Like so many other aspects of our lives, major fraud has gone high tech. In fact, fuelled by excited media comment, computer crime and fraud are regarded as synonymous by many. But it’s important to remember that it’s not the computers that commit crimes - it’s the people that use them, and the cost of their crimes to business is immense.

To address the problem, then, it is essential to look at the human factors involved. The first challenge with combating fraud is calculating the size of the problem. We know that it’s a serious issue for businesses around the world, but it is almost impossible to state exactly how big it actually is. After all, some frauds can remain undiscovered for lengthy periods, or are never reported at all. And, understandably, many companies that have been victims of fraud are reluctant to publicise the fact.

But we do have some close approximations available. The authoritative CSO Magazine eCrime Watch Survey estimated that the cost to US organisations alone was $666 million in 2003. Based on these figures, it’s probably safe to say that a total bill of one trillion dollars a year is a conservative estimate.

It’s also said that the average American company loses six per cent of its revenue to crime, fraud and theft - most of it by electronic means. In the UK, and elsewhere, the figure currently stands at around three per cent.

Although many attacks come from outside the organisations, some are ‘insider jobs’ - carried out by employees who have access to systems within the company’s defences. Something the Sumitomo Mitsui Bank in the City of London found out in 2005. Fraudsters attempted to steal approximately £220 million from the bank by entering the building as cleaning staff and connecting hardware bugs to the keyboard sockets of the bank’s computers. The bugs captured keystrokes to reveal account details and other information.


The human factor

We are used to the idea that technology should be deployed to beat IT-enabled crime. World class firewalls, for example, can help fortify an organisation - rather like thick castle walls that prevent the bad guys from getting in. Inside those walls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can monitor applications and services and raise the alarm when access is attempted by an unauthorised stranger, or when unusual behaviour is discovered.

But if we use technology to counter IT problems, we also need to use people to counter human crimes. If employees are vigilant, and if they understand what is expected of them, then security will be enhanced. Organisations need to establish a culture in which their people are all jointly responsible for defending the company against attack. That requires everyone to know how to behave responsibly, be alert to potential problems, and understand the best course of action when confronted by a malicious attack.

Set the scene