Information Security Management System

an article added by: Frank C. at 06032007




The expectation: experience equation

Whatever we do, we cannot claim to have ‘e-trust’ and ‘e-confidence’ unless we have genuinely got it. Remember that many so-called ‘hackers’ carry out attacks just to be able to say that they have got through a specific organisation’s defences. You may claim to be secure – they may well try you out! To have an Information Security (Assurance) Management System (ISMS or IAMS) in place and working properly will provide you with the assurance that you require to make such a claim in the first place. But that is not the reason to have such a system – you need it in order to conduct business electronically, whether you go public about having it or not. So the answer to the question ‘do we publicise our security, or do we keep quiet about it?’ matters not; you need it to carry out business, even if you only intend to tell your stakeholders (clients, suppliers and staff included).


But what can happen? Viruses, worms, trojans, deliberate attacks (external hackers, internal hackers, recent leaver-hackers, hactivists), random attacks from the same communities and errors (as all the above can be ‘let in’ by mistake) and, in addition, simple human error can, in a poorly protected system, wreak havoc. The cost in terms of economic damage from the above sources for just the first 9 months of 2002 is estimated to be between US$32–39 billion for overt digital attacks only – not including the errors. And just in case you are saying to yourself, ‘Okay, but I am/we are not likely to be targets’ (which totally ignores the random nature of viruses etc. and the potential for internal attacks), let us look at some actual examples.

1. The ‘mistake’ (or ‘I didn’t mean to destroy your livelihood’)

Recently a ‘hactivist’ (someone who believes that their hacking is ‘ethical’ because they only break into sites and systems that are owned or run by organisations that they don’t agree with) destroyed a company that was totally innocent, even of the so-called ‘crime’ that the hactivist was so worked-up about. Unfortunately for the company its original founder had chosen a name that was similar to the name of a business that was connected with the use of animals for their fur – not the same name; not the target name; and the business certainly had nothing to do with the practice so hated by the hactivist. The company was totally innocent – and is now totally out of business. A ‘simple case of mistaken identity’ was how it was portrayed, but the end result was catastrophic for the owners and all of the workers, simply because someone who was so full of their own ‘rights’ made an electronic search for any company that had a similar name and attacked them without any further check.

2. The ‘game’ (‘I wanted to prove that I could “take someone out”’)

Even more recently an Internet Service Provider (ISP) – not exactly an organisation without ‘e’-technical nous – suffered a total ‘distributed denial of service’ attack. This meant that none of their customers could use their services for over a week – they went out of business as a direct result.

3. The ‘idiot’ (or someone who thinks that they are ‘above all of this’)

A large IT company had a very costly virus attack, despite the fact that it prides itself on assisting many areas of ‘UK plc’ to solve technology challenges. How could anything get past its sophisticated protection systems? Simple: the CEO did not believe that the rules applied to them, and brought in a disk created on their son’s home PC – complete with a highly unpleasant virus. Due to an earlier mistake the virus was ‘inside’ their firewall – and made hay! The cost was well over £10,000,000, just to their internal systems.

4. The ‘good idea’ (or ‘let’s do this using “e”’ – without thinking)

A company offered free internet advertising to clients of another service. Someone ‘hacked in’ and changed the prices shown. Apart from the nightmare of sorting it all out, the reputation of the company was badly shaken when the object of the exercise was the complete opposite!

5. The ‘unhappy employee’ (either as a cause or as a victim)

Consider two scenarios. The first involved a person who saw a pornographic scene on another employee’s PC screen. They sued the company, and won considerable damages – nearly into six figures – for sexual harassment. The second involved someone who was, appropriately, fired from their job. Their employer was excellent in providing new employees with passwords etc. – but not at all good at removing them when people left, even in bad circumstances. The ex-employee decided to ‘get even’ and logged into the company system using their old password, and altered many detailed items in areas such as personnel records, payroll, and costing and pricing. The trouble was that no one knew exactly where that person had accessed, and the cost of redressing the ‘vandalism’ was measured in man-years. The marketing effects? The costs were considerable, not only with their existing clients and prospects but also in the job market where the company gained a poor HR reputation.
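As an added illustration of the leaver problem in the second scenario above (this is example code, not part of the original article), the check below reconciles a constructed HR leaver list against a constructed directory export and reports any account that was still enabled, or was actually used, after its owner’s leaving date. The usernames, dates and field layout are assumptions made for the example.

```python
"""Audit leaver accounts: flag any that stayed enabled or were used after the leaving date."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR leaver list (assumed format): username -> last day of employment.
LEAVERS = {
    "jsmith": date(2002, 3, 15),
    "akhan": date(2002, 5, 2),
    "mjones": date(2002, 6, 30),
}

# Constructed directory export (assumed format): (username, enabled?, last successful logon).
ACCOUNTS = [
    ("jsmith", True, date(2002, 4, 20)),   # used after leaving: the case described on the page
    ("akhan", True, None),                 # never used since, but still enabled: should be disabled
    ("mjones", False, date(2002, 6, 28)),  # disabled on time: nothing to report
    ("pwhite", True, date(2002, 7, 1)),    # current employee, not on the leaver list
]


@dataclass
class Finding:
    user: str
    problem: str


def audit_leavers(leavers, accounts, grace_days=1):
    """Return one Finding per leaver account that is still enabled or was used after leaving.

    A logon after the leaving date (plus a short grace period for same-day handover)
    is reported in preference to the weaker 'still enabled' finding for the same user.
    """
    findings = []
    for user, enabled, last_logon in accounts:
        leave_date = leavers.get(user)
        if leave_date is None:
            continue  # not a leaver; out of scope for this check
        cutoff = leave_date + timedelta(days=grace_days)
        if last_logon is not None and last_logon > cutoff:
            findings.append(Finding(user, f"logon on {last_logon} after leaving date {leave_date}"))
        elif enabled:
            findings.append(Finding(user, f"account still enabled after leaving date {leave_date}"))
    return findings


if __name__ == "__main__":
    for f in audit_leavers(LEAVERS, ACCOUNTS):
        print(f"{f.user}: {f.problem}")
```

Run against a real HR export and directory dump, the same loop gives the list of accounts that the employer in the scenario never revoked, which is the first thing an incident responder would want after a leaver is suspected of logging back in.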

Summary

It is marketing’s job to control communication about information security, inside and outside the organisation. A company’s approach to security will directly affect its marketing positioning and organisational differentiation. Security failure can destroy a company’s reputation – or even the company itself. Information security is not a cost, it is a marketing investment. Everyone is a potential target and you cannot afford to ignore this subject. E-business and e-government demand the electronic exchange of ever-more important information. Marketing should identify and promote the internal and external advantages of having appropriate information security. It should work with IT to achieve a perceived ‘trusted status’, and take responsibility for creating detailed positioning and differentiation messages. Marketing should create two communications plans: one internal, one external. Finally, marketing must ensure that all communications are written in suitable language for each target audience – internal and external – otherwise the messages will not be understood.

Michael Harrison Dip.M., F.C.I.M. is Chairman of Harrison Smith Associates Limited and Chairman, UK, of the ‘Protecting Critical Information Infrastructures Initiative’. For further information contact: Michael R Harrison, Chairman, Harrison Smith Associates Ltd, Third Floor, Diamond House, 36–38 Hatton Garden, London EC1N 8EB. Tel: +44 (0)20 7404 5444; Fax: +44 (0)20 7404 8222; Website: www.hsaltd.co.uk

Stamping out the bugs

Tony Neate has spent a total of 27 years as a detective, 13 years of this working in commercial fraud and eight years in computer crime, so he knows all about crime – cybercrime and other forms. He is the Industry Liaison Officer at the NHTCU and the fact that he has such extensive experience demonstrates how much importance the unit places on its relationship with business. The NHTCU, which became operational in October 2001, has a multi-agency approach to tackling problems raised by the use of computers and the Internet for criminal activity of various types. The unit, based in Docklands, East London, is headed by Detective Chief Superintendent Len Hynds, a career detective from the National Crime Squad. The unit comprises representatives from the National Crime Squad, the National Crime Intelligence Service (NCIS), HM Customs & Excise and the Military. It also has strong links with Computer Crime Units (CCUs) in all police forces throughout the UK and with other law enforcement agencies across the country. The NHTCU conducts operations at national and international levels. It has responsibility for making strategic assessments and developing intelligence; supporting local law enforcement with advice and co-ordination; and developing best advice for law enforcement and business practice on computer crime prevention. It also liaises closely with the IT industry, including Internet Service Providers (ISPs), telecommunications companies and software houses.

Tony Neate says: ‘The aim of the NHTCU is to assist in the policing of cybercrime nationally and transnationally, and to add to the capabilities already existing at a local level. By its very nature cybercrime does not recognise national borders. It is a global problem and needs a global solution. The NHTCU is just one part of the joined-up approach being taken by the police around the world that has been necessary to deal with its unique new crime.

‘The idea is to create a partnership between law enforcement and industry. We can provide industry with strategic and practical intelligence examples of attacks so that they are aware of the problems and can put the necessary policies and hardware in place. What we do we do together, not alone. We want to make business aware that there is highly capable expertise locally, and on top of that there are well-trained officers, who are experts in dealing with serious and organised crime, that have turned their attentions to hi-tech attacks. We deal with incidents sympathetically, in partnership, and in a way whereby the businesses do not lose control.’

Computers and the Internet present great benefits to society. However they also present opportunities for crime, much of it simply conventional crime using new technology. Computer crime takes many forms and is grouped into two broad types of activity: existing offences that can become more complicated to prevent and detect with new technology; and new offences that can only be committed with the use of such technology. As Tony says, ‘Anything that can happen in the real world can happen in the cyberworld – theft, deception, extortion, whatever.’ Cybercrime covers fraud of many types – hacking, industrial espionage, ‘viruses’ and ‘denial of service’, organised paedophilia, intellectual property theft (i.e. the illicit copying of video, other recordings and software), money laundering and crimes of violence such as kidnap.

Tony says: ‘Viruses are the scourge of business. Time is paramount to most businesses; when a virus attaches itself to a company’s critical system, the system can be taken down for hours or even days. “Denial of service” attacks can lead to major extortion demands.’ In order to explain the nature of a denial of service attack, Tony uses the delivery of a traditional letter by way of example. ‘A postman may deliver two or three letters a day; similarly with emails, you might expect several a day. But can you imagine what would happen if your postman delivered millions of letters to your postbox every second. You wouldn’t be able to move; and similarly with a denial of service attack, millions of pieces of data being received by your computer in seconds would very quickly use up all your available bandwidth and you can’t do business.’

Part of the problem for business is that many are aware of cybercrime, which may put them off embarking on an e-commerce strategy. But if businesses are aware of the problems they can profit as long as they put the right safeguards in place. ‘Businesses need to be aware of the problems. One part of a simple strategy is setting up firewalls. A simple firewall, properly configured, can cost as little as £50–60; for far bigger businesses, an intrusion detection system may cost thousands of pounds – it really is horses for courses.’ And it is not just about dealing with the threat from outside.

Companies also need to look inside, to internal threats from employees. ‘It is important that employees are aware of the company’s policies and procedures and that the contracts of employment clearly state what these are. Companies need to put security protocols and emergency responses in place. Employers must also keep up with the new and changing laws and regulations in this area, so that they are aware of their responsibilities.’ Of course one of the problems with cybercrime and how it affects business is that quite often, due to commercial sensitivities, businesses do not want word getting out that they have been hit. The NHTCU is sympathetic to these concerns and has put in place a confidential reporting system and is prepared to enter into a non-disclosure agreement. ‘We want to build up trust, but that trust will take time. We are fully aware that if we break that trust then industry will lose all confidence in us.’ It is for this reason that Tony couldn’t provide any good-news stories on how the unit had worked with industry in this way, but did say that the fact that he couldn’t was in itself good news. What he could say was that they were working closely with all sectors of industry – manufacturing, services, finance and transportation – and that within those sectors the NHTCU have helped a number of businesses. To find out more about the National Hi-Tech Crime Unit see www.nhtcu.org or contact Tony Neate, Industry Liaison Officer at admin@nhtcu.org.
