COMPUTER CRIMES

Computer crimes encompass unauthorized or illegal activities perpetrated via computer as well as the theft of computers and other technological hardware. As firms of all sizes, industrial orientation, and geographic location increasingly rely on computers to operate, concerns about computer crime have also risen, in part because the practice appears to be thriving despite the concerted efforts of both the law enforcement and business communities to stop it. But computer experts and business consultants alike note that both international corporations and modest family-owned businesses can do a great deal to neutralize computer "viruses" and other manifestations of computer crime.

Many analysts believe, however, that small business owners are less likely to take steps to address the threat of computer crime than are larger firms. Indeed, many small businesses admit that they are passive about the threat because of costs associated with implementing safeguards and the perception that computer "hackers" and other threats are far more likely to pick on bigger companies. But as Tim McCollum flatly stated in Nation's Business, "companies increasingly are falling prey to hackers, computer thieves, software viruses, and, in particular, unauthorized and often illegal activities by their own employees. In fact, chances are that sooner or later most companies will become victims of high-tech crime …[and] when computer criminals strike, small-business victims can suffer relatively more than large corporations, whose bottom lines are more resistant to damage from any single theft of equipment or information."

Indeed, computer crime statistics in the United States are sobering. In 2000, for instance, a study commissioned by the Federal Bureau of Investigation (FBI) indicated that 85 percent of business respondents—which included companies of all sizes and orientations—said that they had been victimized by at least one computer-related crime in the previous year. These crimes ranged from problems of epidemic proportions, such as virus infection, to less prevalent but still serious problems like Web site defacement, denial of service attacks, financial fraud, sabotage, and network break-ins. The financial losses associated with computer crime more than doubled between 1999 and 2000 to reach $265 million. Other experts offer similarly grim evaluations of the hardware theft problem. A computer-insurance company in Ohio called Safeware, for instance, estimated that American businesses lost $1.4billion in 1996 to the theft of computers.

THE BIRTH OF "HACKING"

Early use of the term "hacker" was applied to computer hobbyists who spent their spare time creating video games and other basic computer programs. However, this term acquired a negative connotation in the 1980s when computer experts illegally accessed several high-profile databanks. Databases at the Los Alamos National Laboratory (a center of nuclear weapons research) and the Sloan-Kettering Cancer Center in New York City were among their targets. The introduction of relatively inexpensive personal computers and modems helped make this pastime affordable; the use of regular telephone lines as accessways made it possible. Over time, the designation "hacker" came to be associated with programmers and disseminators of computer viruses, and the public perception of hackers continues to be one of lone computer experts with a taste for mischief or mayhem. But "hacking" has come to encompass a wide range of other computer crimes as well, many of them primarily grounded in efforts to make money. Indeed, the vital information kept in computers has made them a target for corporate espionage, fraud, and embezzlement efforts.

INTERNAL AND EXTERNAL THREATS

As criminologist and computer-insurance executive Ron Hale indicated to Tim McCollum of Nation's Business, one of the most unsettling facts about computer crime is that the greatest threat to information security for small businesses is their employees. As McCollum noted, "a company's employees typically have access to its personal computers and computer networks, and often they know precisely what business information is valuable and where to find it." The reasons for these betrayals are many, ranging from workplace dissatisfaction to financial or family difficulties.

Computer crimes perpetrated by outsiders are a major threat too, of course, but whereas employees often abscond with sensitive information or attempt to benefit financially when engaging in illegal activities, outsiders are more likely to engage in behavior that is simply destructive (i.e., computer viruses). Some security experts believe that the continued threat of outside "hackers" is due at least in part to the growing number of employees who engage in "telecommuting" via modem and the swelling ranks of company networks hooked to the Internet. These connections can be used to infiltrate computer systems. The damage wreaked by outside intruders can be significant and wide-ranging. As Scott Charney, chief of the U.S. Justice Department's section on computer crime, told Nation's Business, many companies never find out that information has been stolen, while other businesses are heavily damaged by the incursion. Yet many companies do not report thefts and other security breaches that they do discover because they fear that the publicity will result in a loss of prestige and/or business.

VIRUSES The most common outside threat to a business's computer network is the virus. Indeed, the National Computer Security Association (NCSA) estimated that in 1996, two out of three U.S. companies were affected by one or more of the estimated 16,000 computer viruses that were floating around the country at that time. "Viruses infect your machine by attaching themselves to programs, files, and start-up instructions," wrote Cassandra Cavanah in Entrepreneur. "There are two main types of computer viruses: macro and binary. Macro viruses are written to attack a specific program…. Binary viruses are either actual programs designed to attack your data or attach themselves to program files to do similar destruction. Binary viruses are the ones to be concerned with; they can reformat your hard drive, wipe out data and stop your operating system from working. The best way to fight these bugs is to avoid them—but in today's word of Internet downloads and e-mail file exchanges, this is an impossible task." Luckily for small business owners, a wide variety of anti-virus software programs are available at computer stores and on the Internet (the latter can be downloaded).

