As business data and hardware thefts continue to rise. Olga Wojtas reports on a Glasgow academic team's project to help companies combat computer crime
No reliable statistics exist on the effect of computer crime on business. Companies are understandably unwilling to highlight the inadequacy of their existing security measures in case this damages customer confidence. But recent surveys have revealed that computer related theft has increased from 29 per cent of all theft to 46 per cent, with Pounds 2.5 million worth of computer chips stolen from one Scottish factory alone. The average cost of computer fraud is Pounds 133,000, and there has been an almost five-fold increase in reported virus infections, which cost an average Pounds 4,000.
John Biggam and Alan Hogarth of Glasgow Caledonian University's department of computer studies aim to help Scottish companies combat computer crime in a project funded by the Scottish Business Crime Centre, a body set up by the Scottish police and the business community.
"All the reports say computer crime is a major issue, but the companies don't appear to be picking up the baton," says Biggam. "We don't think it's new science that will solve the problems. It's a people issue. Business has been given a lot of advice, but not in language it likes. Either it's too brief, or it's very mathematical, or it's highly technical, like cryptography, the science of coding and decoding information. Business folk simply don't understand it."
Biggam and Hogarth have found that while there has been a much work to help designers produce computer systems which meet the needs of users, computer security appears to be developing as a separate entity. It is often used to offer piecemeal solutions after a company has suffered a particular problem, such as hacking or a virus.
The GCU team's guide to protection against computer crime will be published this summer. They hope it will lead to companies seeing security as a core activity crucial to their work, rather than an addition.
"We are looking at developing a framework that captures a user's security requirements and produces a specification based on business objectives, not something produced in isolation in terms of 'you've been vulnerable to the following so this is what you should purchase to protect yourself'," says Biggam.
The plain language guide will suggest strategies combat three main types of computer crime: unauthorised access, unauthorised modification of data and programs, and theft of computer parts, including data and software. Companies should first pay attention to physical security, for example reducing the number of entrances to core computer systems, and securing mainframe and file servers in a locked room. Passwords should be changed regularly, with staff unable to gain computer access unless they comply, and invalid logon attempts being recorded.
Deterring physical and logical access minimises sabotage, and companies could have strategies to minimise its impact, such as off-site standby facilities, with the cost shared with other organisations. There will be advice on installing virus detection software on computer systems, and checking external disks through a central "sheep dip" system. There should also be simple procedures for reporting a virus attack, such as dialling a specific company number, rather than users tackling the problem alone.
The GCU team recently visited the FBI's computer crime squad in New York to learn about its approach. The FBI has encouraged businesses to report incidents promptly by guaranteeing them confidentiality. Squad members gather evidence as quickly as possible, copying data onto disks, and the business is quickly up and running again.
"That's something we would need to replicate here. Businesses don't know how to react when there's a security breach, and can actually unknowingly tamper with the evidence," says Biggam.
The GCU researchers will urge companies to create audit trails recording all computer operations. Audit software can help detect unauthorised activities such as file access or file deletions, and produce evidence to support a prosecution.
Legislation exists to cover computer crime, but companies must often take steps to ensure adequate evidence. To prove unauthorised access, for example, there must be evidence that access was deliberate and the offender knew it was unauthorised.
Companies are concerned about time and money, says Biggam, and he has witnessed the "strange contradiction" that they will drop a strategy if they think it takes too long or costs too much, no matter how much they could suffer as a result.
"We have to talk in business language, and talk about how they can respond to computer crime in such a way that it's not an inconvenience, and their business will benefit."