|
Computer
Crime Prevention
Surviving
computer crime
It isn't just computers but the integral components that thieves
will focus upon. Computer crime is on of the UK's fastest growing
crimes, according to the Association of British Insurers; in 1995
a third of all commercial claims were computer crime related. It
isn't just the loss of a computer or related equipment that represents
the biggest loss; it is the costs of business interruption and important
or sensitive data loss.
There is a simple solution; prevent thieves from having access!
When budgeting for IT security we need to ensure the expenditure
is appropriate to the value of the IT assets at risk, not just the
replacement value but also other losses incurred.
A simple risk analysis can be deployed by calculating the harm to
your business as a result of theft or damage to such assets. Create
a 'what if' scenario and ensure you calculate every aspect from
loss of business, interruption to services and compensation to clients
including farming out work or bringing in other contractors for
damage limitation.
Then take this figure and consider the real likelihood of it happening;
taking on board prevailing threats and current climate.
This information shouldn't be taken lightly and should be used to
build an IT Security Policy Document. So in the event of such an
incident, there is a chain of command from top managers down the
ranks, a contact list of 24 hour telephone numbers and individual
responsibilities so that there is no room for 'I thought he was
doing that!' Each individual on the IT Security Policy Team should
have his or her own copy and a signed as read and understood copy
filed.
There should be a list of suppliers and back up systems including
all identification markings and asset control numbers. This can
only be achieved through formal training.
This could be a good time to call in your local CPO (Crime Prevention
Officer).
Commercial
premises that maintain large numbers of computers clearly face a
disproportionate risk from crime. If IT equipment is spread out
or scattered throughout the premises, it is more difficult to establish
a secure perimeter, than if the 'IT' area was concentrated in secure
pockets.
Let's take a look at the physical security of the actual building.
No matter how good the locks are on Entry/Exit Doors, if the door
and frame cannot withstand a violent attack, your premises are vulnerable.
Often Health & Safety and security don't mix, for example; Regulations
state that when the building is occupied, fire exit doors must be
able to be opened quickly in the direction of escape without the
use of keys. A perfect escape rout for thieves too!
·
Fire exit doors must not be overlooked. Regulations state that when
the building is occupied, these doors must be able to be opened
quickly in the direction of escape without the use of keys. Look
at alarming these doors so they comply with regulations but notify
the appropriate individuals that access has been made. Perhaps CCTV
cameras could be fitted too. When the premises are empty, however,
these doors can be secured like any other.
· If you occupy offices of multiple tenancies then the landlord
and appropriate tenants should address the security of communal
doors No one benefits if this area is deemed the responsibility
of the other.
· Look out windows, check either side for potential access
points, and look for flat roofs. Internal grilles should be considered
for all accessible windows, don't overlook skylights.
· If there is no reason for goods lifts to be used after
working hours they should be disabled at the end of the day. Perhaps
taking them to the top and switching them off.
· Talk to your Crime Prevention Officer about installing
an intruder alarm system linked to a central monitoring station.
This should be fitted in accordance with Association of Chief Police
Officers (ACPO) policy and Association of British Insurers (ABI)
guidelines.
· Be mindful that nominated key holders must be able to get
to the building within 20 minutes of being notified of alarm activation.
This allows police to check the premise if a forced entry is not
apparent. Consider using a reputable key-holding company if you
cannot meet this requirement.
· Keep the number of people able to arm and disarm the alarm
system to an absolute minimum and make sure that they are issued
with individual 'pin' numbers that can be monitored and their activity
is logged. This will facilitate better management of the system
and minimise in-house mischief or activity from disgruntled ex-employees.
· If employees work during periods of reduced occupation,
for example, overnight or weekends then personal attack buttons
will need to be incorporated into the alarm system. In these circumstances,
staff should never work alone always insure there is more than one
person on the premises in order that someone can raise an alarm.
· Consider revising name signs that might advertise the presence
of computers and never leave computer related boxes in public view.
Empty or otherwise, these cartons inform all passers-by that you
have new IT equipment on the premises..
Thieves
rarely rely on guesswork when selecting a commercial building to
break into. This isn't about 'walk-in' crime. Companies have had
new computers stolen the very same day as they have been delivered,
it not not pure coincidence or extreme bad luck! It is obvious that
intelligence is gained before the event inside information or poor
security measures. It cannot be over-stressed how important it is
to control access during office hours as well as when closed.
If possible, restrict access to the building to one entrance/exit,
with all other access points being controlled.
Is your front of house staff, whether it be security or receptionist,
fully aware of staff that have left - voluntary or otherwise? All
personnel should be identifiable. This begins at the reception point
where a visitor should be registered and supervised by an authorised
member of staff. It extends to the active vigilance of employees
- fully aware of the defined procedure for challenging strangers.
If visitors sign in or are issued with security tags, does anyone
check to see that they actually leave the premises? Is anyone tasked
with an end of the day procedure for checking the building to ensure
that no one is hiding in it?
We
mentioned at the beginning about creating a perimeter for access
control. If that perimeter is breached, look at the measures below
will help to reduce your losses.
· House your IT equipment carefully, away from the perimeter
and behind obstacles that slow and frustrate the intruder, in locked
rooms for example.
· Mark property with your full postcode in a permanent and
prominent way. Heat branding or chemical etching can do this.
· Anchor equipment to solid furniture and building fixtures
with an enclosure unit designed to resist dismantling. Choose a
product that has been certified to Loss Prevention Standard 1214.
· If an enclosure unit is not in use, special security screws
are available that replace the standard back cover screws and help,
to some extent, to prevent quick entry to the computer's interior.
· Safes and security cabinets can be obtained which allow
the computers to be used during the day and locked away at night.
· Smoke generating devices, activated by the intruder alarm
system, work to create conditions where intruder penetration is
severely hampered.
· Computer alarms that detect tampering can be fitted to
units. These are suitable for buildings either during office hours
or when an on-site response can be generated at night.
· Lap-top computers need to be locked away when they are
not being used. Security instructions should be issued to personnel
for care of equipment when used away from the office.
· Key security - keys to security devices should be kept
in the custody of authorised personnel only and either removed from
the premises when they are left unattended or put in a locked safe.
· Asset control - make sure that an up-to-date inventory
is in existence so that full details of any equipment that is stolen
can be given to the police and insurance companies.
Health
& Safety News UK
|
|
