A teenager was this month acquitted of causing a denial-of-service attack, after he argued that his computer was hijacked. The verdict has raised concerns that firms could find their own computers are vulnerable to such interference.

Aaron Caffrey appeared at Southwark Crown Court charged with launching a denial-of-service attack that crippled a US port's IT systems. Caffrey argued that a Trojan program was planted on his computer by a third party and was used to launch the attack without his knowledge.

Although forensic experts said they found no evidence of a Trojan infection, Caffrey argued that he had been the victim of a self-wiping backdoor program.

The defence argument should serve as a warning to firms of the very real risk that their systems could be hijacked by malicious users, according to David Williamson, UK sales director for managed security services provider Ubizen. "A significant number of machines have been compromised, research has shown," he said. "But it can be difficult to locate someone who is using your machine without your knowledge."

Earlier this year a man was acquitted of child pornography charges after experts for the defence proved that a Trojan program had downloaded illegal images without his knowledge.

Williamson advised companies to use tools to carry out thorough scans of systems, specifically looking for hidden software installations. "They won't be discovered by ordinary antivirus or network scanning tools," he added.

The Caffrey case has also refreshed concerns about whether UK law is equipped to deal with denial-of-service attacks. Caffrey was tried under the Computer Misuse Act (CMA) 1990, which security and legal experts have often said should be updated.

Rupert Battcock, an IT lawyer at law firm Nabarro Nathanson, said while there could be an argument for looking at the status of some types of attack - particularly distributed denial-of-service attacks - the outcome of this case was unlikely to prompt a review of the CMA. This was because Caffrey's acquittal was based on the argument that the defendant's computer had been hijacked, rather than because denial-of-service attacks were beyond the scope of this particular law, Battcock added.