Printer Friendly

Computer crime: detection and prevention.

Computer Crime: Detection and Prevention

Computer hackers, the white collar criminals of today, are infiltrating the corporate world, tampering with confidential files and creating a real nightmare for many companies. These hackers know data processing and use their technical skills to break into a computer system, either for fun or for profit. Computer crime includes not only outright theft of vital information, but also unauthorized access to files, misuse of data, and manipulation of company funds.

The average cost of computer crime reported between 1985 and 1987 ranged from $76,000 to $92,000. Most computer crimes, however, were estimated at $10,000 or less.

The cost of computer crime is highest among banks, government, and industry. Businesses are twice as likely to experience computer crime if their company employs a large number of people with widespread access.

Computer systems contain the company's most important data: sales, inventory, receivables, payroll, financial statements, and customer lists. These records are valuable, confidential, and dangerously vulnerable. But what methods can be used to prevent computer crime?

Types of computer theft

Before planning computer security, it is important to understand the different types of computer abuses and the security systems available. * Program theft. Computer programs themselves are subject to theft. A great deal of property and information theft is a result of what is known as the "differential association" theory. This theory explains that the perpetrator's acts are reinforced by his or her associates because they differ only slightly from accepted and common business practices. Most feel that it is not a crime to take pens from the office. And so it is with program theft.

Programmers rationalize these "borrowings" and to some extent they become accepted practices within individual firms. Whether a program will be of value to anyone else or not, its continued use is often vital to the owner of the program. * Theft of services. Theft of services, sometimes called theft of computer time, is different from that of property theft, however, because there is no physical loss. For example, several years ago, two programming supervisors employed by a large computer company used the company's computer to program detailed orchestral arrangements. These programs were then sold to bands and music stores. Over three years, the company lost more than $144,000 worth of computer time. This type of theft, which is intangible, is a serious offense. Companies have lost hundreds of thousands of dollars due to such crimes. * Vandalism. Computer crime is not always committed by corporate employees. Often hackers are youngsters in their early teens. Students are learning about computers in elementary school and are becoming skilled technicians, using computers to play mischievous games.

Software sabotage can alter or erase important data. Miniprograms, like "worms" and "viruses," use very little memory and are, therefore, virtually invisible. These programs infect the computer and can alter a system's fundamental operations. Such programs are easy to create and would take a novice approximately 20 hours to write. * Embezzlement by computer. Perhaps the greatest and most widely recognized computer crime is financial fraud and theft. In 1983, the Federal Bureau of Investigation solved 7,811 bank fraud and embezzlement cases involving $282.1 million - almost seven times more money than was stolen that year by bank robbers.

Computer crime is on the rise because there is a lack of risk involved. Many companies fear adverse publicity, lawsuits by persons whose records have been exposed, and charges that their computer systems are not secure. Therefore, only a few companies choose to press charges against computer trespassers.

There are other reasons why companies are reluctant to report computer crime. Some companies take the "head in the sand" attitude because of the dollars and cents involved. Instead of thinking of the vast sums that could be better protected, they tend to focus on the costs involved in improving their computer security.

Another reason a company may play ostrich is the fear of unfavorable publicity. If word gets out that a bank or insurance company has been robbed by computer hackers, it might make that company look less secure to the public.

Protecting data

Companies that plan to improve their computer security systems have a wide range of choices. There are several options that can be used to protect computer systems, including federal law, offsite storage, auditors, software packages, and voice identification. Each offers different benefits to the company. * Computer crime legislation. On June 3, 1986, a law was passed by the U.S. House of Representatives which made it a federal crime to trespass into federal interest computers, such as banks and brokers, and which imposed harsh punishments of $1,000 or more in damages. It became a misdemeanor to traffic computer passwords, as is often done with computer bulletin boards. However, the bill poses a problem in that it only covered government systems.

More than 40 states also protect businesses from unauthorized and illegal use of computers. With these federal and state laws in place, perpetrators may be hesitant to commit computer crimes because of the legal consequences. * Offsite storage. To protect records from perpetrators and natural disasters, many companies choose to store backup information in vaults outside of their offices. Construction details and security practices together can make a corporation's records fireproof, burglar proof, and vandalism free.

