The high price of insecurity in our classrooms and offices

An Audit Commission report highlights a variety of computer abuses in schools and other public bodies that are costing the taxpayer dear. Paul Gosling reports
Students and teachers may be costing taxpayers hundreds of thousands of pounds a year accessing pornography sites on the Internet, according to a new survey conducted by the Audit Commission, which oversees audits of many public bodies.

Schools, colleges and universities suffer most from computer fraud because they have the most lax security controls and often poorly managed computer systems.

Pornography has become a serious problem for organisations, according to the Audit Commission, and 8 per cent of incidents of misuse of computers relate to unauthorised access and downloading of pornographic material from Internet sites. The survey, "Ghost in the Machine", found that while three years ago only a few computer systems had access to the World Wide Web, now 95 per cent do, with many operating their own intranets. But security concerns prior to installing Internet access focused on installing adequate firewalls, to keep external hackers out. It is only now becoming apparent that the need for stronger controls over internal users was underestimated.

"There has been a growth in computer use in education," says Paul Vevers, director of audit support at the Audit Commission. "Whether that means the defences are weaker - that may not be the same. But the growth in use is greater than elsewhere, and it is a less controlled environment, with a large number of students."

Vevers says it is not just educational institutions that need to re-examine their control systems. A third of companies and half of public bodies report they have suffered from computer fraud and misuse. The fastest expanding problem is misuse of the Internet. Even those organisations that operate bars on accessing inappropriate Web addresses often allow their controls to lapse. "New sites are opening up every week," Vevers says. "You need to make sure you have someone responsible for keeping those defences up-to-date." Organisations should monitor what sites are regularly visited, especially those accessed outside of normal working hours.

But another big problem is that it is the managers themselves who are guilty of much of the fraud. De-layered organisations with fewer managers now maintain fewer checks and balances, and managers often have more scope for getting away with fraud and misuse. One manager got away with fraud by setting up a bogus staff identity and payee account because he was the sole person in charge of the staff payment function. The fraud would have been avoided if the organisation had simply appointed a second person to be involved in the operation.

"People at the top can't just hope that people lower down the organisation should just get on with things," Vevers says. "It needs a lead from them. Encouraging staff to whistle-blow is one of the best ways to stop fraud. Managers now operate a much wider span of control, with power and control concentrated across fewer hands." Another issue in many organisations is the mismatch between knowledge and seniority. "At the top of organisations there is fear of IT, but lower down there is over-familiarity with it and complacency," Vevers explains.

One result that is particularly worrying in the public sector is that far too many staff have access to a wide range of private information. Many employers still fail to restrict staff access to confidential records on a genuine "need-to-know" basis.

Hacking, too, is becoming a worse problem, with many former employees using their old passwords to gain access to computer systems after they have left. In some instances this has allowed them to corrupt information files, sometimes to gain sensitive information, and occasionally to leave abusive messages. Not all organisations speedily delete password authorisation after an employee has departed, while some computer systems do not properly accept instructions to delete passwords. Social harassment of staff by e-mail, accessing colleagues' e-mail addresses, is another growing problem.

There is particular concern about local authority computer systems that are susceptible to hacking, because of the sensitivity of information such as children-at-risk registers. But hacking can also be very costly. One council was hacked into from New York, enabling the hacker to make international calls over a weekend at huge expense to the council.

Perhaps the most stupid oversight by managers concerns the most common problem of all, virus infections, often transmitted inadvertently by staff who bring in disks they have worked on at home and are unaware that their home computer has been infiltrated by a virus. A virus infection will typically cost £1,700 to overcome, but software to prevent it costs just £25.

"Ghost in the Machine" is published by the Audit Commission at £15.