SECURITY MEASURES

Computer security is concerned with preventing information stored in or used by computers from being altered, stolen, or used to commit crimes. The field includes the protection of electronic funds transfers, proprietary information (product designs, client lists, etc.), computer programs, and other communications, as well as the prevention of computer viruses. It can be difficult to place a dollar value on these assets, especially when such factors as potential loss of reputation or liability issues are considered. In some cases (e.g., military and hospital applications) there is a potential for loss of life due to misplaced or destroyed data; this cannot be adequately conveyed by risk analysis formulas.

The question most companies face, then, is not whether to practice computer security measures, but how much time and effort to invest. Fortunately, companies looking to protect themselves from computer crime can choose from a broad range of security options. Some of these measures are specifically designed to counter internal threats, while others are shaped to stop outside dangers. Some are relatively inexpensive to put in place, while others require significant outlays of money. But many security experts believe that the single greatest defense that any business can bring to bear is simply a mindset in which issues of security are of paramount concern. "Firewalls, security scanners, antivirus software, and other types of security technology aren't enough to prevent high-tech crime," said Nation's Business. "Real prevention begins by formulating a company security policy that details—among other matters—what information is valuable and how to protect it."

PROTECTION FROM INTERNAL THREATS Whereas big corporations typically have entire departments devoted to computer system management, small businesses often do not have such a luxury. "In a small business, the system administrator could be anyone from a secretary to the CEO," wrote Lynn Greiner in CMA—The Management Accounting Magazine. "Whoever it is, you can almost guarantee it'll be a busy person who has the duties tacked on to his or her job description. And you can also almost guarantee that this unlucky soul will have few if any resources, and probably no training to help with the burden of keeping the corporate systems running. Fortunately, the technology has advanced to a level that allows administrators to ensure the stability and security of their computer systems, without spending too much time or money."

Common-sense measures that can be taken by managers and/or system administrators to minimize the danger of internal tampering with computer systems include the following:

• Notify employees that their use of the company's personal computers, computer networks, and Internet connections will be monitored. Then do it.
• Physical access to computers can be limited in various ways, including imposition of passwords; magnetic card readers; and biometrics, which verifies the user's identity through matching patterns in hand geometry, signature or keystroke dynamics, neural networks (the pattern of nerves in the face), DNA fingerprinting, retinal imaging, or voice recognition. More traditional site control methods such as sign-in logs and security badges can also be useful.
• Classify information based on its importance, assigning security clearances to employees as needed.
• Eliminate nonessential modems that could be used to transmit information.
• Monitor activities of employees who keep odd hours at the office.
• Make certain that the company's hiring process includes extensive background checks, especially in cases where the employee would be handling sensitive information.
• Stress the importance of confidential passwords to employees.

PROTECTION FROM EXTERNAL THREATS Small businesses also need to gird themselves against out-side intruders. "As with employee crime, the best protection against attacks by outsiders are matters of common sense," said McCollum. "Companies can buy a technological barricade called a firewall and position it between their internal networks and external ones, but hackers often can get in anyway because the firewall hardware and software are poorly configured or are not activated. One way to avoid these problems is to pay outside experts to carry out these complex configuration and installation chores." Of course, good firewalls tend to be expensive (some cost $20,000 or more), but lower cost alternatives have made their way into the marketplace in recent years.

The single greatest scourge from the outside is, of course, the computer virus. But business owners can do much to minimize the threat from viruses by heeding the following basic steps:

• Install and use anti-virus software programs that scan PCs, computer networks, CDROMs, tape drives, diskettes, and Internet material, and destroy viruses when found.
• Update anti-virus programs on a regular basis.
• Ensure that all individual computers are equipped with anti-virus programs.
• Forbid employees from putting programs on their office computers without company approval.
• Make sure that the company has a regular policy of backing up (copying) important files and storing them in a safe place, so that the impact of corrupted files is minimized. Having a source of clean (i.e., uninfected by viruses) backup copies for data files and programs is as important as it is elementary.

A variety of sources exist to assist small business owners with virus protection and Internet security measures. For example, several Web sites provide free virus warnings and downloadable antivirus patches for Web browsers. The Computer Security Institute provides annual surveys on security breaches. Another useful resource is the National Computer Security Association, which provides tips on Internet security for business owners and supplies definitions of high-tech terms.

Small businesses seeking to establish Internet security policies and procedures might begin by contacting CERT. This U.S. government organization, formed in 1988, works with the Internet community to raise awareness of security issues and organize the response to security threats. The CERT Web site posts the latest security alerts and also provides security-related documents, tools, and training seminars. Finally, CERT offers 24-hour technical assistance in the event of Internet security breaches. Small business owners who contact CERT about a security problem will be asked to provide their company's Internet address, the computer models affected, the types of operating systems and software used, and the security measures that were in place.

