It's the men in black: DiData's answer to IT security threats

Johannesburg, 08 Aug 2001

The Police Crime Technical Support Unit responsible for computer crime says SA loses hundreds of millions of rand every year through computer crime, in certain years even exceeding the total lost through cash-in-transit heists.

This, according to Gary Middleton, security business development manager of Dimension Data, is not surprising. Many local businesses are still not paying enough attention to computer security: employees - the biggest perpetrators of computer crime - operate within corporate firewalls, and hackers have definite advantages over a company's security professionals.

The annual FBI/CSI 2000 Survey found that 70% of surveyed companies in the US had suffered security breaches, 81% of which were originated by disgruntled employees.

What makes insider fraud relatively easy is that employees sit on the right side of the firewall - and too many companies still believe that a firewall is enough security.

Compounding the problem is the fact that hackers have the upper hand. According to a paper by Brent Stackhouse of the US-based SANS Institute, hackers have a number of advantages, including relative mobility; a high level of knowledge-sharing; intensity; a relative lack of assets; the advantages of attack such as surprise, and the general complacency on the part of ISPs and software vendors.

"Unlike those employed to stop them, hackers do not need large infrastructures, and there are high levels of knowledge-sharing among them," says Middleton. "The Internet is riddled with sites with explicit information on how to hack and there are freely downloadable tools which enable even inexperienced kids to hack.

"Hackers also have a lot of time to spend going after particular targets, and have the advantage of being on the attack," he says. "If you are on the defensive, you are always on the back foot, as you do not know where the next attack is coming from."

To help companies assess their security requirements and protect themselves from computer crime, Dimension Data has recently launched Information Security Consulting Services (INSECS).

"The group offers a number of services," says Middleton. "INSECS can look at a customer's current situation, assess technical and organisational risks, and help the company to produce a corporate IT security policy. They can then set up technologies and procedures designed specifically to meet the requirements of the security policy."

The first service takes the form of a one-day workshop, the deliverable being a report that gives a snapshot of the current security situation. It enables the company to understand strong and weak areas, and where it stands in relation to BS 7799, the British information security standard allied to ISO.

The next stage is to specify risks in terms of technology and the organisation. To perform technological risk assessment, the INSECS team tests the IT environment - using a number of sophisticated scanning tools - for more than 1 800 vulnerabilities. It produces a report detailing the vulnerabilities and recommending how to resolve them.

In the assessment phase, a portfolio of studies and analyses is conducted to comprehend the readiness of the security infrastructure for specific business applications. These assessment services will be delivered and supported over Dimension Data's Global Services Operating Architecture (GSOA).

"It is not enough, however, to look only at technological risk," says Middleton. "Companies must also assess what happens within the organisation. Too many still have no guidelines or strategies on what to do if a security breach takes place. This phase of the service looks at organisational aspects such as processes, policies and backup. The resulting report highlights risk areas where there is a lack of control around information security."

INSECS is then in a position to produce a corporate information technology security policy to address the uncovered risks.

"The security policy is a broad umbrella document that provides guidelines for securing infrastructure," says Middleton. "It should be constantly reviewed as new risks or technologies may mean that new security solutions need to be put in place.

"INSECS then looks at implementing the security policy and here there are 15 sub-policies, such as internet usage, access control and firewall policies, all of which are more specialised and restrictive.

"Lastly, the team puts detailed procedures into place which determine who is allowed to do what and when," he says. "For example, the security policy may state that the company must check the content of all incoming e-mails to ensure that they do not use up too much valuable bandwidth. The content checking procedure may specify that all incoming MP3s and JPEGs be automatically deleted. Thus, a very comprehensive security structure is put in place."

Dimension Data Holdings

 

Dimension Data Holdings plc is a leading global technology company that represents a new category of systems integrator providing network and multi-channel e-business solutions to deliver the complex integration and connectivity requirements of global corporations.

Founded in 1983 as a specialist supplier of technology and services, Dimension Data's strategy has evolved with the emergence of the intelligent network as the most important enabler in business today. Dimension Data's global presence combined with its expertise and extensive skills base in network infrastructure and e-business solutions environments enables its customers to ascend into the global marketplace through 100% connectivity and integration.

Listed on the London Stock Exchange, Dimension Data is a member of the FTSE 250 index, employs over 12 000 people and operates in over 30 countries on six continents. Dimension Data has achieved a three-year compound annual growth rate in US dollars of 73% in revenue and 36% in basic earnings per share. For more information, please go to www.didata.com.

Editorial contacts

Karen Ballard
Citigate Ballard King
(011) 883 5013
Catherine Fiddian-Green
Dimension Data South Africa
(011) 709 1000