An inside job?

Cyber crime against businesses is a growing threat. It's carried out by geeks, hackers... and those closer to home. Gareth Chadwick reports
The Independent Online

Cyber crime is a uniquely modern threat to business. Computers and digital telecommunications dominate the business infrastructure of the world's leading economies to an unprecedented extent. Without them, much of the global economy would simply grind to a halt.

And yet very few of us actually understand how computers work. Faced with a PC-related problem, most people's technical knowledge stretches to telephoning the nearest IT consultant and pleading for help in getting the computer fixed in time to meet the looming, job-threatening deadline.

It's this reliance on computers and, increasingly, the electronic communication networks they plug us all into, such as the internet, that makes our vulnerability to cyber crime so alarming.

"Internet attacks are fundamentally about an exploitation of trust. They exploit the assumptions that people who use the internet routinely make, whether for business or at home," says Jonathan Care, principal consultant at IT security consultancy Vistorm.

"It's why most e-mail virus messages are designed to look as if they are from somebody you know, or from an organisation that you would normally regard as trustworthy, such as a bank. It is about getting people to actually read the e-mail or to open the attachment. They are seeking to exploit that level of trust," he says.

Everybody from the Government down to the small business user is at risk. James McElroy, a student at Exeter University, was convicted in February of hacking into the computers of the US Department of Energy's Fermi National Accelerator Laboratory in Illinois.

He was sentenced to 200 hours' community service. The cost to the Fermi Laboratory could be substantially higher, however, as it was forced to close down its IT system for three days.

There's an image of hackers being teenage computer nerds, causing havoc from the bedroom, but it is a dangerous misconception to think that cyber crime is just about computer-obsessed kids causing trouble over the internet.

Take the growing problem of "phishing". Attackers set up a fake website, typically a copy of a bank or other financial service provider's site. They send out millions of e-mails to customers of that organisation (called "phishing expeditions"). The e-mails request that users visit the website to confirm their account details. The criminals simply wait for the details to be entered. Once the details have been entered, the criminals visit the genuine website and clear out that person's account. Police say that the number of reported phishing cases has increased by 600 per cent in a year.

"The Web has always been plagued by the online equivalent of vandals who cause trouble for fun. But what we are seeing now, with the huge rise in commercial transactions done over the internet, is serious involvement from the professional criminal fraternity. There are viruses which lie dormant on a computer until the user visits an online banking site, at which point they activate themselves, record the keystrokes and pass them back to the originator of the virus," says Jonathan Care.

It is difficult for even the experts to keep up with the speed at which security risks develop, as cyber criminals constantly develop new ways to perpetrate their activities. A recent phenomenon has seen criminals combining virus attacks with hacking.

The virus is distributed via e-mail and unobtrusively installs itself on the target's computer. Once in place, it works at exploiting any security vulnerabilities on the target's Web server. Once a security breach has been established, it automatically notifies its sender, who hacks into that server undetected through the entry point established by the virus.

"The internet and e-mail make everything so much more accessible. As a result, the risks posed by cyber criminals are much greater. There are statistics that suggest that almost 90 per cent of companies' business documentation is held in digital form. Almost half of these are estimated to be in the e-mail system at any one time. It raises serious questions about security," warns Sarah Lyons, a computer analyst with computer forensic investigators Synergy Professional.

But the high-profile cases of highly trained criminals mask the most potent cyber threat to small businesses - their own staff.

Disillusioned employees or disgruntled former employees are guilty of the vast majority of computer-related business crimes in the UK. Siphoning off funds from the company's account online or stealing a copy of the customer database might not have the glamour of a co-ordinated attack from a gang of Russian internet crime barons, but the potential for damage is just as high and the likelihood of such a scam is considerably greater.

According to computer forensic consultants Ibas, over 65 per cent of British professionals admit to having stolen commercially sensitive information from previous employers. Information routinely taken by departing staff includes e-mail address books, sales presentations and technical product information.

Take Edward Bowe for instance, an in-house accountant for a Merseyside-based chain of garages called Leaders. A trusted senior employee, he had worked for the company for over a decade under the supervision of a financial director. When his superior left, Bowe was left in sole charge of the company's accounts.

He had access at work and also from home via the online service. He used that access to gradually withdraw £600,000 from his employer's account over five years. He was only discovered when his employers dismissed him after a missed VAT payment.

Cyber crime already costs UK businesses a huge amount. According to a survey by the National Hi-Tech Crime Unit (NHTCU), over 83 per cent of businesses questioned had suffered some sort of computer crime in the previous year, costing them almost £200m. Virus attacks alone cost businesses over £27m.

According to a Department of Trade and Industry report, the average cost of an organisation's most serious security incident was about £10,000. For larger companies, the figure rose to £120,000.

Only around one quarter of firms reported such crimes to the police, however, leading Detective Chief Superintendent Len Hynds, head of the NHTCU, to put the real cost of cyber crime far higher.

"While it is too early to put an accurate figure on the total financial impact for UK businesses, indicators suggest that we're talking about billions rather than millions of pounds," he said.

The online crime busters

The National Hi-Tech Crime Unit (NHTCU) was set up in April 2001 to combat national and international hi-tech crime in the UK.

Its remit includes software piracy, hacking and virus attacks, fraud, blackmail and extortion, online child abuse and class A drug trafficking.

"We deal with serious and organised hi-tech crime, such as extorting money over the internet," said NHTCU spokesperson Felicity Bull.

Since its foundation, the NHTCU has arrested 180 people and carried out 73 operations. A recent success came in July this year, when in a joint operation with its Russian counterpart, three Russians were arrested in connection with an internet protection racket targeting online betting services.

The men are believed to have been responsible for attacks that paralysed gambling websites and cost the betting industry millions of pounds.

The online betting industry is an attractive target for fraudsters. There are an estimated 1,700 gambling websites and around £49m is expected to be gambled online this year.

The Russian gang targeted prominent betting firms, including William Hill, Paddy Power, Blue Square and Canbet. The firms were advised that the attacks on their computers would be stopped if they paid the hackers up to $50,000 (£27,000).

The first victim in the UK, Hampshire-based Canbet.com, was advised by police to pay the demand in order to help trace the source. The trail led to Russia, where the three men were taken into custody.
