Like so many other aspects of our lives, major fraud has gone high tech. In fact, fuelled by excited media comment, computer crime and fraud are regarded as synonymous by many. But it’s important to remember that it’s not the computers that commit crimes – it’s the people that use them, and the cost of their crimes to business is immense.
To address the problem, then, it is essential to look at the human factors involved. The first challenge with combating fraud is calculating the size of the problem. We know that it’s a serious issue for businesses around the world, but it is almost impossible to state exactly how big it actually is. After all, some frauds can remain undiscovered for lengthy periods, or are never reported at all. And, understandably, many companies that have been victims of fraud are reluctant to publicise the fact.
But we do have some close approximations available. The authoritative CSO Magazine eCrime Watch Survey estimated that the cost to US organisations alone was $666 million in 2003. Based on these figures, it’s probably safe to say that a total bill of one trillion dollars a year is a conservative estimate.
It’s also said that the average American company loses six per cent of its revenue to crime, fraud and theft – most of it by electronic means. In the UK, and elsewhere, the figure currently stands at around three per cent.
Although many attacks come from outside the organisations, some are “insider jobs’ – carried out by employees who have access to systems within the company’s defences. Something the Sumitomo Mitsui Bank in the City of London found out in 2005. Fraudsters attempted to steal approximately £220 million from the bank by entering the building as cleaning staff and connecting hardware bugs to the keyboard sockets of the bank’s computers. The bugs captured keystrokes to reveal account details and other information.
The human factor
We are used to the idea that technology should be deployed to beat IT-enabled crime. World class firewalls, for example, can help fortify an organisation – rather like thick castle walls that prevent the bad guys from getting in. Inside those walls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can monitor applications and services and raise the alarm when access is attempted by an unauthorised stranger, or when unusual behaviour is discovered.
But if we use technology to counter IT problems, we also need to use people to counter human crimes. If employees are vigilant, and if they understand what is expected of them, then security will be enhanced. Organisations need to establish a culture in which their people are all jointly responsible for defending the company against attack. That requires everyone to know how to behave responsibly, be alert to potential problems, and understand the best course of action when confronted by a malicious attack.
Set the scene
So how can this kind of culture be established?
The first step is to make it clear why security measures are needed: if this is not widely understood, then employees are far more likely to see precautions as an unnecessary nuisance than a business-critical activity.
The message that effective security is a business enabler and a useful sales tool – something that inspires customer confidence and can help close important deals – needs to be communicated. Unfortunately far too many people are still only aware of what they have to do and not why they have to do it.
It’s also important for people to be aware of the potential cost of security breaches and fraudulent activity that results. Take the UK as an example. The annual cost to industry is around £32 billion with a further £8 billion being spent on fraud prevention. That £40 billion total is equivalent to more than half the annual cost of the country’s National Health Service.
With sums like this involved, fraud prevention and security is clearly a board-level issue and not just something for the IT department to sort out. And that means that top managers need to be visibly engaged in the fight against e-crime.
It’s true that technology can go wrong on its own, but a crime can only be committed if a human being plays an active part. Therefore organisations need to make everyone aware of the consequences of any behaviour that breaches the rules, whether from outside the company or from within it.
For large multi-nationals that incorporate numerous languages and cultures, this is no mean task. Nor is the problem merely one of linguistics and getting lost in translation. It’s likely that most employees won’t speak the language of the security team so the message needs to be free of jargon and tech-speak to make it as effective as possible.
In addition, senior executives need to have a clear view of how far their personal liability extends, particularly with a stricter regulatory regime and greater awareness of the need for exemplary corporate governance. It’s still not unknown for members of the board to regard security as a negative cost centre. They need to be persuaded that it can enhance RoI from all IT investments and boost the bottom line of the business.
Middle managers, particularly those in sales and marketing, also need to understand how an effective security policy helps close deals thanks to greater customer confidence.
The general workforce should also be made aware of risk and encouraged to lock both the company’s electronic and physical doors. There are the obvious measures like checking the alarm is set when they leave the building, and ensuring people don’t leave their passwords lying about. But, in our increasingly mobile age, it also includes protecting laptops, smartphones and PDAs – indeed any device which connects to the network and which is all too easily left behind.
As about 80 per cent of all e-crime is caused by people making a mistake, organisations need to develop programmes aimed at prevention, education and raising awareness. This might involve obligatory Computer-Based Training (CBT) packages to be taken at regular intervals; company-wide security clinics; or even global road-shows to ensure awareness is maintained. Organisations may also wish to consider a 24/7 helpdesk to provide support and advice, and to capture details of any incidents that occur.
It’s also vital that a company’s business processes are designed to re-enforce its security policies. The City of London Police believe that only a quarter of crime is reported. However, organisations can implement policies that force its people to inform the necessary officials if they spot, or are the victim of, an offence. So, if a car is damaged or a laptop stolen, it cannot be replaced or repaired without a Crime Reference Number that will trigger an appropriate system.
There are also a number of formal bodies that organisation can work with to minimise the amount and the impact of fraud, including accredited Computer Emergency Response teams who can help trace anyone illegally trying to access systems, as well as the UK’s High-Tech Crime Unit and its international counterparts. This improves the likelihood of tracking down and successfully prosecuting criminals. Equally importantly, it sends a clear message to the hacking community that they will be relentlessly pursued and the equipment confiscated should they attempt to ‘break in’ to that particular organisation’s systems.
However, helping the police with their inquiries really should be the last resort. With the correct ‘human factors’ in place, such extreme measures should not be necessary.