Tackling white-collar cybercrime
The most common class of perpetrator is the disgruntled employee – and it’s not always for financial gain, say experts
The proliferation of technology means that traditional white-collar fraud is most likely to come in the form of white-collar cybercrime.
“It refers to instances where you have people working within an organisation who are abusing the permissions given to them in relation to the internal system, to defraud the company they work for,” says Brian Honan of BH Consulting, a security consultancy.
Yet it can come in many guises. “It can be about making online payments to fictitious suppliers, or instances where someone in an organisation is motivated by third parties to find out and steal information – industrial espionage on behalf of competitors,” he says.
It could be the online equivalent of taking the Rolodex with you when you go. “You’ll find cases where someone leaves an organisation and takes sensitive information with them, such as customer or client lists, so that they can target them themselves, or it could be someone in IT taking source code or other intellectual property to use in future projects they may be working on.”
Not all white-collar cybercrime is driven by financial gain or greed, he points out. It could be even more banal than that. “In some cases, you’ll have people who do it out of curiosity, who may be prompted by the boredom of a long shift to snoop in the internal systems to find out information about other employees.”
Such activity can have more nefarious purposes. “It could be about securing information for insider trading but it could also be about finding out embarrassing information from someone’s HR file to embarrass or even blackmail workmates with.”
White-collar cybercrime includes checking out another employee’s remuneration package illicitly, so as to gain an advantage when negotiating your own.
Among the most common classes of perpetrator is the disgruntled employee, someone who has “been passed over for promotion, or sees redundancies coming,” he says. “It’s really all the same frauds and scams it has ever been, it’s just that it is now being done on a computer.”
For organisations, the fact that it is being perpetrated digitally should at least make such activity easier to track and trace. “The problem is that too many organisations have what we call M&M systems, that is, systems that are hard on the outside and soft on the inside, where employees get trusted access. Very many are good at securing their perimeter but not so good at managing their internal systems.”
That’s no longer good enough.
Range of offences
The Criminal Justice (Offences Relating to Information Systems) Act 2017 provides for a range of offences in relation to cybercrime. As a result, it is a crime to access an information system without lawful authority, or to interfere with one so as to intentionally hinder or interrupt its functioning. It is an offence to interfere with data without lawful authority, or to intercept the transmission of data. Moreover, the use of a computer, password, code or data for the purpose of the commission of any of these offences is itself an offence.
“Section 9 [of the Act] provides that where a relevant offence is committed for the benefit of a body corporate by a relevant person, the body corporate shall be guilty of an offence,” says Niamh Hodnett, head of regulatory affairs at Three Ireland.
Even without the Act, there were already a number of statutory prohibitions on white-collar cybercrime, points out Honan.
Chief among these are an organisation’s legal responsibilities under General Data Protection Regulations, or GDPR. Good corporate governance generally, of the kind that prevents a business falling foul of the Office of the Director of Corporate Enforcement, obliges businesses to do their utmost to guard against white-collar cybercrime, while certain sectors, such as financial services, have additional regulatory standards to which they must adhere.
The cumulative result of all these measures has been to move management of cyber risk, including white-collar cyber risk, to board level. “Where previously cybercrime was seen as an issue for IT people, it is now being taken much more seriously at director level, helped too by the fact that risk and audit committees are more prevalent,” Honan says.