There's an exhibition and conference, Infosecurity, in London next week (26-28 April) about computer security. Naturally, it will talk up the terrific dangers present on the internet. Yet it is true that things have changed, and because networks of traditional criminals seem to have replaced the hacker having fun or acting with random malice, it has probably got worse.
Over the past year e-crime has cost UK business at least £2.4 billion, with 89 per cent of businesses having experienced at least one incident - although that could be just one virus attack. The figures have to be read with caution in that they come from a survey sponsored by the National High Tech Crime Unit (NHTCU) and that the 200 Dun and Bradstreet-listed companies quoted were medium and large businesses, some of them almost certainly e-retailers and natural targets for online crime. The report is summarised at www.nhtcu.org/media/documents/publications/NOP_05.pdf.
The good-ish news is that small and medium businesses are less likely to be targeted, and although such companies fear a variety of attacks, from website vandalism through to fraud and denial-of-service, these did not happen very often. When they did, though, the cost of virus attacks and financial fraud (the two really significant types of online crime) each accounted for around £70 million in 2004. The figures for firms with more than 1,000 staff were higher.
Late last month a new generation of specialist malware was identified.
This is malicious code known as 'rootkits', which takes control of organisations' databases. Hitherto this has been largely a Unix problem, but it is now being deployed in attacks on databases and web applications.
Needless to say, it can only be detected by proprietary software.
Apart from this, what has been worrying the security experts recently (and remember they have a vested interest in keeping us worried about security) is the proliferation of information and media technology. It is not just the fact that people bring it into the office, but that increasingly it is designed for seamless integration with standard office kit.
It is a relatively straightforward matter for IT managers to maintain their servers, desktops and even laptops inside a security structure, even when wireless networks have replaced wired ones. What is much more difficult to do is to work out how to deal with handhelds, mobile phones, smartphones, VoIP phones, iTune-like devices (essentially plug-in memory devices with music-decoding circuitry bolted on), at least one of which the average practice staffer will carry around as a matter of course.
What is the point of running heavy-duty security against virus attacks down the phone line and cable - and over the wireless waves - when every staff member carries a means of penetration in their knapsacks?
There is a natural tendency for practice managers to throw up their hands in despair and rely on the fact that they have a firewall installed between their network and the outside internet world, that they have turned on the WiFi security buttons and regularly run anti-virus and anti-scumware cleaning sessions. What they have failed to do is a risk analysis.
It's not all that difficult to do. You set up a variety of scenarios involving possible online crime: denial of service, website defacement, data theft, unauthorised entry into the network, fraud, misappropriation of identity information, virus/Trojan/worm damage to the system, and so on. You then take a view about which ones are real business risks. Do you have any data worth stealing? Should you continue to provide outsiders with access to data, such as the company performance figures or the most recent building regulations? Is this data safe from some ex-employee altering critical figures and details covertly?
You set costs against these attacks - money, time, damage to reputation.
You take a view of the costs of guarding against the significant risks. And then you work out ways of guarding against them without spending much money.
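The risk analysis just described, carried through in Python as an added example (it is not part of the column, and the figures in it are constructed for illustration only; a real exercise uses the practice's own estimates). The scenarios are the column's own list; each gets a probability per year, a direct cost, lost staff time and a reputation cost, which together give an expected annual loss. Candidate countermeasures are then costed and ranked by net benefit, so that a cheap control against a real risk comes out ahead of an expensive one against a rare or minor one.

```python
"""Worked risk analysis for a small practice (added example, not from the column).

Every number below is constructed for illustration. The method is the one the
column describes: list scenarios, judge which are real business risks, cost
them, then cost the countermeasures and keep the ones that pay.
"""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One online-crime scenario from the column's list."""
    name: str
    annual_probability: float   # chance it happens in a given year (0..1)
    direct_cost: float          # money lost or spent on recovery, in GBP
    staff_hours: float          # time lost, valued at an hourly rate
    reputation_cost: float      # estimated damage to reputation, in GBP

    def expected_annual_loss(self, hourly_rate: float) -> float:
        """Probability-weighted cost of the scenario over one year."""
        impact = self.direct_cost + self.staff_hours * hourly_rate + self.reputation_cost
        return round(self.annual_probability * impact, 2)


@dataclass
class Control:
    """A countermeasure, its yearly cost, and the share of each risk it removes."""
    name: str
    annual_cost: float                              # includes staff time the control costs
    reduction: dict = field(default_factory=dict)   # scenario name -> fraction removed (0..1)


HOURLY_RATE = 50.0  # constructed: blended cost of one staff hour, in GBP

# Constructed estimates for the column's scenario list.
SCENARIOS = [
    Scenario("virus/Trojan/worm damage", 0.8, 3000, 40, 0),
    Scenario("data theft", 0.05, 20000, 80, 30000),
    Scenario("website defacement", 0.2, 500, 8, 5000),
    Scenario("denial of service", 0.1, 2000, 16, 1000),
    Scenario("ex-employee altering figures covertly", 0.1, 10000, 40, 15000),
]

# Constructed candidate controls with the share of each scenario they remove.
CONTROLS = [
    Control("anti-virus on every machine, kept updated", 1500,
            {"virus/Trojan/worm damage": 0.7}),
    Control("remove leavers' accounts promptly", 200,
            {"ex-employee altering figures covertly": 0.9, "data theft": 0.3}),
    Control("hardened hosting with DoS filtering", 6000,
            {"denial of service": 0.8, "website defacement": 0.5}),
    Control("ban removable media outright", 4000,   # cost is mostly lost staff productivity
            {"virus/Trojan/worm damage": 0.3, "data theft": 0.2}),
]


def rank_scenarios(scenarios, hourly_rate=HOURLY_RATE):
    """(name, expected annual loss) pairs, largest loss first; ties by name."""
    losses = [(s.name, s.expected_annual_loss(hourly_rate)) for s in scenarios]
    return sorted(losses, key=lambda item: (-item[1], item[0]))


def material_risks(scenarios, threshold, hourly_rate=HOURLY_RATE):
    """Names of the scenarios whose expected loss exceeds the practice's threshold."""
    return [name for name, loss in rank_scenarios(scenarios, hourly_rate) if loss > threshold]


def control_net_benefit(control, scenarios, hourly_rate=HOURLY_RATE):
    """Loss avoided by the control minus what it costs, per year."""
    loss_by_name = {s.name: s.expected_annual_loss(hourly_rate) for s in scenarios}
    avoided = sum(loss_by_name[name] * frac for name, frac in control.reduction.items())
    return round(avoided - control.annual_cost, 2)


def rank_controls(controls, scenarios, hourly_rate=HOURLY_RATE):
    """(name, net benefit) pairs, best first; a negative value means it does not pay."""
    scored = [(c.name, control_net_benefit(c, scenarios, hourly_rate)) for c in controls]
    return sorted(scored, key=lambda item: -item[1])


if __name__ == "__main__":
    print("Scenarios by expected annual loss:")
    for name, loss in rank_scenarios(SCENARIOS):
        print(f"  {name:40s} £{loss:9.2f}")
    print("Controls by net benefit:")
    for name, net in rank_controls(CONTROLS, SCENARIOS):
        print(f"  {name:40s} £{net:9.2f}")
```

With these constructed figures the cheapest control (closing leavers' accounts) comes out well ahead, while the blanket ban on removable media costs more in lost productivity than it saves, which is the trade-off the next paragraph raises.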
Some firms rely on strict rules about staff never themselves installing applications on their office computers and about never inputting data from outside sources (once it was floppies, now it's CDs and DVDs) and MP3 player data, handheld data and phone data. But before you implement this kind of security, you have to ask whether such restrictions on staff interfere too grossly with their ability to use computers usefully. Computers should be an aid to people's work, not vulnerable points in an electronic security edifice.
One thing any responsible practice director will call for is a damage limitation plan. What does the practice do when the electronic unthinkable actually happens? Like a good fire-evacuation plan, the computer catastrophe plan needs to be worked out, rehearsed and drummed into staff. Do you just pull the plugs? Do you do an orderly close-down retreat?
What happens if the CAD people haven't saved the morning's work?
What happens if there is a fire and a computer catastrophe? Back to the drawing board.