Police forces are having to abandon investigations into computer crimes committed by employees at work because employers are failing to enforce their security policies, a senior detective revealed last week.
Steve Santorelli, detective sergeant at Scotland Yard's Computer Crime Unit, said a significant percentage of police investigations fail to get off the ground because employers have not spelt out to staff what is and is not acceptable.
Cases where employees copy sensitive data by gaining unauthorised access to their employers' systems, or change the contents of web pages without permission, can be difficult to prosecute unless companies clearly lay down the boundaries.
"There is no point starting a major investigation of a system if the security policy has not been properly implemented. It gives people too many escape clauses. It is even more important when you have subcontractors coming in," said Santorelli.
Detectives at the Computer Crime Unit have been shocked by the state of some of the company security policies they have seen. In one case a company simply copied the security policies of another firm and forgot to delete its name from the document.
Businesses really need to design their own security policies from the ground up to reflect their individual needs, said Santorelli.
Common errors include failing to make sure that staff are aware of the policy, failing to ensure that they have signed up to it, and failing to remind them regularly what is and is not acceptable.
Many policies do not warn staff of the dangers of social engineering attacks from hackers looking to bypass security systems by conning people into revealing important company information that will allow the hackers to access systems.
"You can have the best firewalls and the best intrusion detection protection systems but if someone can bypass them by putting in a phone call and using social engineering, security is circumvented," said Santorelli.
Richard Starnes, an IT security professional, said companies should make responsibility for good IT security practices part of employees' contract of employment. It should also feature in staff annual reviews, he said.
Where security policies fall down
According to the Scotland Yard Computer Crime Unit, employers are:
- Failing to address the company's own security issues
- Not making staff aware of the policy
- Not ensuring that employees have signed up to the policy
- Failing to remind staff regularly what is acceptable and what is not
- Offering no warning to staff of the dangers of being conned by hackers into giving away access information