
IT security: the human threat


Story: Mark Abernethy
 
The mention of IT security immediately brings to mind images of hard-core hackers inflicting mayhem on corporate villains. In reality, the biggest threat to an organisation, be it large or small, lies much closer to home.  
 
If information is power, it’s no wonder that global information technology (IT) systems have become targets for every thief, fraudster, saboteur and industrial spy who thinks he’s in with half a chance. From personal laptops to bank mainframes; from small business servers to the ‘intelligent’ computer grids of the Health Insurance Commission; and from PDAs to road warriors’ laptops, the concentrated storage of so much digital information in one place has proved impossible to resist for the hackers, phishers and IT thieves who lurk online.  
 
For example, police in the US recently cracked an organised crime gang that was invading companies’ hard drives, locking the files, and demanding $2000 to unlock them again.  
 
Focus on security 
In 2004, 83% of respondents to Deloitte’s Global Security Survey admitted their systems had been compromised in some way over the preceding year. Now that the developed world’s economies run on IT platforms, and the advances in computing power and transmission speeds have become almost ridiculous, the focus of organisations large and small has turned to securing their files for the sake of their customers’ privacy and the lifeblood of their business.  
 
“You’ve had a period where all the talk is about more power, more speed, more storage, more functionality,” says forensic consultant Brett Warfield of Warfield & Associates. “Now, we’re into a phase of ‘how safe are the files?’, and ‘who can access them?’” He says the two broad areas of information theft are internal and external: from employees who steal customer databases, pricing lists, discount lists, blueprints, strategy documents, designs and money; to external thieves (commonly known as hackers) who have the same targets.
 
Both internal and external thieves can have motives beyond stealing money and information, Warfield says. They can be spying, or they can be intent on sabotage, such as when hackers mount ‘denial of service’ attacks on banks and government departments using botnets: armies of enslaved PCs that can be used to attempt to log on to a bank site or a government site and essentially crash it.
 
The human culprit  
According to Warfield, there are two truths in securing IT systems and the information kept on them: the smaller the organisation, the more vulnerable they are; and humans - not technology - are almost always the culprit.  
 
“Put those two together, and you have a situation where a firm with 30 or 40 employees has a lot of their business on IT platforms but they still have only one IT person who’s an all-rounder. They don’t think they’re big enough to get a specialist security consultancy yet they’ve got employees operating remotely over wireless. These are the vulnerable firms.”  
 
Warfield says there is a technology application for just about every security threat to an IT system, but it is human ignorance or laziness that gets in the way. Sometimes, it is a need to get business done faster that creates a security failure.  
 
“We’re seeing a lot of cases now where firms are using wireless connectivity for their employees - so people are connecting back to the server while they’re in an airport lounge, or they’re emailing a document to a client from a cafe. Most people don’t know how easily the signals can be intercepted.”  
 
Again, big business does better at protecting itself: organisations with corporate telecoms accounts have VPNs, or Virtual Private Networks, as part of their remote computing suites. These encrypt the connection between the remote computer and the corporate network, so the remote user stays within the protected VPN environment, Warfield says, while independents are highly vulnerable to interception.
 
He adds that large services organisations such as investment banks, accounting, consulting and law firms are issuing their talent with BlackBerries, PDAs and other smartphones that are emailers, MS Word writers, organisers and phones. “These devices gained big storage capacity very quickly; bankers and lawyers are using them as remote offices and they keep all these emails and Word documents on them. If you lose your BlackBerry, you don’t know who’s reading that confidential email to a big client.”  
 
Bluetooth is also problematic: unless a device is set up correctly, it will talk to any other Bluetooth device, Warfield says. It is a favourite techie trick to walk around Martin Place with a Bluetooth-enabled device and see what signals can be picked up.
 
The known threat  
Warfield says the big threat to file security is usually closer to home: employees who steal customer databases and either sell them to a competitor or use them to start their own business, and former employees who still have remote access to the server.

“This comes down to having proper security protocols, and following them. If you have different access levels for different staff, enforce them. If someone leaves, delete their access rights, and don’t turn off the audit trail on your server. Too many times we go back to see where the theft has happened, but the owners have turned off the audit trail software because it was using too much memory,” says Warfield.  
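The two checks Warfield describes, enforcing access levels and removing leavers, and keeping the audit trail running, are easy to state and easy to let slip. The following is an added example (not from the article, and not any vendor's tool) of what a monthly review of them looks like in code: it reconciles the server's account list against the HR roster and scans audit-log timestamps for silent stretches. All records are constructed for illustration, and the field names are this example's own assumptions.

```python
"""Added example, not from the article or any vendor: reconcile who still
has server access with who still works here, and look for the silent
stretches that show an audit trail was switched off.

Every record below is constructed for illustration; the field names are
this example's own assumptions, not the format of a real server or HR system.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    role: str            # access level the server grants
    enabled: bool
    remote_access: bool  # may connect from outside the office


@dataclass(frozen=True)
class Employee:
    username: str
    role: str                 # access level HR says this person needs
    end_date: Optional[date]  # None while still employed


TODAY = date(2005, 4, 30)  # constructed review date

# Constructed HR roster: two current staff and one who left last month.
ROSTER = [
    Employee("asmith", "sales", None),
    Employee("bjones", "sales", None),
    Employee("cwong", "sales", date(2005, 3, 31)),
]

# Constructed server accounts: the leaver was never removed, bjones holds
# more access than HR knows about, and temp01 matches nobody at all.
ACCOUNTS = [
    Account("asmith", "sales", True, True),
    Account("bjones", "admin", True, True),
    Account("cwong", "sales", True, True),
    Account("temp01", "admin", True, False),
]


def review_access(accounts, roster, today):
    """Return (username, finding) pairs for every account that needs action."""
    by_user = {e.username: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_user.get(acct.username)
        if emp is None:
            findings.append((acct.username, "no matching employee record"))
            continue
        if emp.end_date is not None and emp.end_date <= today:
            if acct.enabled:
                findings.append((acct.username, "left but account still enabled"))
            if acct.remote_access:
                findings.append((acct.username, "left but remote access still granted"))
            continue
        if acct.role != emp.role:
            findings.append((acct.username,
                             f"server role {acct.role!r} differs from HR role {emp.role!r}"))
    return findings


# Constructed audit-log timestamps: nothing at all between 2 and 6 April,
# which is what a trail "turned off to save memory" looks like afterwards.
AUDIT_LOG = [
    datetime(2005, 4, 1, 9, 0), datetime(2005, 4, 1, 17, 30),
    datetime(2005, 4, 2, 8, 45),
    datetime(2005, 4, 6, 9, 10), datetime(2005, 4, 6, 18, 0),
]


def audit_gaps(timestamps, max_gap=timedelta(hours=24)):
    """Return (last_entry, next_entry) pairs where the trail was silent longer than max_gap."""
    ordered = sorted(timestamps)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > max_gap]


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, ROSTER, TODAY):
        print(f"{user}: {finding}")
    for start, end in audit_gaps(AUDIT_LOG):
        print(f"audit trail silent from {start} to {end}")
```

Run against the constructed data it reports the leaver's live account and remote access, the role that has drifted beyond what HR approved, the orphan account, and one four-day hole in the audit trail. The gap check matters because a trail switched off for "memory" reasons leaves no record of the theft itself; the absence of entries is the only evidence you will get.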
 
The integrity of IT systems is a big enough issue that there is a federal organisation called the Australian High-Tech Crime Centre, run by the Australian Federal Police (AFP) and including secondees from state and territory police forces, Customs and the major banks. Director of the Centre, AFP’s Kevin Zuccato, says the security of computer systems has become a huge issue in the developed world because of the reliance of governments and big business on IT platforms and the telecom networks that connect them.  
 
“We have responsibility for the National Information Infrastructure, which means we’re charged with having readiness plans should financial institutions or government agencies ever be taken offline, and having readiness for incidents on the systems that control infrastructure such as water, power and sewage.”  
 
Zuccato says the security of computer files is almost entirely dependent on “how safe your computer is, and that depends on how safe you make it”. The main way outsiders get at files is through ‘trojans’. Some send your keystrokes to a server the criminal controls, capturing information such as dates of birth, PINs and driver’s licence numbers. Others give the criminal remote access to the hard drive, so any file on it can be read.
 
The victims of these trojans are usually small business people and personal computer users who click on a hyperlink in a spam email, or open a document with malicious code hidden in its macros. Others infect themselves by running infected floppy discs, in effect handing control of the computer to an outsider.
 
Either way, Zuccato says, the error is human. The hygiene aspects of owning a computer system - virus scanners, firewalls, automatic operating system updates, spam filters, automatic patching, internet controls and regular password changes – are the basics for securing a system, but poor education and management can undermine it. “You need what we call ‘defence in depth’ - technology, monitoring and education,” Zuccato says. “It still amazes me how many organisations allow their employees to check their personal email on web-based services like Yahoo! and Hotmail.  
 
It takes away layers of control. There’s also the issue of passwords; most employees use passwords that have some meaning for them, and the criminals know this. You should always use a mix of numbers and letters.”  
 
Password protection  
At the AFP, the computer system makes users update their password every 30 days and won’t let them reuse an old one. Zuccato says these password renewal programs come standard on most small business servers, and owners should use them. He believes there should also be awareness programs to make people keep their passwords secret and not stick them to their PCs on a Post-It note, as happens in so many organisations.
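As an added example (not the AFP's system or any product), here is what the two controls above, 30-day expiry and no reuse, look like when implemented, together with the letters-and-digits rule Zuccato gave earlier. Old passwords are kept only as salted PBKDF2 hashes, so the history used to block reuse is not itself a list of plaintext passwords for a thief to take. The user record, the history depth and the minimum length are constructed assumptions; the function names are this example's own.

```python
"""Added example, not the AFP's system: the password controls described
above (expiry after 30 days, no reuse of an earlier password) together with
the letters-and-digits rule quoted earlier. Old passwords are kept only as
salted PBKDF2 hashes, so the history is not itself a list worth stealing.

The user record and the limits are constructed for illustration; the
function names and parameters are this example's own assumptions.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta

MAX_AGE = timedelta(days=30)   # from the article's description
HISTORY_DEPTH = 12             # assumed: how many old passwords are remembered
MIN_LENGTH = 8                 # assumed: the article gives no minimum length
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison against a stored salted digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_complexity(password):
    """Return a list of rule violations (empty means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    return problems


class UserRecord:
    """One user's current password plus the hashed history used to block reuse."""

    def __init__(self, username, initial_password, set_on):
        self.username = username
        self.history = []          # (salt, digest, date_set) tuples, newest last
        self.history.append(hash_password(initial_password) + (set_on,))

    def password_expired(self, today):
        return today - self.history[-1][2] >= MAX_AGE

    def change_password(self, new_password, today):
        """Apply the new password if it passes every rule; return the problems otherwise."""
        problems = check_complexity(new_password)
        recent = self.history[-HISTORY_DEPTH:]
        if any(matches(new_password, salt, digest) for salt, digest, _ in recent):
            problems.append("password was used before")
        if problems:
            return problems
        self.history.append(hash_password(new_password) + (today,))
        return []


def run_demo():
    """Walk one constructed user through expiry, a reuse attempt, a weak choice and a good change."""
    user = UserRecord("asmith", "Sydney2005", date(2005, 3, 1))
    today = date(2005, 4, 5)
    return {
        "expired_before": user.password_expired(today),
        "reuse": user.change_password("Sydney2005", today),
        "weak": user.change_password("harbour", today),
        "good": user.change_password("Bridge1932x", today),
        "expired_after": user.password_expired(today),
    }


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step}: {result}")
```

One caveat a practitioner should weigh before copying the 30-day rule: later guidance, notably NIST SP 800-63B, advises against forcing periodic changes unless there is evidence of compromise, because it pushes users toward predictable variations of the previous password, and recommends screening new passwords against lists of known-breached ones instead. The reuse check and the hashed history above remain sound either way.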
 
Zuccato says that, sadly, much of the information theft from large and small organisations comes from disgruntled or dishonest employees. To combat files being stolen and handed to third parties, he says, there are ‘tagging’ protocols that let whole families of files be marked so they cannot be downloaded and saved; if such a file is attached to an email, the email will not send. And just to make sure, most of the thousands of computers and laptops in use by the Commonwealth Government don’t even have A: (floppy) drives.
 
Not only does this thwart theft, but also the temptation to send work to a home computer for after-hours catch-up. “What if your home computer has a botnet or a keylogger in it?” he asks. Zuccato recommends that business owners treat their IT system like a car and give it regular check-ups from an expert.
 
Julie Priest, Deloitte partner in the government services group, says governments around the world have become particular targets for hackers, thieves and saboteurs that are attracted to the concentrated repositories of huge amounts of personal information. Agencies like the Health Insurance Commission and the Australian Taxation Office are usually targeted for economic gain, while Defence and Treasury hold information that spies can sell or hand on to other governments.  
 
“Australian governments have some of the best security technologies and protocols in the world,” says Priest. “But it still comes down to people. You have to have a good employee education system.”  
 
She believes the Australian Federal Government sets an example that SMEs could follow. It has strong policies on email use, database security and passwords, and has established the role of chief security officer in each department. And the New South Wales Government’s ‘Premier’s Directive’ implements the ‘7799’ information security management standard. Both federal and state governments collaborate well with the private sector in order to identify vulnerabilities in critical infrastructure, Priest says.
 
In the end, however, she says the most successful hackers and information thieves are the ones who aim for “low-tech human error. Look at these phishers. They send an email pretending to be your bank and ask you to verify a password or PIN. Educating people who use computers is still the best starting point.”  
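The phishing mail Priest describes has two tells that a mail filter, or a reader who knows what to look for, can check mechanically: links whose target is not the bank's real domain (a bare IP address, or visible text that names the bank while the href points elsewhere), and a request to verify or confirm a password or PIN. The following is an added example, not from the article or any product, of those checks; the message, the bank domain and the function names are all constructed for illustration.

```python
"""Added example, not from the article: the checks a mail filter or a
cautious reader can run on the phishing message Priest describes, a mail
that pretends to be your bank and asks you to confirm a password or PIN.

The message and the bank domain are constructed; the function names are
this example's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BANK_DOMAINS = {"examplebank.com.au"}  # assumed: the domains the real bank uses

# Constructed phishing mail: a bare-IP login link, a link whose visible
# text names the bank while the target is a look-alike host, and one
# genuine link to show that legitimate links are left alone.
CONSTRUCTED_EMAIL = """
<p>Dear customer, please <a href="http://203.0.113.9/login">verify your PIN</a>
within 24 hours, or sign in at
<a href="http://examplebank.com.au.secure-check.example/">https://www.examplebank.com.au</a>.</p>
<p>Statements remain at <a href="https://www.examplebank.com.au/statements">our site</a>.</p>
"""

CREDENTIAL_REQUEST = re.compile(
    r"\b(verify|confirm|update)\b.{0,40}\b(password|pin|passcode)\b",
    re.IGNORECASE | re.DOTALL)


class MailParser(HTMLParser):
    """Collect every link as (href, visible text) and the message's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._link_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def host_is_trusted(host, trusted):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def shown_host(text):
    """Hostname a reader would take from visible link text such as 'www.bank.com/x', or '' if none."""
    if not text.lower().startswith(("http://", "https://", "www.")):
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def suspicious_links(html, trusted=BANK_DOMAINS):
    """Return (href, visible text, reason) for every link that does not stay on the bank's domain."""
    parser = MailParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        if host_is_trusted(target, trusted):
            continue
        if re.fullmatch(r"[0-9.]+", target):
            reason = "target is a bare IP address"
        elif shown_host(text) and shown_host(text) != target:
            reason = f"text shows {shown_host(text)} but target is {target}"
        else:
            reason = "link leaves the bank's domain"
        findings.append((href, text, reason))
    return findings


def asks_for_credentials(html):
    """True if the plain text asks the reader to verify or confirm a password or PIN."""
    parser = MailParser()
    parser.feed(html)
    return CREDENTIAL_REQUEST.search(" ".join(parser.text)) is not None


if __name__ == "__main__":
    for href, text, reason in suspicious_links(CONSTRUCTED_EMAIL):
        print(f"{reason}: [{text}] -> {href}")
    print("asks for credentials:", asks_for_credentials(CONSTRUCTED_EMAIL))
```

Note what this does and does not catch: the look-alike host `examplebank.com.au.secure-check.example` is flagged only because the visible text contradicts it; a phisher who registers a plausible domain and uses matching text slips past the link check, and the wording check is defeated by a synonym. That is why Priest's conclusion stands: the filter narrows the problem, and education covers the rest.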
 
Disclaimer: Information on these pages is for guidance only. Obviously in an article of this length, it is not possible to cover all issues that should be considered. The ICAA does not expect or invite any person to act or rely on any statement, view or opinion expressed in this