Cybercrime policy statement

an article added by: Frank C. at 06032007



Cybercrime policy statement

A policy statement and settled working practices should be published by the board to ensure that every employee knows the standard required of them and the company's stance on cybercrime. Such a statement needs to be explained to every employee and should, ideally, be included in contracts of employment and supply and in outsourcing agreements. The policy statement should be clear about the action the company will take if an act of cybercrime is detected. It should clearly express the company's policy towards cybercrime and its determination to deter fraud generally. It should make clear that the company:

- will investigate, and report to the local police or other appropriate authority, any suspected act of cybercrime;
- will assist the police in their investigation and prosecution of a cyber-criminal where appropriate;
- will take civil action where possible to recover assets that have been stolen, or pursue a cyber-criminal for damages;
- expects employees to report any incident of cybercrime of which they are aware, and assumes that each employee, irrespective of seniority, has a responsibility for reporting cybercrime;
- will treat internally perpetrated cybercrime as seriously as cybercrime perpetrated by an outsider;
- has particular procedures that should be followed in the event that a cybercrime occurs.

The DTI report¹ says the increase in cybercrime is partly because companies give employees access to the Internet and their own work email addresses. It may therefore also be worth including guidelines and company policy statements on employee Internet and email use in employment contracts. Examples of such guidelines include highlighting the danger of opening email attachments from unknown sources, listing sites that employees are prohibited from using, and explaining company policy on Internet and software piracy (another common form of cybercrime).

Managing the prevention, detection and response to cybercrime

Cybercrime management should be dealt with throughout the organisation, and the importance of employee awareness should be emphasised at all levels. Cybercrime needs to be treated as a business risk, so an organisation needs to carry out a risk management assessment to ensure that the steps taken to prevent cybercrime are effective against the practices peculiar to that organisation. Anti-cybercrime procedures should be tailored to the type of business in which an organisation is involved. For example, an e-tailer is more likely to be concerned with establishing the identity of the individual attempting a 'card-not-present' transaction to make an online purchase, because this type of business is more exposed to identity theft and credit card fraud; in this case the fraudster is more likely to be an outsider. A business-to-business company that trades online may be more concerned with establishing procedures and controls that reduce the risk of e-procurement fraud, and may wish to employ fraud detection methods such as data mining or to require set procedures for the making of e-tenders. In the case of e-procurement fraud the fraud is far more likely to be perpetrated by an insider, and the methods of detecting it need to reflect this fact.

Risk management of the threat of cybercrime should be approached as follows. The company should:

- identify the areas within the business that are most vulnerable to cyber-attack;
- establish the controls that are already in place to address these risks;
- identify any further controls that may assist in reducing the risk;
- monitor pre-existing controls to ensure that they are being implemented effectively;
- reassess the controls to account for any changes or developments in the operation of the organisation;
- ensure that procedures and controls are workable and supported by a sufficient level of resources;
- establish a regular review procedure.

Whistle-blowing policy

All organisations should establish a culture of cybercrime awareness, and part of doing so is to ensure that employees know that whistle-blowing is a necessary part of the fight to prevent cybercrime. Employees should have available to them a simple procedure for reporting any suspicion that cybercrime is taking place. This may include an internal email address to which details can be sent, or a hotline that lets them report their concern quickly and, if they wish, anonymously. It should also be possible for an employee to report to management in a different department, or to managers with no direct responsibility for that employee, since the employee may fear that their direct manager is somehow implicated in the cyber-fraud. It should be made clear to employees that all reports will be treated as confidential. Where such reports are made in good faith, the employee would normally be protected under the Public Interest Disclosure Act (PIDA) 1998. This is particularly relevant to incidents of cybercrime where, as discussed earlier, a good proportion of the problem arises from the unlawful conduct of insiders and employees. The objective of the PIDA is to ensure that employees can inform their employers of wrongdoing within a company without fear of repercussions, allowing problems to be identified and resolved in as little time as possible.

The repercussions referred to cover the different types of detriment that an employee may suffer having made such a disclosure, including denial of a promotion, of training opportunities, or of facilities that the employee would have been offered had it not been for the disclosure. The employee is protected by PIDA if he makes a qualifying disclosure of information that he reasonably believes (and can show that he reasonably believes) tends to show that one of the following offences or breaches has been, is being or will be committed, irrespective of whether the employee is later shown to have been mistaken:

- a criminal offence;
- a breach of a legal obligation;
- a danger to the health and safety of any person;
- environmental damage;
- the intentional concealing of information that demonstrates that any of the above has occurred.

The disclosure is protected if the employee makes the qualifying disclosure to his employer, either through procedures authorised by the employer or directly, or to another person whom the worker reasonably believes to be solely or mainly responsible for the relevant failure. The employee must also make the disclosure in good faith. If the employee wishes to make the disclosure to a prescribed body or person, he is protected if he makes the qualifying disclosure in good faith, reasonably believes that the allegation or information is substantially true, and reasonably believes that the matter falls within the remit of the prescribed person or body. For example, if the information relates to a fraud the employee might reasonably think that the Serious Fraud Office is the correct body to report to, or in the case of an offence relating to the environment, that the Environment Agency is. (The good-faith condition described here is that of the Act as it stood when this article was written; the Enterprise and Regulatory Reform Act 2013 later replaced it with a public-interest test, so the current text of the Act should be checked before relying on this summary.) Where a company does not have the resources to set up a whistle-blowing mechanism internally, it is possible to outsource this service.
For serious cases of cyber fraud, it is possible to report the offence to the National Hi-Tech Crime Unit. (That unit was absorbed into the Serious Organised Crime Agency in 2006, so reports should go to whichever national body currently holds that remit.)