HARDWARE THEFT

Although computer viruses and other high-tech threats cause the most dread within the business community, the most common type of computer crime actually involves the theft of computer hardware. Unfortunately, employees are often the culprits with this type of crime as well, especially if they work shifts after business hours. Other losses are attributed to outsiders who abscond with computers through elementary breaking-and-entering means. Security experts, though, say that companies can do a lot to cut down on such losses simply by maintaining accurate and up-to-date equipment inventories; locking up hardware that is not in use; locking computers and monitors to desks; and attaching electronic tags to computers. The latter device emits a radio-frequency signal that can activate video cameras or set off alarms when the computer is removed from the premises. Finally, companies should make sure that they purchase adequate insurance.

Business travelers, meanwhile, need to keep a close eye on their notebook and desktop computers, which are highly coveted by thieves. Indeed, the allure of these portable computers is so great that thieves sometimes work in teams to get their hands on them. Airports and hotels are favorite haunts of thieves looking to make off with these valuable items. Security experts thus counsel business travelers to be especially vigilant in high traffic areas, to carry computer serial numbers separately from the hardware, and to consider installing locks, alarms, or tracing software.

NON-CRIMINAL SECURITY THREATS

Of course, not all threats to computer well-being come from parties with criminal intent. Savvy small business owners will make sure that their computers—including data as well as hardware—are protected from environmental disaster (power surges, floods, blizzards, fires, etc.) and operator incompetence alike.

Any computer security program should include elements that reflect an understanding of the basic environmental conditions a computer requires in order to operate properly. Ensuring that the system receives adequate power is paramount. Drops in voltage or blackouts can occur due to utility switching problems, stormy weather, or other difficulties at the utility company. In such instances, computers may lose unsaved data or fall victim to "disk crashes." Computer systems can also be endangered by sharp increases in voltage, known as "spikes," which can seriously damage hardware. A variety of voltage regulators, surge protectors, grounding techniques, and filters exist to combat these problems. In the 1990s, intense activity centered on the development of uninterruptible power systems that use storage batteries to ensure a smooth transition between power sources in the event of power failure. Local area networks as well as individual computers can be protected by these devices.

Fire is another important threat to computer systems. Their susceptibility to fire damage is exacerbated by the flammability of paper supplies likely to be stored in close proximity. Plastics used in the manufacture of computers can produce explosive gases when exposed to high temperatures. Moreover, common fire prevention measures such as water sprinklers can further damage computers, especially if the computers are under active power. The use of fire-resistant construction materials, fire walls, vent closure systems, etc., are standard ways to mitigate the threat of fire. Carbon dioxide and Halon 1211 gas extinguishers are suitable for use near electronic equipment because they do not leave a residue.

Other physical security concerns include protection against excessive heat, humidity, and water, which can be introduced by flooding, burst pipes, and other unfortunate developments. Of course, computers and other electronic equipment also suffer damage from less dramatic sources, such as spilled coffee, airborne particles, and cigarette smoke, so coverings made of plastics and other materials have become standard in many firms that rely on computers. But these safeguards will be of little use in the face of more serious situations. Organizations vitally dependent on data processing facilities should prepare contingency plans for disasters such as hurricanes, earthquakes, or blizzards. Ideally, backup facilities should be located far enough away so that they will not be damaged along with the original system in the event of catastrophe.

FURTHER READING:

Avolio, Frederick M. "Building Internet Firewalls." Business Communications Review . January 1994.

Belsie, Laurent. "Firewalls Help Protect Internet from Attack of the Hackers." Christian Science Monitor . April 29, 1994.

Cavanah, Cassandra. "Get the Bugs Out: Cure Your Computer's Ills with Anti-Virus Software." Entrepreneur. September 1997.

"Develop a Company Policy." Nation's Business. November 1997.

Gibson, Stan. "Hacking: It's a Mad, Mad, Mad New World." eWeek. January 1, 2001.

Greiner, Lynn. "Small Business: Managing Your System." CMA—The Management Accounting Magazine. September 1996.

Karp, Josh. "Small Businesses Often Target of Cybercrime; Lack of IT Expertise Leads to Vulnerability." Crain's Chicago Business. February 19, 2001.

McCollum, Tim. "Computer Crime: The Era of Electronic Innocence Is Over." Nation's Business. November 1997.

Morgan, Lisa. "Be Afraid …Be Very Afraid—Malicious Attacks Are on the Rise, and Trends Are Harder to Predict." Internet Week. January 8, 2001.

Steffora, Ann, and Martin Cheek. "Hacking Goes Legit." Industry Week . February 7, 1994.

SEE ALSO: Internet Security