Cybercrime and Workplace Ethics

Protecting Your Organization Against Cyber attacks

The purpose of this blog is to make people aware of the spreading disease of cybercrime; how to identify the threats; and how to protect yourself and your computer systems from attack. The issue is so important that a new field of ethics has been identified – Cyber ethics. It refers to the philosophic study of ethics pertaining to computer networks, encompassing user behavior and what networked computers are programmed to do, and how this affects individuals and society.

Cybercrime is criminal activity done using computers and the Internet. This includes anything from downloading illegal music files to stealing millions of dollars from online bank accounts. Cybercrime also includes non-monetary offenses, such as creating and distributing viruses on other computers or posting confidential business information on the Internet.

As all too many of us painfully know, the most prominent form of cybercrime is identity theft, in which criminals use the Internet to steal personal information from other users. Two of the most common ways this is done are phishing and pharming. Both of these methods draw users to fake websites (that appear to be legitimate), where they are asked to enter personal information. This includes login information, such as usernames and passwords, phone numbers, addresses, credit card numbers, bank account numbers, and other information criminals can use to "steal" another person's identity. For this reason, I advise you to always check the URL or Web address of a site to make sure it is legitimate before entering your personal information. Moreover, it is smart to protect yourself by using antivirus and spyware blocking software and being careful where you enter your personal information.

KPMG recently conducted research on the web sites of some of the largest companies in the world: the constituents of the Forbes 2000 annual ranking. It found that 78% of the sites leak some form of potentially useful information through document “meta-data”: information about a document or about its properties.

Using nothing but perfectly legal techniques, the audit firm downloaded almost 10 million publicly-available documents by carrying out the same preliminary steps that cyber criminals would, known as advanced persistent threats. It then used automated data tools on those documents to dig out such information as the user name of the creator, the network location where the document was filed, and the version of the software used to create the document. The information garnered included:

  • 419,430 potential user names;
  • 104,370 network folders and locations;
  • 33,250 printer host names;
  • 70,910 software applications and versions; and
  • 342,040 e-mail addresses.

Those figures, the report says, show “the ease with which cyber attackers can target specific individuals and the vulnerable software versions that they may be using on their computers.”
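The kinds of fields the report counts (creator user names, software versions, network locations) can be checked in an organization's own Office files before they are posted. The following is an added example, not KPMG's tooling or part of the original post: `audit_ooxml` and `build_sample` are hypothetical names, the sample values are constructed, and the standard-library XML parser used here is intended for your own files rather than untrusted input.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# OOXML parts (.docx/.xlsx/.pptx) that hold authoring metadata.
PARTS = ("docProps/core.xml", "docProps/app.xml")
# Property names to review before a document is published.
SENSITIVE = {"creator", "lastModifiedBy", "Application", "AppVersion",
             "Company", "Manager", "Template"}
# UNC paths (\\server\share\...) and drive-letter paths expose internal locations.
PATH_RE = re.compile(r'(\\\\[\w.$-]+\\[^\s<>"]+|\b[A-Za-z]:\\[^\s<>"]+)')


def audit_ooxml(data: bytes) -> dict:
    """Return the metadata fields and internal paths found in one document."""
    fields, paths = {}, set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in (p for p in PARTS if p in zf.namelist()):
            for elem in ET.fromstring(zf.read(part)).iter():
                tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                text = (elem.text or "").strip()
                if tag in SENSITIVE and text:
                    fields[tag] = text
                paths.update(PATH_RE.findall(text))
    return {"fields": fields, "paths": sorted(paths)}


def build_sample() -> bytes:
    """Constructed sample: a minimal archive with invented property values."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>jdoe'
            '</dc:creator><cp:lastModifiedBy>asmith</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/'
           'officeDocument/2006/extended-properties"><Application>Microsoft '
           'Office Word</Application><AppVersion>14.0000</AppVersion><Template>'
           '\\\\fileserver01\\templates\\report.dotx</Template></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PARTS[0], core)
        zf.writestr(PARTS[1], app)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_ooxml(build_sample()))
```

A non-empty result for a file headed to the public website is the cue to strip its properties before release.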

KPMG’s exercise also looked at postings on online forums and newsgroups, and found that information was being revealed in the postings themselves — put up by people with e-mail addresses from Forbes 2000 companies — that could be regarded as commercially sensitive.

The firm was also able to identify the specific web-server technologies and then cross-check that data against known security flaws: 8% of Apache web servers (the most commonly used technology) were found to be potentially vulnerable, as were 6% of Microsoft web servers. Switzerland, Liechtenstein, and Germany were among the top 10 countries having the most vulnerable web-server software.

Taking all these risks together, the banking and other financial institutions and the technology sectors were the biggest information leakers. That surprises me because these are the two sectors that would have been thought to be most aware of cyber threats and most familiar with the steps necessary to counter them.

Cybercrime affects small businesses and may be a more significant problem than attacks on large corporations because of the latter’s more sophisticated security systems. According to the 2011 Global Economic Crime Survey released by PricewaterhouseCoopers, nearly half of all surveyed businesses reported suffering some form of fraud in 2010, up 10 percentage points since 2009.

Likewise, the incidence of fraud costing the business in excess of $100,000 has also increased considerably, from 44% in 2009 to 54% in 2011. Approximately 10% of businesses report that fraud has cost their company more than $5 million in the past year.

The survey results also show that after asset misappropriation, cybercrime is the most common form of fraud affecting the business community, with almost one in two (40%) respondents indicating that they believe their companies have been victimized by cybercriminal activity in the past year.

Although 61% of survey respondents indicated heightened awareness about the perceived risk of cyber-attacks in 2011, approximately half indicated that C-suite leadership either never or infrequently (once a year) reviews the organization's cyber fraud prevention strategy. Instead, cyber fraud prevention is conducted on an ad hoc basis, typically in response to an actual attack.

As we can see, cyber-attacks come in different forms and affect different systems in business. As in most situations today, the technology to prevent and detect the crimes lags the myriad of methods used to steal, alter, block, or otherwise infect computer systems. My concern is that we must start to educate young people about cyber ethics before it is too late. Cyber ethics should be part of a healthy ethics education in our schools. I will address this issue in my next Ethics Sage blog.

Blog posted by Steven Mintz, aka Ethics Sage, on August 31, 2012