Computer fraud and abuse is as likely to be carried out by a company director as an outside hacker, according to a new survey by the Audit Commission.
The survey found that 25 per cent of reported incidents of abuse are now traced back to company managers in the public and private sectors. And even when managers are not acting illegally, they are often unaware of the dangers or slack in enforcing policy.
"There is a lot of talk of hackers as an external threat, which is obviously a valid concern, but as the Audit Commission report shows, the security threat is as likely to come from the MD's desktop as anyone else's," said Nigel Hickson, head of the Department of Trade and Industry's Information Security Policy Group.
But managers may be not just unaware but fraudulent. "One of the difficult issues is that there is a proportion of growth of fraud in middle management. Managers have a wide ranging access to systems so the potential for them to do harm is significant, so the senior managers must take steps," said Paul Vevers, the Audit Commission's director of audit support.
The survey found that 50 per cent of all computer fraud is only found by chance, yet the percentage of organisations reporting incidents of IT fraud and abuse continues to rise. The number affected has already increased from 36 to 45 per cent since 1994.
The average incident costs £7,605, and the types of abuse cited in the survey range from virus infection, theft (of data or software), using illicit copies of software, doing private work with company communication facilities, hacking, damage to processing cycles or equipment and breaching data protection legislation, to downloading pornographic material from the Internet.
Downloading pornographic material accounts for eight per cent of all the incidents, according to Vevers.
This figure is "symptomatic of the level of awareness at top level management. And this is so disappointing because we did this survey three years ago and nothing has been done," according to Vevers.
He blames much of the increase on failure to introduce safeguards and on management unawareness, rather than technical deficiencies. "A lot of the steps that need to be taken to minimise fraud are managerial and not technical," he commented.
He recommends that senior managers assess the levels of risk and pinpoint where those risks are, then test the company's defences against them, and communicate to staff clearly what is permissible.
Willingness to treat infringements seriously is vital, as well as clear communication. Only half of the fraudsters are currently dismissed or prosecuted. The survey claims that "internal controls need to be supported by a robust disciplinary process in which firm action is taken against those who do wrong." It warns that managers regularly fail to act when abuse occurs.
The report surveyed 900 public and private sector organisations.