- Email: [email protected]
Cybercrime rife in Ireland
NEWS
Editorial office: Elsevier Ltd PO Box 150 Kidlington, Oxford OX5 1AS, United Kingdom Tel:+44 (0)1865 843695 Fax: +44 (0)1865 843971 E-mail: [email protected] Editor: Sarah Hilley Editorial Advisors: Peter Stephenson, US; Silvano Ongetta, Italy; Paul Sanderson, UK; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA Bill J. Caelli, Australia Production/Design Controller: Colin Williams Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, email: permissions@elsevier. com. You may also contact Global Rights directly through Elsevier’s home page (http:// www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (+1) (978) 7508400, fax: (+1) (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) (0) 20 7631 5555; fax: (+44) (0) 20 7631 5500. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and e-mail addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. 02065 Printed by: Mayfield Press (Oxford) Limited
2
Computer Fraud & Security
Cybercrime rife in Ireland
N
early all Irish organizations (98%) have experienced cybercrime with 86% suffering attacks during 2006 according to university research, which is the first extensive survey undertaken in Ireland.
Nearly 70% of companies only accidentally spotted that they had become victims of cybercrime, revealed the ISSA / UCD Irish Cybercrime Survey 2006. Ninety percent of organizations were hit by viruses while 88% experienced misuse of systems. More than half (56%) of companies have been victims of phishing attacks while 63% have had assets stolen. “Loss of productivity was reported as the most common consequence of cybercrime and was experienced by 89% of respondents,” said UCD School of Computer Science and Informatics academic, Dr Pavel Gladyshev. “The next most common result was loss of data, reported by 56%, followed by loss of employees through termination or resignation which occurred at 38% of organizations surveyed,” he said. It was found that 68% of survey respondents discovered the security compromise by accident. Sixty one percent said cybercrime had been detected by technology while 58% revealed that employees who didn’t work in information technology uncovered the breaches. Sixty two percent of companies said suppliers, partners, or unconnected organizations informed them about security breaches. Almost all of the surveyed organizations took internal disciplinary actions to deal with cybercrime. Thirty nine percent of firms have sacked employees or had them resign. Less than one fifth (18%) of organizations have turned to law enforcement to investigate accusations against
an employee – 66% resulted in prosecution. The Information Systems Security Association (ISSA) and the UCD School of Computer Science and Informatics conducted the research. “The ISSA / UCD Irish Cybercrime Survey clearly shows that cybercrime is a significant issue for Irish organizations” said Owen O’Connor, Vice President ISSA Ireland and co-author of the study. “We intend to conduct this survey every year. Over time, it will present a comprehensive body of knowledge and information for Irish organizations in relation to this type of criminal activity and allow them to learn from one another how best to detect and tackle cybercrime,” he said. Welcoming the report the Tánaiste (Deputy Prime Minister) and Minister for Justice Michael McDowell said: “The Government is driving and supporting a wide range of initiatives to tackle cybercrime. This report will assist those initiatives and future developments in combating such crime.”
British building society fined over stolen laptop
A
UK financial regulator has fined the Nationwide Building Society £980,000 for failing to manage IT security risks following the theft of a laptop from an employee last year.
The Financial Services Authority (FSA) discovered Nationwide was not aware that the laptop contained confidential information and did not launch an investigation until three weeks after the comptuer was stolen. Nationwide sent letters to customers notifying them of the theft, but said that it believed no confidential information was at risk. Margaret Cole, the FSA director of enforcement, said: “Nationwide is the UK’s largest building society and holds confidential information for over 11 million customers. Nationwide’s customers were entitled to rely upon it March 2007
Editorial office: Elsevier Ltd PO Box 150 Kidlington, Oxford OX5 1AS, United Kingdom Tel:+44 (0)1865 843695 Fax: +44 (0)1865 843971 E-mail: [email protected] Editor: Sarah Hilley Editorial Advisors: Peter Stephenson, US; Silvano Ongetta, Italy; Paul Sanderson, UK; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA Bill J. Caelli, Australia Production/Design Controller: Colin Williams Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: (+44) 1865 843830, fax: (+44) 1865 853333, email: permissions@elsevier. com. You may also contact Global Rights directly through Elsevier’s home page (http:// www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: (+1) (978) 7508400, fax: (+1) (978) 7504744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: (+44) (0) 20 7631 5555; fax: (+44) (0) 20 7631 5500. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and e-mail addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. 02065 Printed by: Mayfield Press (Oxford) Limited
2
Computer Fraud & Security
Cybercrime rife in Ireland
N
early all Irish organizations (98%) have experienced cybercrime with 86% suffering attacks during 2006 according to university research, which is the first extensive survey undertaken in Ireland.
Nearly 70% of companies only accidentally spotted that they had become victims of cybercrime, revealed the ISSA / UCD Irish Cybercrime Survey 2006. Ninety percent of organizations were hit by viruses while 88% experienced misuse of systems. More than half (56%) of companies have been victims of phishing attacks while 63% have had assets stolen. “Loss of productivity was reported as the most common consequence of cybercrime and was experienced by 89% of respondents,” said UCD School of Computer Science and Informatics academic, Dr Pavel Gladyshev. “The next most common result was loss of data, reported by 56%, followed by loss of employees through termination or resignation which occurred at 38% of organizations surveyed,” he said. It was found that 68% of survey respondents discovered the security compromise by accident. Sixty one percent said cybercrime had been detected by technology while 58% revealed that employees who didn’t work in information technology uncovered the breaches. Sixty two percent of companies said suppliers, partners, or unconnected organizations informed them about security breaches. Almost all of the surveyed organizations took internal disciplinary actions to deal with cybercrime. Thirty nine percent of firms have sacked employees or had them resign. Less than one fifth (18%) of organizations have turned to law enforcement to investigate accusations against
an employee – 66% resulted in prosecution. The Information Systems Security Association (ISSA) and the UCD School of Computer Science and Informatics conducted the research. “The ISSA / UCD Irish Cybercrime Survey clearly shows that cybercrime is a significant issue for Irish organizations” said Owen O’Connor, Vice President ISSA Ireland and co-author of the study. “We intend to conduct this survey every year. Over time, it will present a comprehensive body of knowledge and information for Irish organizations in relation to this type of criminal activity and allow them to learn from one another how best to detect and tackle cybercrime,” he said. Welcoming the report the Tánaiste (Deputy Prime Minister) and Minister for Justice Michael McDowell said: “The Government is driving and supporting a wide range of initiatives to tackle cybercrime. This report will assist those initiatives and future developments in combating such crime.”
British building society fined over stolen laptop
A
UK financial regulator has fined the Nationwide Building Society £980,000 for failing to manage IT security risks following the theft of a laptop from an employee last year.
The Financial Services Authority (FSA) discovered Nationwide was not aware that the laptop contained confidential information and did not launch an investigation until three weeks after the comptuer was stolen. Nationwide sent letters to customers notifying them of the theft, but said that it believed no confidential information was at risk. Margaret Cole, the FSA director of enforcement, said: “Nationwide is the UK’s largest building society and holds confidential information for over 11 million customers. Nationwide’s customers were entitled to rely upon it March 2007