A twin-pronged approach in the fight against cybercrime

As the internet flourishes, so do issues surrounding its efficiency and security - and with the growing profusion of colourfully named worms and viruses, it is natural that cybercrime is becoming part of popular culture, spawning its own terms and labels.

As "spoofers", who assume another’s identity for malicious purposes, "sniffers", who maliciously intercept emails, and others become accepted in everyday language, there are serious issues to be addressed.

While everyone knows criminals are at large on the information superhighway, who is policing the web?

According to the SANS Information Security Breaches Survey 2001, an average 60 per cent of organisations have suffered a security breach in the last two years.

Meanwhile, it is estimated that unchecked viruses could cost businesses 907 billion worldwide by the end of 2002. Yet major companies and public sector organisations are not the only victims of cybercrime. With 11 per cent of personal computer users in Europe already having been subject to a virus, or other form of infiltration, and reports of hacking attacks constantly gathering pace, cyber policing is now a major global issue.

So, with such statistics appearing to call for action, does the answer lie in additional legislation?

The most recent development in the fight against cybercrime is the European Commission’s adoption of a draft framework on "Attacks against information systems".

This aims to address hacking, viruses and denial of service attacks through EU-wide agreement of criminal law in this area.

By putting in place a uniform line of defence, it is intended that cybercrime will be tackled effectively throughout Europe, so driving forward the fight against terrorism.

The framework underscores the gravity with which the subject is treated internationally. While the feeling of vulnerability to electronic attack may have heightened since September 11, initiatives to create a European electronic citadel considerably pre-date the Twin Tower attacks.

Motivated by the ability of cybercriminals to damage businesses’ profits and reputation, as well as consumer confidence in the European market place, the Commission issued a communication on cybersecurity and cybercrime in January 2001.

In November the same year, the Council of Europe Convention on Cybercrime also opened for signature.

According to one influential think-tank, the European Information Society Group (EURIM), more laws are not the way forward in fighting cybercrime.

Instead, the focus should be on up-dating existing laws. EURIM’s recommendation that the government work in partnership with industry to review existing UK legislation is likely to be welcomed by businesses which, while keen to avoid attack, are equally eager to avoid further red tape and expenditure.

Certainly legislation alone - whether new or up-dated - is not enough. Cybercrime also needs to be addressed on a practical level.

It must be recognised that security breaches are often caused by poorly implemented internal processes, a lack of staff awareness or lax control. Around 70 per cent of computers do not have up-to-date bug patches installed.

Therefore, businesses need to implement their own cybercrime crackdown.

The starting point for any business is to inform, educate and manage the "human" side of their IT systems.

By putting in place a security policy, businesses promote best practice in relation to the use of their systems and access to their information.

The next step is to match "attack" technologies with appropriate "defence" expertise.

Tools are available to prevent unwelcome intrusion, secure e-commerce infrastructure and protect communications between businesses and third parties.

To beat the blight, cybercrime must be tackled at all levels.

Spoofers, sniffers and cyberterrorists may sound exotic but, in reality, they are simply criminal individuals making use of the internet to cause anything from corporate mischief to global harm. While the authorities establish deterrents and penalties to fit the crime, businesses across the board must ensure their IT security is not a spoof to be sniffed at.

Leigh Lawrie is a solicitor specialising in intellectual property and information technology with Shepherd & Wedderburn.
