VSJ – December 2005 – Work in Progress

Ian JA Walker, FIAP, starts a two-part article picking up on and developing the theme of e-Crime raised by Robin Jones in September’s Sounding Board.

I am no expert in criminality but it seems to me that ‘Johnnie Computer-Criminal’ has but a simple mission statement he shares with all criminals, namely to make as much money as possible with the least amount of work feasible and least risk of detection.

There’s not much in the way of rocket science behind that premise. In part perhaps, in our headlong rush for glory in the Information Age, we have made it far too easy for anyone from the discontented to professional criminals to tap into sensitive information or to commit crimes reaping huge rewards. Why else would they exchange their shotguns and ski masks for computer keyboards and Internet connections?

For an investment of no more than a few hundred pounds ‘Johnnie Criminal’ can reap a rich return on his investment and he need not leave his hovel to do so. Furthermore, he can even hide behind your identity and computer system to commit his actions apparently in your name.

Once equipped and connected, organised criminal gangs can exploit the vulnerabilities to be found in virtually every operating system from Windows to Mac OSX and from Linux to Sun Solaris. That leaves open many thousands of computers that lie, predominantly, in homes and small businesses throughout the UK, to crimes ranging from identity theft to extortion. It’s big business too.

In 1994 UK business losses to e-Crime were in the region of £80m per year. Last year (2004) losses had increased sixty-fold to about £2.4bn. Furthermore, these figures could be under-estimates because it is known that many companies do not report e-Crime incidents, either because they do not understand they’ve been targeted or because they do not have a penchant for admitting they are vulnerable.

Over the twelve months to June 2005, the United Kingdom achieved the doubtful accolade, according to the Symantec Half Yearly Internet Security Report (www.symantec.com) of topping the international league for spybot infections with an estimated 32% of systems infected. This figure is based on threats and events reported to Symantec between July 2004 and June 2005. Symantec’s report also says that in the latter six months of that period, the percentage of infected machines in the UK increased by 7%.

On average, it takes six days to exploit a security vulnerability in an operating system and 54 days to publish a patch to resolve it, leaving systems world-wide vulnerable for around 48 days. Indeed some systems may remain vulnerable for longer because there are significant numbers of people who have yet to install MS Windows XP SP2, let alone any of the smaller vulnerability patches.

In my own view we have driven ourselves into this cul-de-sac where we are stranded for the present, bombarded by all manner of threats whilst we maintain a near-universal focus on the purchase price of computer systems by contrast to the Total Cost of Ownership equations. Whilst no one wants to pay more for computers, we have to come to the realisation that because purchase cost only accounts for 20% of the lifetime cost of ownership, it can be a false economy to reduce costs at that end of the equation. Perhaps the better way forward is to pay a more sustainable price for hardware. That’s a price bringing with it leading edge technologies designed to reduce costs during the lifetime of ownership, far beyond the savings to be made by buying that cheap computer from any cut-price source.

Few would dream of demanding constant reductions in the price of new cars, because they know that the price on the ticket includes those brand new safety features that reduce the risks of injury later on. Yet perhaps we need to drive society as a whole to think in this way about computer acquisition. Firms like IBM and Lenovo, for example, feature embedded client security solutions involving an unhackable chip and biometric security (fingerprints instead of passwords). Yet their products are highly competitive in purchase cost terms with those of others such as Dell. However, these other marques do not have the same levels of protection, without which the increased Total Cost of Ownership could be far higher than the saving made at time of purchase.

It is true that the attitudes and awareness of ‘Joe Public’ need to be improved and broadened. But the vast majority of people I come up against fall into two camps. Those in Camp 1 are aware of the issue but elect to ignore it because they perceive that to do otherwise may be accepting responsibility. Those in Camp 2 choose not to use the Internet for things such as e-commerce and therefore don’t perceive that there is any risk involved. They may say, “we only dial up once a week to collect and send emails, we cannot have been infected as we’re never online for more than half an hour”. The fact is that it takes less – often a lot less – than 20 minutes for the average inadequately protected computer system to be hacked or infected with some form of malware. Quite simply, too few people accept the responsibilities that reside alongside the benefits they gain in the use of a computer.

In far too many homes across the UK, computers are hidden in children’s bedrooms where parents would rather leave the safety and wellbeing of their child up to that “wonderful” £30 piece of software they bought that proclaims to keep children safe. Yet these children are learning very relaxed attitudes to their use, and abuse, of computers that, later on, they will take into the workplace. There, such attitudes can lead to information theft and exposure of business to the effects of e-Crime.

So what can be done? Is this a job entirely for the IT Industry? I don’t believe so. Certainly, the IT Industry has a strong role to play, notably in reducing the time it takes to produce patches for security vulnerabilities. But I believe that everyone in our society has not just an interest, but a shared and individual responsibility to fulfil, if we are to avoid the impending meltdown of our information systems.

UK Government has taken a lead through the Home Office and the E-Crime Strategy, which this Christmas is scheduled to launch a simplified guide for ordinary computer users, explaining the risks and what can be done to reduce them. This is a start and, in the next issue, I’ll look deeper at other things that are being done and at some of the things we perhaps need to consider if we are to see a move towards successfully IT-led business models.

You can contact Ian at iwalker@sdandits.com

[Interesting project or development? Let us know at eo@iap.org.uk!]
