People Power Combats Cyber Fraud
by Andy Hodgson - VP of Security for BT Global Services - Monday, 2 January 2006.
With sums like this involved, fraud prevention and security are clearly board-level issues, not something for the IT department alone to sort out. That means top managers need to be visibly engaged in the fight against e-crime.

Train everyone

It's true that technology can go wrong on its own, but a crime can only be committed if a human being plays an active part. Organisations therefore need to make everyone aware of the consequences of any behaviour that breaches the rules, whether it originates outside the company or within it.

For large multinationals spanning numerous languages and cultures, this is no mean task. Nor is the problem merely one of linguistics and getting lost in translation. Most employees will not speak the language of the security team, so the message needs to be free of jargon and tech-speak to be as effective as possible.

In addition, senior executives need a clear view of how far their personal liability extends, particularly under a stricter regulatory regime and with greater awareness of the need for exemplary corporate governance. It is still not unknown for board members to regard security as a pure cost centre. They need to be persuaded that it can enhance the return on all IT investments and boost the bottom line of the business.

Middle managers, particularly those in sales and marketing, also need to understand how an effective security policy helps close deals by building customer confidence.

The general workforce should also be made aware of risk and encouraged to lock both the company's electronic and physical doors. There are the obvious measures, like checking the alarm is set when they leave the building and ensuring people don't leave their passwords lying about. But in our increasingly mobile age it also includes protecting laptops, smartphones and PDAs: indeed any device which connects to the network and which is all too easily left behind.

As about 80 per cent of all e-crime is caused by people making a mistake, organisations need to develop programmes aimed at prevention, education and raising awareness. This might involve obligatory Computer-Based Training (CBT) packages taken at regular intervals, company-wide security clinics, or even global road-shows to ensure awareness is maintained. Organisations may also wish to consider a 24/7 helpdesk to provide support and advice, and to capture details of any incidents that occur.

It's also vital that a company's business processes are designed to reinforce its security policies. The City of London Police believe that only a quarter of crime is reported. Organisations can, however, implement policies that oblige their people to inform the necessary officials if they spot, or are the victim of, an offence. So, if a car is damaged or a laptop stolen, it cannot be replaced or repaired without a Crime Reference Number, which in turn triggers the appropriate follow-up process. For a lost device that connects to the network, that same trigger should also revoke the device's access credentials, since the loss is a data-exposure incident as well as a theft.

There are also a number of formal bodies that organisations can work with to minimise the amount and the impact of fraud, including accredited Computer Emergency Response Teams (CERTs), who can help trace anyone illegally trying to access systems, as well as the UK's High-Tech Crime Unit and its international counterparts. This improves the likelihood of tracking down and successfully prosecuting criminals. Equally importantly, it sends a clear message to the hacking community that they will be relentlessly pursued and their equipment confiscated should they attempt to 'break in' to that particular organisation's systems.

However, helping the police with their inquiries really should be the last resort. With the correct 'human factors' in place, such extreme measures should not be necessary.
