Science: The threat that comes from within: Computer crime by staff can destroy small businesses. Steve Homer reports

If your company uses a computer, there is a good chance your business could be at risk. Hundreds of companies every year are being attacked from within. The agents of damage are formerly trusted staff. Small companies are particularly vulnerable. The most common problem is an employee stealing data. This can either be for greed or revenge, to sell to a competitor, or for them to set up on their own. The means is so straightforward that staff need no specialist knowledge.

'People just underestimate the importance of data these days. I've seen grown men cry when their businesses collapse before them,' says Detective Inspector John Austen, in charge of the Metropolitan Police Computer Crime Unit. 'Computers themselves are quite cheap and so they don't think about the contents.' However, information from a company that has spent years building up its contact list or developing a product on computer can be invaluable to a competitor. On rare occasions, staff not only steal the information but also clean it off the originator's computer.

DI Austen, who formed the Met's Computer Crime Unit 10 years ago, believes many of the problems could be avoided. The most important and simplest safety measure is to make staff understand that tampering with company information is a criminal offence. The 1990 Computer Misuse Act introduced three offences that made prosecution of computer crime easier. Unauthorised access to computer data, aggravated access where there is intent to commit an indictable offence such as kidnap or blackmail, and modification of computer material are all now criminal offences.

The law has proved powerful, but too few businesses are aware of it. To help combat this and raise awareness of computer security in general, the Metropolitan Police teamed up with IBM to produce a computer crime leaflet called 'Don't let them get away with IT!', highlighting simple preventive measures.

These fall under four headings. Protecting your data is the most important. Regular backups mean that if the unthinkable happens at least you will have an up-to-date copy of information. Preventing unauthorised access can be helped by using passwords where these are available. Prevention and detection of virus infection are important, with warnings about using untested discs. And, finally, PCs should be made physically secure and identified with security markings to deter theft. (Special care needs to be taken with portable computers.)

DI Austen adds his own three tenets of safer computing. First, let staff know about the law. A notice that says unauthorised data access is a criminal offence can be programmed to appear on screen every time a user logs on. 'Just creating an understanding that computer misuse is a criminal offence can really make people stop and think,' DI Austen says.

Second, define a formal policy for staff use of computers. 'Every organisation from the local scout group to a large business should have a written policy about how data on computer should be managed. That policy preferably should be in the form of an employment contract,' he says. 'Some employees write their own letters on a company machine - that is fairly common and entirely innocent - but if that is allowed by the data owner, it should be stated that it is allowed and certain work areas (within the computer) designated for the purpose.'

Many employers are afraid to specify this in an official contract, DI Austen says. They may state that computers should be used only for company business but then turn a blind eye. This can allow people to explore the computer system at will, which can result in problems later.

DI Austen's third tenet, which he describes as 'more technical', is probably the most watertight. Small businesses are particularly vulnerable because they quite often use stand-alone computers. DI Austen advocates the use of local area networks (LANs), systems where two or more computers are connected together using special operating systems. 'If there are a number of stand-alone computers in an office, it is more efficient but, more importantly, more secure if they are joined together by a LAN. On a LAN you can put in more security control and record who has accessed certain files with the date and time.' If users know that their access to every file is logged, this can act as a great deterrent for would-be criminals.

In general, DI Austen feels the Computer Misuse Act has given him all the tools he needs to fight computer crime. Bar one. At present there is no offence of being equipped to commit offences under the Computer Misuse Act. Such an offence would be the equivalent of being equipped to steal under the Theft Act, and its absence makes the burden of proof much more difficult. The biggest problem is with those who access systems from remote sources, colloquially called hackers. '(It) means we have to go to extraordinary lengths to prove they are the person concerned as opposed to just where the location of the problem is coming from.' But DI Austen's workload could be considerably reduced if businesses realised how important their data was and then acted accordingly.

For a copy of the 'Don't let them get away with IT!' brochure, contact the Computer Crime Unit on 071-230 1177. For advice on protecting your computer equipment, contact your local crime prevention officer.

(Photograph omitted)