Why SMEs should report e-Crime

Computer crime is costing Welsh businesses around £300 million a year as criminals use new methods to commit old crimes - and your organisation could be the next target. It has reached such a scale that it has been described in some circles as an underground economy. Research suggests that even the shocking figures for company losses in Wales due to e-Crimes may be just the tip of the iceberg.

Whether or not an incident is a crime usually depends on what is done with information obtained and how it impacts on you. The key to tackling e-Crime is that business people add their weight to the fight and report anything that might be considered a criminal activity.

This online criminal activity may include:

• Theft of customer data by insiders or ex-employees: Theft of customer or employee data by insiders or ex-employees is one of the more common threats to a business. This is particularly the case in workplaces where people are paid by commission - such as in sales departments where valuable customer databases may be held, or in offices where sensitive personal information may be stored. The result of such a theft can be disruption to the business, a significant loss of sales to rivals armed with your key information, and public embarrassment at the loss of private and personal data.
  
  
• Theft of customer or employee data by an outsider: Although there may be no malice against your company you could still fall foul of a dispute completely outside of your control. Your business may be an entirely innocent party, but a row between one of your suppliers and one of their employees - or a disgruntled IT consultant with an axe to grind - could lead to complications and potential financial loss.
  
  
• Child abuse images found on a company computer: This type of incident is not a pleasant or simple one to manage. There is experienced help available, and it is essential that you follow the correct procedures as serious legal action may follow.
  
  
• Denial of service attack: This can take the form of an attack by outsiders on a company's email accounts or website - generating such an overwhelming flood of data requests that they paralyse the system. The targets are put out of action, potentially resulting in financial loss, damaged reputation and disruption to business planning, as there may be fear that another attack will occur. This has happened to some of the largest companies in the world. Although such incidents are rare, there is an increasing amount of malicious software in existence that can do serious damage to your IT system. An attack on you can be random or targeted - such as being launched by a disgruntled former member of staff or a business rival. It is also possible that extortion or blackmail could be behind such an assault on websites, as companies are threatened with disruption that can have serious commercial consequences.
  
  
• Website hacked and content changed: Websites will always be at risk from people with malicious motives. They could be commercial rivals or someone with a personal grudge who wishes to harm your business.
  
  
• Malware attack (e.g. viruses, trojans, worms): Viruses have been present on the internet since shortly after its birth. They are often created for nuisance value or just to show how clever the author is. But today, with so much dependency on communication via the internet, they are likely to be a far more serious threat to businesses. Viruses can disrupt your business or be related to even more serious criminality, such as extortion and blackmail. Many businesses remain unaware of the seriousness of this threat and how to combat it.
  
  
• Phishing emails: These usually take the form of false emails sent to large numbers of people in the hope that some will reply. They are often an attempt to obtain your bank details. Many can be professional in appearance and approach, often referring you to what appears to be a genuine website in order to prove their credentials.
  
  
• Spam e-mail: Spam is generally unwanted e-mail, including unsolicited advertising for gambling sites, fake pharmacies and improbable goods. They are a time-consuming annoyance that could be more dangerous and sinister than they first appear. They could contain attachments with offensive material, viruses or even be a precursor to phishing and its implications.
  
  
• Financial fraud (e.g. bank account or debit card losses): This is not strictly an e-Crime but is often perceived as one because it is committed using computers. It is an example of how the law remains the same but the methods of breaking it have become more sophisticated.
  
  
• Attacks through wireless networks: Wireless technology has become useful and economical, and is incorporated into many business ICT systems. But for all its advantages it has hidden dangers that research in Wales has shown to be widespread. It is a potential disaster zone if not properly managed.

Reporting e-Crime

Aside from reporting crimes when they happen, what is more important is understanding how your company can minimise the risk of e-Crime before it happens. A good starting point is to always bear in mind that: Your company's information should be viewed in exactly the same manner as personal belongings and valuables. It is just as important and that is why it may be at risk.

e-Crimes can be reported confidentially at www.ecrimewales.com/report.

Making time for IT Security Policies

Without such policies e-Crime is made easier, and resolving it is made more difficult.

Research into previous e-Crime incidents has shown the value of a regularly monitored policy on the use of the internet by people in your company. Many firms, particularly hard-pressed SMEs, may not have found the time or resources to do this. Their main focus will inevitably be on the day to day running of their business, but there are measures that can be put in place quickly and at relatively low cost.

Surprisingly, perhaps, it is often the case that members of staff do not maintain secure passwords on their computer terminals. This is an obvious security risk. Your IT security policy must address such risks and be backed by disciplinary procedures. The policy must state clearly what can and cannot be done with company information and internet access, and also the consequences of breaching these rules.

Ten tips to reduce the risk of e-Crime

1. Ensure you have a staff policy on computer use and internet access - and check that it is being followed
2. Regularly change access passwords for your IT system
3. Decide which staff should have access to your most sensitive information
4. Make sure your wireless IT system is secure
5. Back-up your important data and website - so if you lose them copies are available to get you up and running again
6. Invest in a good quality firewall and anti-virus software. Schedule regular system scans
7. Use a spam filter to minimise unwanted emails
8. Ensure that all emails are archived on your system server, so they can be recovered even if they are deleted from computer terminals
9. Devise an emergency plan for your business in case your IT system is closed down
10. Advise the police or other appropriate bodies if you are targeted by e-Crime - as this information will help in the ongoing battle against fraudsters and other criminals

About the Author
e-Crime Wales is a partnership of organisations and agencies committed to equipping Welsh businesses with the knowledge and tools to be aware, vigilant, informed and ultimately safe from the destructive effects of e-Crime in all its forms. For further information about the ways in which you can protect your business from e-Crime visit www.ecrimewales.com.

Send a comment about this article to editor@itwales.com.