e-Crime: the real story

Imagine for one moment that you are the Chief Executive of an international investment business and you have a problem, a very big problem. An organised crime group has picked your business as the victim of a Distributed Denial of Service (DDoS) attack, similar to the one Microsoft experienced with the ‘Blaster’ worm in August. The attack is directed at the company’s Internet-facing servers through their exposed, vulnerable ports, and the objective is to bring down the company’s on-line trading activities for thirty minutes each week.

Unlike Microsoft, you can’t simply switch servers during the attack. Quite apart from the damage to reputation, the cost of thirty minutes’ loss of trading to your business is over a million dollars, and following the first incident you receive a phone call from the gang telling you that the problem will continue unless a million dollars in ‘consultancy fees’ is transferred to a bank in Colombia. What do you do next? Make a call to the National Hi-Tech Crime Unit (NHTCU) and report the crime, or buy more security software, learn a harsh lesson and quietly pay the criminals off?

This is the nature of the problem facing the police and business today, and one of the scenarios being prepared for discussion at next year’s eCrime Congress. Without accurate figures, and with no financial institution willing to discuss the subject, it is only possible to present an estimate of the level of eCrime in Britain today. In many cases, companies believe they stand to lose more in terms of damage to their brand and customer confidence than they stand to gain by reporting an incident to the police.

Earlier this year, a survey commissioned by the NHTCU and conducted by NOP, revealed that security incidents had cost UK business an estimated £143 million over the previous twelve months.

The survey exposed three thousand different incidents among the one hundred and five organisations surveyed, and the results included information theft, virus attacks and the loss of hardware other than laptop PCs.

From a business perspective, grasping the true size and nature of the problem is difficult. By including hardware and virus-related incidents, the ‘big ticket’ crime problems remain largely hidden in the statistics. It is rather like being offered the tonnage of allied shipping sunk as a measure of U-boat success in the Second World War: it doesn’t tell you what you really want to know, which is how many ships were actually sunk.

Chris Potter, Information Security Partner at PricewaterhouseCoopers, points to two surveys carried out by the company. Potter comments, “One of the big issues with e-crime is the definition. The DTI Information Security Breaches Survey 2002 indicated that nearly half of all UK companies have suffered malicious information security incidents, but most of these relate to virus infection and web-site hacking attempts. Relatively few incidents to date have involved electronic theft or fraud, with surveys showing only 6% of UK businesses affected so far.”

Potter adds, “The cost incurred for an individual electronic theft or fraud is often much greater than for other security incidents. The recent PwC Global Economic Crime Survey 2003 estimated the average loss from a cybercrime incident as $800 thousand. Secondly, most businesses expect the prevalence of cybercrime to rise significantly over the coming years. As more business is done electronically, more economic crime will become e-crime”.

At the CBI, Jeremy Beale, Director of eBusiness, identifies a number of different problems facing companies where eCrime is involved: “Firstly, business can rarely tell if a crime has been committed and, if one has, who they should contact, the local police force or the NHTCU.” “Secondly,” says Beale, “it is too early to scale the exact size and nature of the problem, but what is clear is that it is significant and government needs to bring its efforts together to create a single point of contact, through a central sponsor for information assurance.”

Few companies are aware of the NHTCU’s confidentiality charter, which is designed to protect a business from any potential damage or loss of confidence that might arise as a consequence of publicity. Companies can now report eCrime on an intelligence-only basis, which the police will use as part of an information gathering exercise that might possibly lead to the conviction of a third party in the future, or as part of a suitably sanitised ‘threat assessment’ that might be shared with similar organisations. Alternatively, a company can report a crime with a view to having it investigated, in which case an application can be made to the trial judge for public interest immunity in order to protect the name of the business involved.

According to Tony Neate, Industry Liaison Officer at the NHTCU, “More and more sections of industry are reporting crimes and the increase in successful arrests and prosecutions is leading to a more informed view of what is happening.” However, the NHTCU concedes that even greater efforts need to be directed towards educating the business community about the process of reporting. For those that don’t know, this involves making a first approach to the regional computer crime unit, which will then escalate a report to the NHTCU if it demands national attention.

Jeremy Beale acknowledges the reporting problem and adds that the CBI is working with the NHTCU on a programme to inform small and medium sized businesses about the dangers of eCrime. “More,” says Beale, “needs to be done to raise board level awareness of the responsibility of protecting business assets, and we need to have more collaboration between industry networks and early warning systems.”

As far as Beale is concerned, the eCrime debate is still “treading water”, while the police struggle to gain an accurate impression of the size of the problem and business gradually realises that it is an issue that has to be recognised and understood at the most senior levels.

eCrime is here to stay and there is every indication that it will continue to grow at a steady and alarming rate unless business and law enforcement can collaborate more closely. Head of the Hi-Tech Crime Unit Len Hynds agrees that at present a great deal of energy is devoted to ‘scoping the problem’ and then addressing the issues that arise as a consequence. “You would be surprised,” he says, “at how even the conduct of more conventional crimes, such as drug-trafficking, is expanding into the digital environment, which illustrates the serious nature of the problem facing society.”

For business, now appears to be the time to accept that being mugged can happen as easily in cyberspace as it can on Clapham Common, but being warned isn’t enough. If you listen to the CBI, PwC and the police, being prepared and a little paranoid might offer all of us a better business strategy for the future.

The next eCrime Congress will take place in London 24th – 25th February 2004

More Comments on eCrime

“One area of concern is the rise in identity theft, where criminals gain access to individuals' financial information. Financial services call centres are a particular risk, since many call centre systems will let the operator see the full account and password details for the caller. The operator can then pass these details onto criminals who can then pose as the caller and access their account”. Chris Potter – Information Security Partner - PWC.

“The relationship between law-enforcement and industry is fundamental to the growth of e-business in this country. For the police it’s a matter of changing tactics to meet the challenges of a digital environment” Detective Chief Superintendent Len Hynds – Director NHTCU

“We need to examine roles and responsibilities in dealing with eCrime. Is it the banks, the NHTCU or even Microsoft? All of us need to be behind a collective programme that deals with the problem”. Stuart Okin – Chief Security Officer Microsoft (UK) Ltd
