How to tackle cybercrime attacks

CITIBANK, ARSENAL Football Club and the software vendor Symantec share one modern malady - all have suffered the malicious attentions of computer hackers and virus writers. The attacks on these businesses are known, but there is a growing school of thought that such cases represent only the tip of the iceberg. And the survey by accountants Ernst & Young of more than 100 large UK companies, indicates three-fifths of senior management believe they are ripe targets for illicit software, hacking and invasion of privacy.

Fraud: The Unmanaged Problem, which also questioned firms worldwide, revealed only 25 per cent of company boards understood the potential damage hackers and viruses could inflict on their businesses. "It does not keep executives up at night," says Jan Babiak, information systems security managing partner at Ernst & Young. "But it does give them wake- up calls when their IT managers phone them in the middle of the night after a hack attack. Many people end up putting measures in place only after the horse has bolted."

And when the horse does bolt, the results are serious. The London-based security software company mi2g, reckons global losses this year from major virus attacks will exceed $20bn, including the ones named Melissa, Explore.zip, and Chernobyl.

Citibank was the victim of the hacker Vladimir Levin. In the first publicly known case concerning a bank, an American court sentenced the 30- year- old Russian to three years in jail in February last year, after he admitted defrauding the bank of nearly $4m. The case shows successful attacks are a serious threat, causing significant damage, financial losses, or breakdown in the supply chain.

This month, Hiscox Insurance Company launched a product to insure firms against the increasing number of reported attacks. "I am aware of a lot of claims but companies generally discover they areuninsured," says Robert Goldhawk, senior underwriter of the financial services division at Hiscox. The policy, called Cyberliability, contains three elements, covering breach of rights, so-called cybervandalism, and fraud. Claims of up to pounds 10m can be made. "There has been a lively interest already and that is before the marketing campaign has really begun," says Mr Goldhawk. "We believe it is the first complete product in the UK, although there are four similar offerings in the US. It is very much a new risk for us."

Hackers and viruses pose different threats. The activity of hackers is generally targeted, although hacks can also originate from automatic computer programmes that first seek weaknesses in online systems. Perpetrators might have a grudge against society or commerce. Or they may see penetration of a supposedly secure system as a challenge, a chance to impress peers, or gain notoriety or to entertain themselves. Some are simply greedy for criminal profit. Frequently, many hacks originate with disgruntled employees within the organisation.

Viruses are indiscriminate and take many forms. Most are detected quickly and destroyed by good anti-virus software. But this year's viruses have found chinks in corporate armour and spread very quickly. And so-called Trojan viruses, can remain dormant in systems for weeks or months, then strike suddenly.

One of the main problems in tackling hackers and viruses is that attacks are global. But certain companies, such as Citibank, provide more attractive targets. Last month the American website of the anti-virus software vendor Symantec was over-written with a sneering message that threatened to disarm the company by unleashing a worm, a mutating line of destructive code sent via e-mail. "It was online for about 45 minutes, although what it said was rubbish," says Lucy Bunker, the company's public relations manager.

The fact that the majority of cases never become public makes the problem harder to handle. Jan Babiak, at Ernst & Young, says: "One client of ours had an employee who just disappeared with access to all their systems. They were totally panicked. But getting companies to talk is hard." The point is that frankness can jeopardise so much, from customer confidence to share price. The market value of at least one celebrated e-commerce brand has fallen dramatically in recent months after systems failure said to be blamed on hackers.

Andy Kyte, a research director at Gartner Group believes the millennium bug will prove irresistible to virus writers. Here computer crashes caused by the inability of computers to identify the date change because it shows "00" could provide a screen for attack and a wave of cybercrime. Or perpetrators may wish to add their own bit of chaos. "From the Internet chat rooms these people use, as well as our research network, it is clear that in some cases Y2K is being seen as the virus Olympics," says Mr Kyte. Virus writers are imaginative. A client of the law firm Kaltons found a virus from an unknown source that automatically sent copies of e-mail correspondence to an unknown third party. "This had serious implications for the company's reputation, its liability, and protection of data," says Maitland Kalton, senior e-commerce partner of Kaltons. "The virus was spotted, but it demonstrated how quickly damage can be done." One clue was fairly obvious - the rogue e-mails were addressed to one "Billy Bollocks".

From the managerial perspective, keeping control of business continuity in the face of an attack is paramount, although complex. Probably the greatest disruption caused - and greatest financial vulnerability - is in business continuity. "Companies need to ask themselves whether they can carry on after an attack," says D K Matai, managing director and founder of mi2g. "Viruses we have seen this year meant that systems went down for as much as 72 hours. Do companies have recovery programmes in place and how do they repair the damage done to customers?"

Another source of concern is that many organisations outsource online systems to specialists. Outsourcing inevitably puts distance between an organisation and its online systems which is fine during normal operations. But this practice could become a problem after an attack when fast, high- level decisions need to be made.

Arsenal Football Club outsources the running of its web-site to the Web consultancy, Designer City, which uses the Internet service provider UUNet. The site was infiltrated by the self-styled Cumbrian Hackers' Alliance to publicise a bugbear about another club.

"It caused us some embarrassment," a spokesman for Arsenal says. "We have reviewed security with no new hacks since and we have every confidence in Designer City." Apart from the reputation of the service providers, regular liaison meetings are important for maintaining this confidence. Contractual obligations must be clear too.

But experience elsewhere indicates this might not be enough. "If you have someone providing a service you expect them to do a proper job," says David Marchese, partner with law firm Richard Butler. "The trouble is that in the IT world there are hefty exclusion clauses attached to contracts." An example is the landmark case ICL lost to St Alban's City Council.

ICL had inserted a low limited liability clause in its contract with the council, should the tax system it had installed not work properly. The court ruled that, in effect, such clauses wrongly allowed contractors simply to opt out when things went wrong. "But there is a new generation of exclusion clause writers already trying to find ways round this decision," adds Mr Marchese.

Recourse to the law is problematic for other reasons too. The 1990 Computer Misuse Act can impose fines and prison sentences of up to five years for illegally altering IT systems. People can be extradited too. But suing is not an option many companies want to take.

"Big business does not like to own up to being a victim," says Mr Marchese. "There is a culture of shame, so cases are very rare."