It isn't just computers but the integral components that thieves will focus upon. Computer crime is on of the UK's fastest growing crimes, according to the Association of British Insurers; in 1995 a third of all commercial claims were computer crime related. It isn't just the loss of a computer or related equipment that represents the biggest loss; it is the costs of business interruption and important or sensitive data loss.
There is a simple solution; prevent thieves from having access!
When budgeting for IT security we need to ensure the expenditure is appropriate to the value of the IT assets at risk, not just the replacement value but also other losses incurred.
A simple risk analysis can be deployed by calculating the harm to your business as a result of theft or damage to such assets. Create a 'what if' scenario and ensure you calculate every aspect from loss of business, interruption to services and compensation to clients including farming out work or bringing in other contractors for damage limitation.
Then take this figure and consider the real likelihood of it happening; taking on board prevailing threats and current climate.
This information shouldn't be taken lightly and should be used to build an IT Security Policy Document. So in the event of such an incident, there is a chain of command from top managers down the ranks, a contact list of 24 hour telephone numbers and individual responsibilities so that there is no room for 'I thought he was doing that!' Each individual on the IT Security Policy Team should have his or her own copy and a signed as read and understood copy filed.
There should be a list of suppliers and back up systems including all identification markings and asset control numbers. This can only be achieved through formal training.
This could be a good time to call in your local CPO (Crime Prevention Officer).
Commercial premises that maintain large numbers of computers clearly face a disproportionate risk from crime. If IT equipment is spread out or scattered throughout the premises, it is more difficult to establish a secure perimeter, than if the 'IT' area was concentrated in secure pockets.
Let's take a look at the physical security of the actual building.
No matter how good the locks are on Entry/Exit Doors, if the door and frame cannot withstand a violent attack, your premises are vulnerable.
Often Health & Safety and security don't mix, for example; Regulations state that when the building is occupied, fire exit doors must be able to be opened quickly in the direction of escape without the use of keys. A perfect escape rout for thieves too!
· Fire exit doors must not be overlooked. Regulations state that when the building is occupied, these doors must be able to be opened quickly in the direction of escape without the use of keys. Look at alarming these doors so they comply with regulations but notify the appropriate individuals that access has been made. Perhaps CCTV cameras could be fitted too. When the premises are empty, however, these doors can be secured like any other.
· If you occupy offices of multiple tenancies then the landlord and appropriate tenants should address the security of communal doors No one benefits if this area is deemed the responsibility of the other. · Look out windows, check either side for potential access points, and look for flat roofs. Internal grilles should be considered for all accessible windows, don't overlook skylights.
· If there is no reason for goods lifts to be used after working hours they should be disabled at the end of the day. Perhaps taking them to the top and switching them off.
· Talk to your Crime Prevention Officer about installing an intruder alarm system linked to a central monitoring station. This should be fitted in accordance with Association of Chief Police Officers (ACPO) policy and Association of British Insurers (ABI) guidelines.
· Be mindful that nominated key holders must be able to get to the building within 20 minutes of being notified of alarm activation. This allows police to check the premise if a forced entry is not apparent. Consider using a reputable key-holding company if you cannot meet this requirement.
· Keep the number of people able to arm and disarm the alarm system to an absolute minimum and make sure that they are issued with individual 'pin' numbers that can be monitored and their activity is logged. This will facilitate better management of the system and minimise in-house mischief or activity from disgruntled ex-employees.
· If employees work during periods of reduced occupation, for example, overnight or weekends then personal attack buttons will need to be incorporated into the alarm system. In these circumstances, staff should never work alone always insure there is more than one person on the premises in order that someone can raise an alarm.
· Consider revising name signs that might advertise the presence of computers and never leave computer related boxes in public view. Empty or otherwise, these cartons inform all passers-by that you have new IT equipment on the premises..
Thieves rarely rely on guesswork when selecting a commercial building to break into. This isn't about 'walk-in' crime. Companies have had new computers stolen the very same day as they have been delivered, it not not pure coincidence or extreme bad luck! It is obvious that intelligence is gained before the event inside information or poor security measures. It cannot be over-stressed how important it is to control access during office hours as well as when closed.
If possible, restrict access to the building to one entrance/exit, with all other access points being controlled.
Is your front of house staff, whether it be security or receptionist, fully aware of staff that have left - voluntary or otherwise? All personnel should be identifiable. This begins at the reception point where a visitor should be registered and supervised by an authorised member of staff. It extends to the active vigilance of employees - fully aware of the defined procedure for challenging strangers.
If visitors sign in or are issued with security tags, does anyone check to see that they actually leave the premises? Is anyone tasked with an end of the day procedure for checking the building to ensure that no one is hiding in it?
We mentioned at the beginning about creating a perimeter for access control. If that perimeter is breached, look at the measures below will help to reduce your losses.
· House your IT equipment carefully, away from the perimeter and behind obstacles that slow and frustrate the intruder, in locked rooms for example.
· Mark property with your full postcode in a permanent and prominent way. Heat branding or chemical etching can do this.
· Anchor equipment to solid furniture and building fixtures with an enclosure unit designed to resist dismantling. Choose a product that has been certified to Loss Prevention Standard 1214.
· If an enclosure unit is not in use, special security screws are available that replace the standard back cover screws and help, to some extent, to prevent quick entry to the computer's interior.
· Safes and security cabinets can be obtained which allow the computers to be used during the day and locked away at night.
· Smoke generating devices, activated by the intruder alarm system, work to create conditions where intruder penetration is severely hampered.
· Computer alarms that detect tampering can be fitted to units. These are suitable for buildings either during office hours or when an on-site response can be generated at night.
· Lap-top computers need to be locked away when they are not being used. Security instructions should be issued to personnel for care of equipment when used away from the office.
· Key security - keys to security devices should be kept in the custody of authorised personnel only and either removed from the premises when they are left unattended or put in a locked safe.
· Asset control - make sure that an up-to-date inventory is in existence so that full details of any equipment that is stolen can be given to the police and insurance companies.
Digby Farquart is a leading UK security consultant and crime prevention advisor. He writes articles for top sites such as Computer Crime Prevention and UK Crime Prevention.