What to do when cybercrime is detected
It is necessary to maintain a procedure for dealing with any report of cyber-fraud. The
procedure to be implemented will vary depending on the size of the business and the scale
and seriousness of the cybercrime being investigated.
A firm may wish to appoint one person as responsible for investigating the cybercrime.
They will in turn be responsible for researching the best methods of investigating a specific
type of cybercrime.
This individual may also be given responsibility for assessing the in-house skills
available for investigating cybercrime, for example whether the firm has anyone with the
computer science skills needed to detect and preserve electronic evidence. It will also be
necessary for that person to establish contacts with specialist lawyers and investigators.
Damage mitigation is another issue that must be addressed by the firm. It should be
decided how it is possible to stop a particular cybercrime from happening again, and
whether improved techniques of risk management are necessary.
It must be considered how the firm intends to secure and gather the evidence without
alerting the criminal. The firm must address the question of how it intends to deal with a
suspect and when it should contact the relevant authorities such as the National Hi-Tech
Crime Unit.
As with all frauds, it must be considered when it is appropriate to inform the public that
a cybercrime has occurred, bearing in mind the damage that such an announcement can
have on a business compared to the value of the crime itself.
If an organisation does intend to prosecute a cybercrime it must bear in mind the
following:
speed;
strategy;
surprise.
Money is transferable by one email, telephone call or fax. It is therefore vital that not only
is any investigation or analysis conducted in utmost secrecy but that action is taken before
the fraudster has an inkling that he is being investigated.
At the very earliest opportunity an analysis should be carried out to assess:
whether there has been any fraud;
the extent of the fraud;
whether it is viable to try and recover the losses sustained.
To do this it may be necessary to examine computer server logs and individuals’ computers.
Consult the list of ‘Dos and Don’ts’ at the end of this article before taking any action,
otherwise vital evidence needed for civil recovery or criminal action may be destroyed.
Third party disclosure as to assets and whereabouts
The English Courts provide invaluable assistance to victims of fraud in that, in certain
circumstances, they grant orders that enable the victim, without notice to the fraudster, to
discover:
the extent of the fraud;
who is responsible; and
who was involved in the commission of the fraud and therefore could be liable as well.
The Court would, for example, grant orders against third parties who have been unwittingly
involved in the fraud, whether such fraud has been committed electronically or in the
physical world. For instance, the court will require disclosure of relevant information by an
internet service provider or a bank through whom money stolen from the victim has passed.
Such orders for disclosure can be combined with what is called a ‘gagging order’,
which prevents the party giving disclosure from notifying the fraudster. Breach of such an
order will amount to a contempt of Court, which is punishable by prison.
Once the extent of the fraud has been assessed, decisions need to be taken as to whether
it is commercially sensible (and whether there is an obligation) to pursue the fraudster and,
if so, to what extent. No victim, however large or small, should fail to assess the significance
of publicity, given that falling victim to fraud is often attributed to inadequate security
measures or a lack of judgement on the victim’s part.
Recruitment, training and personnel policies
The majority of financial crime is perpetrated by insiders and employees. Cybercrime is no
different. It is therefore essential for organisations to take appropriate steps to ensure that
their computer and physical security is adequate. Personnel should be carefully vetted.
References should be checked, and this includes temporary and contract staff. The
procedure for vetting and checking should become more stringent when employees are
promoted to greater positions of responsibility, and the greater the amount of personal,
financial or sensitive data to which the employee is privy.
Employers should consider multi-level security, including biometric fingerprinting of
employees and similar procedures, to ensure that employees are only permitted access at a
level appropriate to their role or seniority. Access levels should be reviewed on a frequent
basis.
Employees who leave a firm (for any reason) should immediately be removed from the
security clearance lists and any access to an organisation’s database should be removed.
Security lists should be reviewed regularly to confirm that those who have access still need
it, and that the level of access permitted is no greater than their role requires.
Employers should consider monitoring emails and communications in order to prevent
fraud and other forms of cybercrime where it is warranted, but they should inform
employees in general that this is likely to occur.
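The access review described above can be carried out mechanically once a firm has two exports to hand: the access list from its systems and the current roster from personnel. The following is an added example, not part of the original article; the role-to-level mapping, user names and both exports are constructed for illustration. It flags leavers and unknown accounts that still hold access, and active staff whose access level exceeds what their role permits.

```python
"""Access review: reconcile a system access list against an HR roster.

Added example (not from the original article). It checks the two things the
text asks for: that leavers no longer hold any access, and that nobody holds
access above the level their role permits. All names and levels are constructed.
"""
from dataclasses import dataclass

# Maximum access level each role may hold. Hypothetical values for the example.
ROLE_MAX_LEVEL = {
    "clerk": 1,
    "supervisor": 2,
    "finance_manager": 3,
    "it_admin": 4,
}

# Constructed HR roster: user -> (status, role). "left" means no longer employed.
HR_ROSTER = {
    "asmith": ("active", "clerk"),
    "bjones": ("active", "supervisor"),
    "cwhite": ("left", "finance_manager"),
    "dgreen": ("active", "it_admin"),
    "tempx": ("left", "clerk"),  # a contractor whose engagement has ended
}

# Constructed access list: (user, system, level), as exported from an access control system.
ACCESS_LIST = [
    ("asmith", "ledger", 1),
    ("bjones", "ledger", 3),   # above what a supervisor may hold
    ("cwhite", "ledger", 3),   # leaver still holding access
    ("cwhite", "payroll", 3),
    ("dgreen", "ledger", 4),
    ("tempx", "hr-db", 1),     # contractor still on the list
    ("ghost", "ledger", 2),    # account with no HR record at all
]


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    level: int
    reason: str


def review_access(access_list, roster, role_max_level):
    """Return one Finding per access entry that should be revoked or reduced."""
    findings = []
    for user, system, level in access_list:
        record = roster.get(user)
        if record is None:
            findings.append(Finding(user, system, level, "no HR record"))
            continue
        status, role = record
        if status != "active":
            findings.append(Finding(user, system, level, "leaver"))
            continue
        max_level = role_max_level.get(role, 0)  # unknown role permits nothing
        if level > max_level:
            findings.append(Finding(user, system, level,
                                    f"level {level} exceeds role maximum {max_level}"))
    return findings


def revocations(findings):
    """Users whose access should be removed outright: leavers and unknown accounts."""
    return sorted({f.user for f in findings if f.reason in ("leaver", "no HR record")})


if __name__ == "__main__":
    for f in review_access(ACCESS_LIST, HR_ROSTER, ROLE_MAX_LEVEL):
        print(f"{f.user:8} {f.system:8} level {f.level}: {f.reason}")
```

Run against real exports, the same two functions give a review team a list to act on: revoke the accounts in `revocations` immediately and take the remaining findings to the employee’s manager to justify or reduce.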
Collaboration with government agencies and professional advisory bodies
Organisations should consider collaborating with governmental and professional advisory
organisations to report how they manage information security and cybercrime threats, and
work with suppliers and users to co-ordinate information on incidents. This will assist businesses
in plugging the knowledge and information gaps, assessing where risk management
procedures are lacking and where a business’s vulnerabilities lie.
In connection with this, organisations may find it of great assistance to collaborate with
government and industry advisory bodies to produce educational materials on the nature of
cybercrime, why it has posed a problem for their particular business and how they have
obtained information and guidance on the subject.
Ultimately, reviewing existing guidance and producing further guidance on basic information
security requirements and good risk management practice to combat cybercrime
could be used to produce a ‘superhighway code’. This would ideally take into account
BS 7799, organisations established by the Information Systems Audit and Information
Control Association and also the work of the IT Governance Institute in the United States.
The aim is to eventually raise general awareness among industry, accountancy and the
legal professions of the law relating to cybercrime and its effective precaution.
Compliance
No procedure or control is effective unless properly implemented throughout an organisation.
Regular checks must be undertaken in order to ensure that all necessary controls are
being adequately implemented by employees at all levels, short cuts are not used in such a
way as to dilute the effectiveness of controls, and that the controls remain effective in the
light of changes in the law or in the development of the organisation’s business.
Dos and don’ts for computer-based information
Computer evidence or data is fundamentally different from, say, paper evidence. Just the act
of turning on a computer can change a whole series of dates and times and invalidate its use
in a court or tribunal. Therefore, a few basic principles need to be followed when dealing
with potentially valuable computer evidence.
Do:
fully assess the situation before taking any action;
isolate the computer so that it cannot be tampered with;
record where the computer is based and all who had access to it;
consider securing all relevant logs (eg building access logs, server logs, Internet logs)
and any CCTV footage at the earliest opportunity;
call in IT security staff or external consultants as appropriate.
Then ask the relevant expert to:
disconnect the relevant computers from your network;
restrict remote access;
take an ‘image’ copy of the computer.
Don’t:
alert any of the potential suspects;
call in your own IT support staff (they often change evidence inadvertently);
turn on the computer if it is switched off;
turn off the computer if it is turned on;
move the computer if it is switched on;
make a copy of the computer;
examine electronic logs without first ensuring that they are preserved elsewhere.
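The last ‘don’t’ above, examining logs before they are preserved elsewhere, is the one most often broken by well-meaning staff. The following is an added example, not from the original article, of the minimum a preservation step should do for a log file: copy it with its timestamps intact, hash the source and the copy, refuse to continue if they differ, and write a custody record naming the machine’s location, the custodian and everyone known to have had access. Disk imaging of the whole computer is left to the expert, as the text advises; the paths, names and sample log lines here are constructed.

```python
"""Preserve a log file before anyone examines it, and record chain of custody.

Added example (not from the original article). Copies the log to a preservation
area with its modification time intact, hashes source and copy with SHA-256,
refuses to proceed if they differ, and writes a custody record. All paths,
names and sample log lines are constructed for the example.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_log(source: str, preserve_dir: str, location: str,
                 custodian: str, had_access: list) -> dict:
    """Copy the log untouched, verify the copy by hash, and write a custody record.

    Returns the record; raises if the copy does not verify against the source.
    """
    os.makedirs(preserve_dir, exist_ok=True)
    st = os.stat(source)  # capture size and mtime before anything else touches the file
    source_hash = sha256_file(source)
    dest = os.path.join(preserve_dir, os.path.basename(source) + ".preserved")
    shutil.copy2(source, dest)  # copy2 keeps the modification time, unlike plain copy
    copy_hash = sha256_file(dest)
    if copy_hash != source_hash:
        raise RuntimeError("preserved copy does not match source; do not rely on it")
    record = {
        "source_path": os.path.abspath(source),
        "preserved_copy": os.path.abspath(dest),
        "sha256": source_hash,
        "source_size": st.st_size,
        "source_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "preserved_at_utc": datetime.now(timezone.utc).isoformat(),
        "machine_location": location,
        "custodian": custodian,
        "had_access": sorted(had_access),
    }
    with open(dest + ".custody.json", "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_preserved(record: dict) -> bool:
    """Later check: does the preserved copy still hash to what the record says?"""
    return sha256_file(record["preserved_copy"]) == record["sha256"]


def demo() -> dict:
    """Run the procedure against a constructed log in a fresh temporary directory."""
    work = tempfile.mkdtemp(prefix="evidence-")
    log = os.path.join(work, "server.log")
    with open(log, "w", encoding="utf-8") as fh:  # constructed sample lines
        fh.write("2003-04-01 09:12:03 login user=jdoe src=10.0.0.12 result=ok\n")
        fh.write("2003-04-01 09:14:47 transfer acct=4471 amount=25000 dest=EXT\n")
    return preserve_log(log, os.path.join(work, "preserved"),
                        location="Finance office, floor 2, desk 14",
                        custodian="A. Investigator",
                        had_access=["jdoe", "night cleaner", "IT support"])


if __name__ == "__main__":
    rec = demo()
    print(json.dumps(rec, indent=2))
    print("verified:", verify_preserved(rec))
```

Analysts then work from the preserved copy only, and `verify_preserved` is run again before anything derived from it is relied upon, so that any later change to the copy is detected rather than silently carried into a report.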
The Institute of Chartered Accountants in England and Wales (ICAEW) is the
largest professional accountancy body in Europe, with over 122,000 members. For
more information on its Fraud Advisory Panel email info@fraudadvisorypanel.org.
Security as standard
By emphasising management systems, the British Standards Institute is hoping
to help companies improve their security from the inside out.
‘Walls have ears’ – this slightly surreal cautionary wartime note was one of the first
warnings about confidentiality that most of the British public had ever heard. But it
presaged an imperative that was soon accepted by almost every organisation in every
country in the world – the need for caution, thoroughness and foresight in avoiding the leak
of business-critical information to enemies or competitors.
In three decades the battlefront has moved from the waste bin and the pub to IT,
telemetry and corporate governance.
Of course, the stakes are now so high that information security has spawned a whole
industry – and a rewarding one. But different organisations have approached it in different
ways. Perhaps because matters of confidentiality and security are discussed only ‘on a need
to know basis’. Perhaps because the technology of espionage and counter-espionage is so
precious it’s kept close to the chest. And perhaps because bosses and IT managers don’t like
to deal with outside authorities on matters so intimate.
Varying standards of security equipment are permissible. You get what you pay for –
and anyway there are British standards (BS) and international standards (ISO) to cover
product and service quality, aren’t there?
But what about best practice in the organisations that wish to be protected? How do
they know they’re following the right approach? Equally important, how can their suppliers
and customers be reassured that their own confidential information and trading secrets are
not being misused?
Establishing the standards
Towards the end of the last millennium the British Standards Institute knuckled down to
establishing an information security standard. Following extensive consultation with
industries and organisations all over the world, they developed BS 7799 Part 1 Information
Security Management – Code of practice for information security management and BS
7799 Part 2 Information Security Management – Specification for information security
management systems.
BS 7799 promoted protection for intellectual property, in the same way that material
goods have traditionally been protected. It reminded us of how important a business reputation
can be to customer confidence and, ultimately, to profits. Amongst its benefits, the
promotional material listed ‘fewer crises’ and ‘less risk of litigation’.
An Audit Commission survey of 900 UK organisations revealed that half of the public
sector organisations interviewed and a third of private sector companies had been affected
by IT fraud or abuse.
The professional world was quickly coming to the conclusion that a simple lapse in
information security can damage an organisation’s credibility, reduce customer confidence
and, ultimately, damage profits.
The whole point of establishing standards is to promote the widespread standardisation
of working practice; so it was inevitable that such a significant business issue was recognised
to be a universal problem – one demanding a worldwide standard. Thus, it was only a
matter of time before the British standard BS 7799 Part 1:1999, became the internationally
recognised ISO standard ISO/IEC 17799:2000, Code of Practice for Information Security.
In the few years between the development of the original BS 7799 and the ISO/IEC
17799 standards, there had been a sea change in BSI’s philosophy: the institution recognised
that standards alone could be viewed as prescriptive and restrictive – that is, if you
hadn’t got the working practices in place to meet the relevant criteria, the standard would be
perceived as little more than a set of rules.
The new enlightened view was that what businesses need is management systems – in
short, the structure, philosophy and working methods that inherently meet the values
defined by the standard. This led to the development and release of BS 7799–2:1999 and
subsequently to the release of the revised standard BS 7799 Part 2:2002 – Information
Security Management Systems: Specification with Guidance for Use. Part 2 of BS 7799
then becomes a basis for the organisation’s own information security management system
(ISMS).
By emphasising management systems, BSI was more able to help organisations to
improve their efficiency from the inside out, whereas an emphasis on standards meant
change from the outside in. BS 7799–2:2002 introduces a better way of working, based on
a management system that, with its in-built facility for constant improvement, is
self-perpetuating.
Nowhere was there a greater need for consistent, focused working patterns and
management practices than in the field of information security. It is a field in which care and
attention have to permeate throughout the organisation – from the CEO to the casual
cleaner. This was a management system that could not afford to be the concern solely of the
quality manager or the CEO or the IT manager – it demanded commitment from everyone
in the organisation.
Both the BS and ISO/IEC standards address the issues related to conventional paper-based
information systems, analogue communications, digital communications and IT-based
information systems. It is worth noting that the original BS standard was conceived
during the hysteria of the ‘dotcom bubble’ – it was, rightly, perceived that the speed and
prevalence of email and other digital communication posed a phenomenal risk to information
security. Data was travelling faster and further than ever before, and could be readily copied
and compressed into ever-smaller media.
What the international standard covers
So what does the ISO/IEC 17799:2000 document address? It provides guidelines on how
the various controls that are identified in BS 7799–2:2002 Annex A can be implemented by
an organisation developing an Information Security Management System (ISMS).
Although providing detailed information on these controls, it should be remembered that
the end-user is advised to use the controls as appropriate to their business, and to identify
and implement other controls that they may determine to be more suitable to their business.
However, wherever possible the ISO/IEC 17799:2000 document should be used in parallel
with, and as a supporting document for, any registration or compliance statement to BS
7799–2:2002.
An ISMS, as defined in BS 7799–2:2002, must cover all of the following:
management responsibility including management commitment, and resource
management;
management review of the ISMS including review input, review output and internal
audits;
ISMS improvements including continual improvements, corrective actions and preventative
actions;
a security policy – a document that demonstrates management support and commitment
to the ISMS process;
security organisation – a management framework to implement and sustain information
security within your organisation;
asset classification and control – an inventory of assets, with responsibility assigned for
maintaining security;
personnel security – job descriptions for all staff, outlining their security roles and
responsibilities;
physical and environmental security – a definition of the security requirements for your
premises and the people within them;
communications and operations management – a method of ensuring that your communications
operate within secure parameters;
access control – network management to ensure that only authorised people have access
to relevant information, and to protect the supporting infrastructure;
systems development and maintenance – to ensure that IT projects and support activities
are conducted securely, using data control and encryption where necessary;
business continuity management – a managed process for protecting critical business
processes from major disasters or failures;
compliance – evidence of your commitment to meet statutory or regulatory information
security requirements, for your clients, employees and relevant authorities.
Most organisations will already have some of these in place, but few will be doing everything.
BSI client managers are experienced in working with companies to evaluate their
current system’s merits, and in guiding them through the steps necessary to develop their
management system to the point where it can be registered under the standard.
BSI have developed client service into a fine art – they can arrange training schemes to
train clients’ staff, they can provide written and digital training materials for self-study and
they arrange regular seminars all over the country to introduce thought-provoking and
informative angles on BS 7799–2:2002 and other management systems.
Through its intimate relationship with businesses all over the world, BSI has learned
very graphically that standards – and, indeed, management systems – are not an end, but
merely a means. But to what?
Benefits
The benefits are expressed as ‘benefiting the bottom line’ – that is, supporting the private
sector objectives of efficiency and profitability – although, clearly, non-profit-making
organisations stand to benefit in other no less valuable ways. When you consider the health,
education and police services, it’s obvious that BS 7799–2:2002 could be even more
relevant to the public sector.
The direct and indirect benefits of operating a management system based on BS
7799–2:2002 include:
improved employee motivation;
increased efficiency;
better use of time and resources;
cost savings;
increased competitiveness;
increased customer satisfaction;
confidence throughout the supply chain;
fewer crises;
less risk of litigation;
wider market opportunities;
increased profits.
And there are further advantages. BSI point out that once an organisation’s ISMS is registered
to BS 7799–2:2002, it’s in a good position to integrate this system with a quality
management or environmental management system, to create an integrated management
system.
Conclusion
This article began with the slogan ‘walls have ears’. It should end with the slightly more
sinister message that ‘knowledge is power’. Over the years, successive boardroom coups
have demonstrated that information has a tangible value and a very powerful influence over
the fortunes of organisations and individuals.
In today’s broadband, satellite communication world, ISMSs shouldn’t need much
selling. The need for them is obvious – you cannot be unaware of how much information
flows to and from your desktop, your department, your domain.
While the threats are often invisible, it’s reassuring that the solution is tangible and
accessible. BS 7799–2:2002 and its supporting document ISO/IEC 17799:2000 are logical,
practical to implement and easy to sustain. Are you going to go for it? Mind who you tell, or
it’ll be all round the building…
BSI is a group of complementary businesses, all working to the same vision of
support for business improvement and trade worldwide. We believe in the universal
adoption of best management practices, reduction of risk throughout the trading
process and the harmonisation and acceptance of standards by consent as a means of
achieving economic prosperity. For further information contact: BSI Group, 389
Chiswick High Road, London W4 4AL. Tel: +44 (0)20 8996 7720; Website:
www.bsi-global.com