143m over the preceding 12 months.

The survey exposed 3,000 incidents among the 105 organisations surveyed, including information theft, virus attacks and the loss of hardware other than laptop PCs.

From a business perspective, grasping the true size and nature of the problem is difficult. By including hardware and virus-related incidents, the "big ticket" crime problems remain largely hidden in the statistics. It is rather like being offered the tonnage of allied shipping sunk as a measure of U-boat success in the second world war: it does not tell you what you really want to know, which is how many ships were actually sunk.

Chris Potter, information security partner at PricewaterhouseCoopers (PwC), points to two surveys carried out by the company. "One of the big issues with e-crime is the definition," he says. "The DTI Information Security Breaches Survey 2002 indicated that nearly half of all UK companies have suffered malicious information security incidents, but most of these relate to virus infection and website hacking attempts. Relatively few incidents to date have involved electronic theft or fraud, with surveys showing only 6% of UK businesses affected so far."

Potter adds, "The cost incurred for an individual electronic theft or fraud is often much greater than for other security incidents. The PwC Global Economic Crime Survey 2003 estimated the average loss from a cybercrime incident as $800,000 (£504,000). Second, most businesses expect the prevalence of cybercrime to rise significantly over the coming years. As more business is done electronically, more economic crime will become e-crime."

At employers' body the CBI, Jeremy Beale, director of e-business, identifies a number of problems facing companies where e-crime is involved. "First, business can rarely tell if a crime has been committed and, if one has, they do not know who they should contact - the local police force or the NHTCU.

"Second, it is too early to scale the exact size and nature of the problem. What is clear is that it is significant and government needs to bring its efforts together to create a single point of contact, through a central sponsor for information assurance."

Few companies are aware of the NHTCU's confidentiality charter, which is designed to protect a business from any potential damage or loss of confidence that might arise as a consequence of publicity. Companies can report e-crime on an intelligence-only basis, which the police will use as part of an information-gathering exercise that might lead to the conviction of a third party in the future, or as part of a suitably sanitised "threat assessment" that might be shared with similar organisations. Alternatively, a company can report a crime with a view to having it investigated, in which case an application can be made to the trial judge for public interest immunity in order to protect the name of the business involved.

According to Tony Neate, industry liaison officer at the NHTCU, "More sections of industry are reporting crimes and the increase in successful arrests and prosecutions is leading to a more informed view of what is happening." However, the NHTCU concedes that even greater efforts need to be directed towards educating the business community about the process of reporting. For those who do not know, this involves making a first approach to a regional computer crime unit, which will then escalate the report to the NHTCU if it demands national attention.

Beale acknowledges the reporting problem and adds that the CBI is working with the NHTCU on a programme to inform small- and medium-sized businesses about the dangers of e-crime. "More needs to be done to raise board-level awareness of the responsibility of protecting business assets," says Beale, "and we need to have more collaboration between industry networks and early warning systems."

He says the e-crime debate is still "treading water" while the police struggle to gain an accurate impression of the size of the problem and business gradually realises that it is an issue that has to be recognised and understood at the most senior levels.

E-crime is here to stay and there is every indication that it will continue to grow at a steady and alarming rate unless businesses and law-enforcers can collaborate more closely. The NHTCU head, Len Hynds, says that at present, a great deal of energy is devoted to "scoping the problem" and addressing the issues that arise as a consequence. "You would be surprised at how even the conduct of more conventional crimes, such as drug-trafficking, is expanding into the digital environment, which illustrates the serious nature of the problem facing society," he says.

Businesses must accept that being mugged can happen as easily in cyberspace as on any high street, but being warned is not enough. If you listen to the CBI, PwC and the police, being prepared and a little paranoid might be a better business strategy for the future.

The next e-crime congress will take place in London on 24-25 February 2004. The NHTCU's website is at