A recent IT security survey by UCD's Centre for Cybercrime Investigation and the Information Systems Security Association found that nearly all (98 percent) respondents had experienced cybercrime; half of these were victim to financially draining incidents. The most common experience was in relation to computer viruses or malware (90 percent), while a startling 88 percent of companies surveyed reported "misuse" of their IT systems. IT asset theft and email phishing scams also plagued more than half of respondents.
In Issue 179, we looked at how to prepare for and prevent cyber attacks, but if a malicious assault or illicit use of company IT equipment does occur, there are some general guidelines to follow.
Be prepared
Conal Lavery is managing director of IT security specialist Entropy. He says preparation is the best defence against cybercrime, including laying down explicit IT policies and procedures. Following these policies after an event is equally vital. "Whatever the problem, there's no point either having a knee-jerk reaction and acting without knowing your options, or burying your head in the sand and not reporting a possible crime because of a fear of bad PR to clients and competitors," he advises.
He also points out that not reporting certain cybercrimes - such as those related to paedophilia or data protection - may be a crime itself, and a working knowledge of these legal issues can help prevent an uninformed reaction that could exacerbate an existing problem.
Lavery differentiates the types of cybercrime experienced by SMEs into IT-related 'hard issues' and people-related 'soft issues'. In his experience, the most common cybercrime issue faced by Irish SMEs is employee misuse of IT equipment. This can range from staff using office computers to store and distribute music and movies (sometimes for financial gain) or view pornography, to bullying or sexual harassment by email, illegitimate access to private data, or internal system sabotage.
"If staff are caught doing something they shouldn't, the reaction of many bosses is to fire them or scaremonger them into quitting," says Lavery. "[But] if IT aspects are not explicitly set out in HR policies, then an employee in this situation who knows their rights may legitimately challenge this reaction, and the whole thing could become a costly legal issue, as well as a business and technology expense."
Lavery advises SMEs to have IT policies clearly conveyed to staff; otherwise, a sacking on general grounds of gross misconduct may not stand up. He also warns SMEs to check their insurance policies on these points. Furthermore, general employment contracts should include specific mention of IT policy when a staff member leaves, because a former employee taking sensitive data to a new job - particularly to a competitor - could be disastrous, and hard to prove.
Internal audit
In terms of the 'hard' issues of cybercrime, a serious occurrence such as a denial of service attack on the network will be immediately apparent. More subtle, but potentially more problematic, is having your network or website hacked, because this type of attack can go undetected for far longer.
"It's not a bad idea to have an occasional IT infrastructure security audit done from time to time," says Lavery, who adds that a quick review by a specialist should identify any problems. "It is hard to get SMEs to do this because they see no discernible benefit, but it could end up saving them significant future costs."
Lavery points to examples like Nationwide Bank in Britain being fined nearly STG1 million because it didn't have security safeguards in place when an employee's laptop containing sensitive data was stolen last year, or US firm ChoicePoint, which was fined a meaty USD15 million for losing customers' private data.
While the Irish data commissioners and other agencies are currently unlikely to levy sanctions on SMEs on these issues, Lavery warns that bodies that prosecute for software piracy do tend to concentrate on smaller companies in order to make an example of them.
Good relationships
In terms of reacting to a digital security breach, such as a malware infection, Lavery advises bosses to at least have in place a relationship with local experts such as IT consultants and IT-savvy lawyers. "People who know your business will be more likely to offer the correct advice."
He also advises firms to enquire about the IT security set-ups of retained professionals such as accountants and solicitors, and to make sure they are registered with the Data Protection Commissioners.
If a company system does come under cyber attack, or data is corrupted, Lavery has one final piece of advice which he says should be acted on immediately. "If you are subject to an attack from a virulent virus, the best thing is to shut down the network's internet connection as soon as possible - quarantine - as you don't want to be seen as the source of corrupting your clients' systems."