An offsite storage firm should be located far enough away from a company's office to protect the information from disasters, such as earthquakes and fires yet close enough so that backup data can be obtained almost immediately. The building should not identify the company's name nor should the courier trucks transferring the documents. The vaults should be fireproof, temperature, and humidity controlled, and well protected from water damage.

Effective security practices can make these offsite storage houses better protected from unauthorized personnel. The vaults should be guarded at all times by security personnel. Companies might also consider card key access to computer rooms for authorized employees, as well as alarm systems and television camera surveillance.

Offsite data storage firms are a good alternative for small companies because they are relatively inexpensive. Monthly storage costs can range from 30 cents to 70 cents per cubic foot. Some companies offer small security lockers for personal computer users to store disks and other data. * The EDP auditor. After the Equity Funding fraud in 1973, a new profession was developed to help solve the problem of computer crime, that of the electronic data processing (EDP) auditor. Today, professional committees, such as the EDP Auditors Association and the Institute of Internal Auditors, are carrying out research and educational projects in EDP. The American Institute of Certified Public Accountants and large CPA firms are working on developing their training programs and auditing standards to catch up with that of the EDP auditors.

The problem with EDP auditors is that they must have extensive controls built into the data processing systems in order to perform their job. Yet, they are often unfamiliar with the jargon of the programmer and analyst. And, by specifying too rigorous controls, the auditors and line data processing functions may forfeit their independence.

To solve this problem; a team approach has been developed. The EDP specialist joins the accounting auditors and works side by side with them on technical problems. EDP auditing is an important method of security, not so much to eliminate computer crime, but to contain crime until a more technical solution can be developed. * Programmed software. Perhaps the most widely used security measure is that of programmed software. Ranging from simple password programs to the most detailed government protection software, these programs limit computer usage and record who uses the computer at any given time.

Some companies choose to protect their computer systems with identification and password requirements. By feeding the computer the proper series of numbers or letters, individuals are given access to information specified for the password. Currently 7 in 10 companies use software to access computer-based information.

"Tempest" is a government program that eliminates or muffles signals from machines used by defense contractors, military, and security agencies.

Manufacturers of computers and peripheral equipment use two methods to bring equipment up to "Tempest" standards. First, they build machines with special chips, wiring, and other components that do not give off as many emissions as standard components. This is known as suppression. Secondly, they enclose the machine in leakproof cases to trap radio frequencies. This step is referred to as containment. Currently, the Pentagon is spending over $200 million to protect its computer systems with "Tempest" programs.

Similar to "Tempest," but on a corporate level, is data encryption. This program puts an electronic lock on data. Data encryption hardware and software codes both store and transmit information so that it is unreadable. An algorithm muffles data so that only someone who has the decrypting code can decipher it. * Voice identification. The ultimate security program would be one of personal identification, using voice identification and recognition technology. Although it is not yet available, several blue chip corporations are developing such programs. Part of the computer circuitry would identify the individual's voice and unlock information available to him or her. It would be similar to the password program, but much more secure because it could not fall into the wrong hands.

Conclusion

With the increase of computers and data communications, computer crime is expected to rise. However, businesses are responding by tightening their security and investing in more sophisticated computer security.

There are many alternatives available. Most companies today are using access control software programs that respond to password identification. Others have chosen data encryption software by which a decoding key can decipher the data. Also on the rise are closed circuit television, card access control, and physical protection. But, whatever method, the choice of a security system should be based on the assessment of risk and the value of the data.

Jerome Gilbert is president and founder of Cornell Computer Corporation, Plainview, New York. The company has been providing the data processing community with systems and programming services since 1971.

The technical staff at Cornell numbers well over 300 professionals with an average experience exceeding 10 years. Engagements have ranged from EDP audits and feasibility studies to systems documentation and maintenance.
COPYRIGHT 1989 National Association of Realtors
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Gilbert, Jerome
Publication:Journal of Property Management
Date:Mar 1, 1989
Words:1703
Previous Article:The impact of slow growth.
Next Article:Creating spreadsheet graphics.
Topics:

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters