Greg Clay explains how you can be protected against criminal gangs putting their people in your IT department

The FSA is warning that criminal gangs are seeing opportunities to steal money and information from financial services companies by placing staff in their IT departments .

The regulator says high-tech crime already accounts for £74m of the £195m total for financial crime. This figure could increase as criminals exploit the IT recruitment process.

Regardless of whether a company runs its IT internally or outsources it, brokers and insurers treat IT risk like any other peril.

But it is no longer sufficient for the risk to be treated as safe just because an organisation protects itself behind firewalls and assumes its systems cannot be harmed. A company is exposed to its own staff.

In the UK, up to 70,000 IT jobs are vacant. The result is that more than three-quarters of businesses in the IT and telecoms area have been forced to delay new products because they cannot find qualified staff. And the European Commission, in 2003, estimated that the EU was short of 1.6 million IT and communications operators.

Management accountability
The risk management implications are significant. Anyone with a decent CV and a bit of charisma can walk into an IT position. Criminal gangs can gain access to jobs at all levels, so it would be naïve to assume that the same would not apply to IT fraud and misappropriation of data.

So how should IT risk be managed? First, someone with board responsibility must be accountable for IT. This goes further than mere reporting lines. Someone must take an active role in monitoring all threats, risks and vulnerabilities to the company. If not there is the real danger that risk management considerations are subsumed by other commercial pressures.

Those responsible should ensure that:

  • Information will be protected from unauthorised access
  • Confidentiality will be assured
  • Integrity of information will be maintained
  • Regulatory and legislative requirements are met
  • Business continuity plans are maintained and tested
  • Information security training is provided to all staff.
  • Second, whether it's an internal appointment or an external contractor looking after a network, the risks to a company are the same, and the appointment procedures should be equally stringent.

    If functions are outsourced, then the insurer or broker must be confident that the subcontractor is adequately screening all their employees (who may well be freelance or contractors).

    Screening contractors

    At a minimum, screening should include name, address, qualification and career validation, and criminal record checks. County court judgment referencing and Bank of England terrorist checks should also be taken if the person will be working in an environment where money laundering, fraud or terrorist activity could be possible.

    Third, businesses need to be much more rigorous in their approach to staff accessing systems. There is little point in spending significant sums on firewalls when the prevalence of laptops, personal digital assistants (PDAs), external hard drives, USB drives and even MP3s and ipods means that more staff are accessing work computers for private purposes. Finally, IT departments must audit large downloads of data either on or offsite. With 80GB to 160GB external hard drives, a user can download much of a small business database in just a few hours.

    Remote access must be monitored and any unauthorised remote access must be investigated.

    Given the right knowledge, IT risk management is no more complicated than any physical risk. IT

    'Greg Clay is marketing manager of IT service provider Pandi