The former head of the UK's Computer Crime Unit tells Ron Condon why it's time someone helped smaller companies protect themselves.
Simon Janes used to lead investigations into big IT crimes when he ran the Computer Crime Unit at New Scotland Yard. Now he is on a mission to help hard-pressed smaller firms recover from security breaches.
As recent figures from the DTI show, smaller companies are less well prepared to defend themselves against incidents, and are more likely to be hit hard by a breach. “SMEs are extremely vulnerable to internal and external security threats,” he says. “If a big company loses £10,000, it can afford to shrug its shoulders, but for an SME it is serious.”
Janes, who spent 22 years in the Metropolitan police before moving out into the private sector nine years ago to work at incident response specialist company Ibas, has worked on countless big cases and knows at first hand how damaging a security breach can be. “Big companies can afford to bring in a forensics investigation team to track down fraud, but SMEs don't have that luxury,” he says.
Hence his new venture, the Computer Forensics Alliance (CFA), a membership organisation designed specifically for SMEs – companies with fewer than 250 employees. For an annual fee, members get access to advice and guidance from a team of trained investigators, can access information on the Alliance website (www.computerforensicsalliance.com) and, where necessary, can actually have a full investigation done.
SMEs make up more than 95 per cent of all businesses in the UK, and employ around half the national workforce. By their very nature, they employ fewer IT specialists, and are unlikely to have anyone dedicated to security. “Computer forensics in the private sector is nearly all about people doing things they should not be doing with sensitive or valuable information,” he says. “They are usually in breach of their contract, and they're doing it for monetary gain. It can often involve stealing databases or customers, and giving them to competitors.
For example, he discovered employees running their own business on the side for a couple of years, snaffling customer details and proposals and undercutting their employer. “The company had been wondering why its profits had been going down during the period,” he says.
The cases he deals with rarely see the inside of a criminal court, due to shortcomings in the law, the cost of prosecution and the burden of evidence required.
For a start, in criminal law you can't steal information – yet. The Theft Act applies to property, tangible and measurable, and involves depriving the owner of it. In most cases, criminals merely copy data, so nothing is actually taken away.
The Computer Misuse Act might be applied, he says, “but getting your local police station to take this on as a criminal investigation is going to be pretty hard. So we have to resort to civil law, to try to recover losses from the other party.”
In the civil courts, the burden of proof operates on the balance of probability, rather than beyond reasonable doubt, so there is a greater likelihood of success – if it gets to court at all. “It is very difficult. If you have an incident, use IT forensics and get lawyers to go to a civil court, it's been estimated you need a contingency fund of £40,000. That's a hell of a lot for an SME. I've worked with victims to assess the damage they suffered. You ask them how much business they've lost and they say ‘we don't know'. It is hard to put a value on it. So it's hard for law enforcement to take it on for that reason.”
Nevertheless, the aim of Janes' new service is to help companies identify if anything untoward really is going on, to gather the evidence and stop it. Whether they take it any further is up to them.
Take the case of a small kitchen and bathroom company, which employed six project managers to carry out jobs for clients. Each of them operated by pulling in workmen and subcontractors on a project basis. It was only by accident that the owner discovered he had a problem. “A customer phoned in worried that her kitchen was not going to be finished in time for her daughter's wedding. By chance she got through to the boss, but he couldn't understand why it was taking so long because there were six people on the job. ‘No, there's just two, one called John, and another called Dave,' she said.
“The project leader was inventing subcontractors – on paper, he had six or seven – and was merrily sticking in fake invoices for the fake contractors.”
Janes was called in and covertly imaged the employee's laptop computer. This revealed two sets of books, one for the boss and another showing what was really going on, plus a collection of fake signatures that had been scanned in. He also took images of all the other project managers' systems and discovered two others were involved in similar scams.
Presented with the evidence, the men were given the chance to leave the firm immediately or face prosecution. “I've been surprised at how much crime isn't reported to the police, particularly in business,” says Janes. “The owner's view was that a court case would take up to nine months, with little chance of recovering his money. He said he just wanted to get on with the business.”
And at least he knew the remaining three project managers were honest. “It was as important to him as finding out who was on the fiddle.”
The only problem is that the offenders carry out similar frauds elsewhere. In Janes' experience, fraud is rife in certain areas of small business – such as employment agencies, where CVs can be sold to rivals – and hacking is so easy these days. “In the late 80s and early 90s, if you wanted to be a hacker, you had to be very technically competent, because there was nothing to help you,” he says. “The famous hackers of that era knew their operating systems inside out.”
“Now you just go on to a search engine, type in ‘hacking tools', and download whatever hacking tool suits your purpose. So anyone and everyone can do it.”
USB memory sticks are also a gift for anyone wanting to steal data, as is web mail, which allows people to by-pass the controls on the corporate email system, and send out file attachments.
On the plus side, all of these activities leave an evidence trail somewhere in the bowels of the OS, and the right forensic analysis can discover any abuses of trust.
But technology is not the complete answer. Breaking into users' systems and handing out accusations needs to be done with the greatest of care. “Your terms and conditions of employment should be explicit about the levels of privacy staff can expect,” he says. “The Human Rights Act says you have to be equal and fair. You have to apply the same level of tolerance to everyone, otherwise it is unfair dismissal. So it is absolutely essential to review policies, and see how terms and conditions apply when you want to respond and conduct an investigation.”
A thorough forensic investigation can bring benefits all round, even protecting the innocent employee against false accusation, as Janes once discovered.
“Two people in a company were both in the running for a senior position. One decided to get rid of the other by faking an email, making it look as if it came from his rival, and sending it to a female employee with inappropriate language in it. It was only by a forensic investigation that we uncovered the real culprit.”
Luckily, the owner of the company was aware of computer forensics, and had decided to do the investigation, as much to protect himself against any future claims of unfair dismissal as anything else.
“It's surprising how many cases we see where it is someone inside a company fabricating evidence against someone else. It's an interesting twist,” says Janes. “You have to wonder how many people have been sacked in similar circumstances while screaming their innocence.”
The Computer Forensics Alliance is being staffed with a mix of people, some IT experts and some professional investigators who have worked in law enforcement. As Janes says, it takes a special skillset to understand and present evidence to lawyers and courts, while combining an ability to spot clues and find the “smoking gun”.
“The vast majority are inside jobs, in some shape or form. They are very often discovered when an employee is just about to leave or has just left,” he says.
“The company owner might have a suspicion and want to know if the person is involved or not. We are often asked to get the forensic image covertly, so as not to alert the suspect or anyone else. If you go in and point the finger at someone and seize their computer, then everyone will know an investigation is taking place, and try to dispose of evidence quickly.”
Membership of the CFA looks like a good investment. The police do not have the resources to tackle this kind of investigation, and with the absorption of the NHTCU into the new Serious Organised Crime Agency, the focus is now on the most serious abuses of the internet, such as child pornography, money laundering and large-scale fraud.
SMEs have to protect themselves, and the CFA looks like a way to access valuable skills without breaking the bank.
“We work to the highest evidential standards,” says Janes. “What we produce will stand up in the Old Bailey or in an employment tribunal. Small companies no longer have to stick their head in the sand and hope it's not happening to them. They can face up to the situation and do something about it.”