
Management can help short-circuit computer crime
By Daniel A. Janko, national mgr., Computer Auditing, and Frederick S. Atkari, director of Computer Services Group, Alexander Grant & Co., Chicago, Ill., C.P.A.
Story at a Glance
Computer crime can strike any size business. Responsibility for preventing abuse falls on management. Controls to secure your business against intrusions.

IT'S 7 P.M. An assistant bookkeeper in a small wholesaling company is working late into the evening to help settle numerous outstanding accounts. On the pretext of needing additional invoice data, the bookkeeper enters the office of the company's president, where he finds the firm's master record-keeping system, a $6,000 micro-computer purchased at a local electronics store.
Having bought and studied a copy of the computer's instruction manual, the bookkeeper has little trouble programming a personal entry code into the machine's electronic memory. Three minutes later he's back at his desk, diligently working away.
In the months that follow, the bookkeeper, sitting at home before his own low-cost computer terminal, dials up his company's machine via telephone and enters phony invoices in the name of bogus suppliers. Checks are then automatically generated by the system and mailed to a local post office box.
Although the bills only average between $100 and $200 each, they will cost the wholesaling company many thousands of dollars until the fraud is detected.
If it ever is.
The above scenario demonstrates that computer crime is no longer the sole province of multi-million-dollar corporations. Any business, large or small, that uses a computer to pay bills, issue payroll checks, inventory merchandise or perform any other accounting function is vulnerable to this relatively new and often underestimated avenue for sophisticated theft.
Responsibility for preventing this kind of abuse falls squarely upon the shoulders of management. The four-year-old Foreign Corrupt Practices Act of 1977 affirms the precept that company executives alone must see that controls are imposed to protect the integrity of internal auditing systems. That idea is just as relevant to data processing, even for companies not doing business with foreign nations. It is, after all, a matter of practicality. Any administrator who pleads ignorance and leaves the responsibility for computer operations to a subordinate, no matter how trusted, is a prime target for electronic chicanery.
Although still rare, the incidence of computer crime is growing rapidly. Newspapers have carried numerous stories of enterprising students who have played havoc with academic records in their attempts to master supposedly restricted institutional computer systems. Here the motive is not material gain, but the precious computer time itself, with which these sophisticated youngsters can expedite their other pet projects and investigations.
On the corporate level, the 1973 Equity Funding case is the largest example of computer abuse. In that instance, the New York-based insurance holding company used a computer to generate $27.5 million in phony policies that were subsequently sold to reinsurers. More recently, the Wells Fargo Bank, the nation's 11th largest, was the victim of large-scale computer fraud that cost the company over $21 million. The alleged perpetrator was an internal operations officer.
As easy-to-use, low-cost computers proliferate, the number of related crimes is expected to increase. As reported in the April 20, 1981, issue of Business Week, only 1,500 personal computers were sold in the United States prior to 1975. International Data Corp. now estimates that total to be close to 500,000 and it will probably skyrocket to three million by 1985.
Estimates of losses due to computer crime now range anywhere from $100 million to $3 billion annually. This number is expected to grow substantially, not through major thefts on the Equity Funding or Wells Fargo scale, but by a rapid increase in the incidence of small-time fraud. Still, regular losses of $100 or $1,000 can be just as devastating to a small business as a multi-million-dollar embezzlement is to a major national corporation.
Clearly, the need for firm and effective controls exists wherever a computer is present. The type and level of sophistication of these controls will depend on the size and complexity of the system involved and the functions it has been designed to perform.
Physical security is one of the simplest and most effective deterrents to electronic crime for businesses employing personal-sized micro-computer systems. It is also one of the most overrated and useless barriers to fraud in larger main-frame operations.
If a company utilizes a microsystem, the kind that can be purchased in most any computer shop for under $10,000, then physical access should be restricted to those directly responsible for its operation. When not in use, the computer should be locked away in a secure location.
Some micro-systems have telephone hook-ups so that company personnel can communicate with the computer from terminals in their homes. While this is a desirable convenience, it also leaves the computers vulnerable to anyone who has learned or, as was the case in our fictitious scenario, can manufacture a password. Remote links to microsystems should, therefore, be avoided unless other more sophisticated safeguards have been instituted.
Which brings us to main-frame computers, those cybernetic leviathans that daily exchange countless billions of bits of information via the common telephone line. Although there is a flourishing industry selling ways to protect such computers from intruders, magnetic passes and other high-tech devices are a poor defense against a clever programmer with a telephone and a terminal of his own.
This does not dismiss totally the need to shield computer hardware. Direct physical assaults on company computers are not unheard of, and while a two-inch steel door and electronic deadbolt may do little to prevent subtle tampering with internal programs, they can be quite effective against a disgruntled employee with a tire iron.
Even if the possibility of vandalism is remote, managers should take steps to protect their most valuable commodity, their computer software, from loss or damage, be it accidental or intentional. As a matter of course, all computerized master files should be copied twice, one copy kept on the premises and the other removed to another location. This latter step will ensure company continuity even in the case of destruction of the physical plant by fire, storm, earthquake, or other disaster.
For larger companies with data processing budgets over $10,000 a month, dividing design and operational responsibilities among numerous employees is one of the simplest and surest ways to keep a computer system honest. Systems analysts, programmers, computer operators and data entry personnel should be limited in their knowledge to only that information necessary to their specific areas of activity. No designer should have access to programs or data files. No programmer should be regularly involved in daily computer operations. No computer operator should be entering transactions via terminal; this should be done only by data entry personnel.
When no single employee knows how the entire computer system operates, chances are remote one will be sophisticated enough to abuse it for his or her own ends.
Unfortunately, in small companies, such segregation is not always feasible. In businesses with 10 or fewer employees, the designer, programmer and operator are often one and the same person. Such concentration of responsibility, unless in the hands of the company president, places the business in a very precarious position. While it may limit the number of suspects should fraud occur, it also greatly lessens the chances that such fraud will ever be caught.
The extreme vulnerability of simple micro-systems is the reason physical security, as discussed previously, is so essential in small business.
Beyond physical and organizational procedures, there are (Please turn to page 5,1)

10 Steps to Guard against Computer Crime
(1) Situate computers in a secure location.
(2) Restrict access to only those individuals directly involved with computer operations.
(3) If you use a micro-computer, lock it away securely when not in use.
(4) Avoid telephone links with micro-computers unless other safeguards are in place.
(5) Copy all computerized master files twice. Keep one on the premises and remove the other to another location.
(6) Segregate responsibilities for system design, programming, computer operations and data entry among various individuals.
(7) Use passwords not only for computer access, but assign specific entry codes to individual functions and operations. Likewise, individual terminals can be assigned to specific operations. Void personal passwords immediately should an employee resign or be fired.
(8) Implement programs that will flag accounting operations that do not conform to an established norm.
(9) If using telephone lines for data transmission, install signal scramblers to inhibit wire taps and prevent unauthorized entry. Also, change the access phone number periodically.
(10) Have an experienced auditor examine your computer system and recommend safeguards tailored to your individual needs.
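The following Python script is an added illustration of step (8), a program that flags accounting operations departing from an established norm, with the segregation-of-duties check from step (6) folded in. It is not code from the article or its authors. The vendor master, terminal ids, user ids, thresholds and the batch of invoices are all constructed for the example; the bogus entries mirror the scenario that opens the article: small amounts, a supplier nobody approved, payable to a post office box, keyed after hours over a telephone link.

```python
"""Flag accounting entries that depart from an established norm.

Added example for steps (6) and (8) of the checklist. Every vendor,
terminal id, user id, threshold and invoice below is an assumption made
for the illustration, not data from the original page.
"""
from collections import Counter
from datetime import datetime
import re

# Constructed vendor master: vendors approved by someone other than the
# person who keys invoices (the segregation of duties in step 6).
APPROVED_VENDORS = {"Acme Paper Co.", "Midwest Freight", "Lakeside Office Supply"}

# Constructed "norm": invoices are keyed during business hours from office
# terminals, and one vendor seldom bills more than twice in a month.
BUSINESS_HOURS = (8, 18)                       # 8 AM up to, not including, 6 PM
MAX_INVOICES_PER_VENDOR_PER_MONTH = 2
REMOTE_TERMINALS = {"DIALIN-1", "DIALIN-2"}    # telephone hook-ups (step 4)
PO_BOX = re.compile(r"\bP\.?\s?O\.?\s*BOX\b", re.IGNORECASE)


def flag_invoice(inv, monthly_counts):
    """Return the reasons this invoice departs from the norm ([] if none)."""
    reasons = []
    if inv["vendor"] not in APPROVED_VENDORS:
        reasons.append("vendor not in approved vendor master")
    if PO_BOX.search(inv["remit_to"]):
        reasons.append("remittance address is a post office box")
    hour = datetime.fromisoformat(inv["entered_at"]).hour
    if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        reasons.append(f"entered outside business hours ({hour:02d}:00)")
    if inv["terminal"] in REMOTE_TERMINALS:
        reasons.append("entered from a telephone dial-in terminal")
    if inv["entered_by"] == inv["vendor_created_by"]:
        reasons.append("same user created the vendor record and keyed the invoice")
    month = inv["entered_at"][:7]                  # "YYYY-MM"
    n = monthly_counts[(inv["vendor"], month)]
    if n > MAX_INVOICES_PER_VENDOR_PER_MONTH:
        reasons.append(f"vendor billed {n} times in {month}")
    return reasons


def review_batch(invoices):
    """Map invoice number -> list of reasons; an empty list means it conforms."""
    counts = Counter((i["vendor"], i["entered_at"][:7]) for i in invoices)
    return {i["invoice_no"]: flag_invoice(i, counts) for i in invoices}


def flagged(invoices):
    """Invoice numbers that need a manager's review, in batch order."""
    return [no for no, reasons in review_batch(invoices).items() if reasons]


def _bogus(no, amount, when):
    # Constructed invoices mirroring the article's scenario.
    return {"invoice_no": no, "vendor": "Northside Supply", "amount": amount,
            "remit_to": "P.O. Box 1187, Chicago, IL", "entered_at": when,
            "terminal": "DIALIN-1", "entered_by": "bkeeper2",
            "vendor_created_by": "bkeeper2"}


# Constructed batch: two ordinary invoices and three from the bogus supplier.
SAMPLE_INVOICES = [
    {"invoice_no": "A-1001", "vendor": "Acme Paper Co.", "amount": 842.50,
     "remit_to": "1200 W. Fulton St., Chicago, IL", "entered_at": "1981-11-02T10:15:00",
     "terminal": "TERM-04", "entered_by": "bkeeper2", "vendor_created_by": "controller"},
    {"invoice_no": "A-1002", "vendor": "Midwest Freight", "amount": 1310.00,
     "remit_to": "55 Harbor Rd., Gary, IN", "entered_at": "1981-11-05T14:40:00",
     "terminal": "TERM-02", "entered_by": "bkeeper1", "vendor_created_by": "controller"},
    _bogus("N-0017", 145.00, "1981-11-03T21:30:00"),
    _bogus("N-0018", 188.00, "1981-11-12T22:05:00"),
    _bogus("N-0019", 162.00, "1981-11-24T20:50:00"),
]

if __name__ == "__main__":
    for no, reasons in review_batch(SAMPLE_INVOICES).items():
        print(no, "OK" if not reasons else "; ".join(reasons))
```

Each rule is deliberately weak on its own (a legitimate vendor may use a post office box, and a clerk may sometimes work late); the value comes from reporting every departure together so that the manager, rather than the person keying the entries, decides what is normal. The per-vendor monthly count is what catches the drip of $100 to $200 bills that the article warns will otherwise go undetected.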