
Computer Security [Hardfacts]

Introduction

These days there are few commercial premises that do not have at least one computer present, and in most large organisations computers, and their related communications networks, are now commonplace.

In the early days of widespread computer ownership/use, theft of computers and their memory chips was a major problem. Nowadays this seems to have died down, but other malicious/criminal activity relating to computers has seemingly increased over time, e.g. hacking and data theft, etc.

When it comes to hardware, thieves can be attracted by the portability, value and general anonymity of many items of equipment, e.g. laptops and tablets are still ‘popular' items; and high specification network/web servers also remain attractive to professional gangs of thieves, who on occasion seem prepared to use extreme force to obtain them.

On the software front hackers or disgruntled staff may see malicious interference with systems as a challenge or be attracted to the (criminal resale) value of personal information contained within them.

Note. Whilst this "hardfacts" outlines some basic computer security measures, protection against data theft/interference is a complex topic beyond its scope. Readers should therefore take specialist advice on this matter, but those wishing to obtain a greater insight/overview of the topic are recommended to download an insurance industry (RISCAuthority) publication on "Cyber Crime" - see Sources of Further Information for details.

Risk Assessment

The necessity for computer security measures should always be determined after considering the impact on your organisation of possible computer crime, for example:

  • Cost of replacing computer equipment, systems or data
  • Expected equipment/software replacement times
  • Vulnerability of premises, systems or data to unauthorised physical or electronic access
  • The effect on your operations, including customer confidence, of loss of/malicious interference with computer equipment, systems or data

Computer security measures can be considered under several broad headings, e.g. procedural, physical, electronic or item specific, all possibly supplemented by manned guarding; but when doing so bear in mind that the best security is usually achieved by adopting a range of complementary measures.

When reviewing your computer related security measures, don't forget to check whether any interested party, e.g. your insurer or a leasing company, has any specific requirements.

Procedural Security Measures

Options to consider include:

  • Ensuring that passwords and other procedures suitably limit staff/customer access to systems and equipment
  • Installing, and maintaining, up to date anti-virus software and internet firewalls
  • Implementing strict and clear staff controls on use of the internet, downloading software, use of data encryption and memory sticks, etc
  • Ensuring users are aware of the theft risks of leaving equipment unattended in public, or semi public, areas of the workplace or when working away from the premises
  • Ensuring users don't leave equipment in unattended vehicles, or walk through streets with items such as laptops in recognisable laptop carrying cases
  • Avoiding the positioning of theft attractive equipment next to externally accessible glazing
  • Maintaining an ‘asset register', i.e. a list of all serial numbers and installed locations of computer equipment
  • Avoid advertising the arrival of new equipment by not leaving packaging in yards, etc
  • By way of deterrent, advertise any security measures that may not otherwise be readily apparent to potential intruders; e.g. posting notices to the effect that the premises have a remote signalling alarm, or that equipment marking systems are in use, etc.
  • Ensuring key computer data is regularly backed up and copies maintained off site
  • Producing a ‘Business Continuity Plan' (BCP) to assist in getting computer systems quickly back to normal after any security breach or loss

Physical Security Measures - Premises

A well secured perimeter, either to the building or an area within, but ideally both, will provide major benefits. The perimeter protection should take account of the nature of the buildings and their location, ease of access, hours of occupancy and the type (theft attraction) of the computer equipment present within.

IT/Server rooms in particular often contain concentrations of expensive or critical equipment. Ensure these are robustly built, sited away from outside walls (ideally on upper floors) and good quality doors and locks are fitted.

Space precludes the provision of information here; but ‘Hardfacts' information sheets on Perimeter Security, Door and Window Security and Locks & Lock Standards are available in the ‘Knowledge Store'.

Electronic Security Measures - Premises

Given sufficient attraction, thieves will often go to the trouble of overcoming physical security measures. In such circumstances electronic security devices can usefully supplement physical and procedural measures, with options including the installation of:

  • An access control system to assist in vetting/controlling persons seeking access to, or within key parts of, the premises
  • A locally or remotely monitored intruder and hold up alarm system. Intruder Alarms - Guidelines for Purchasers, and other intruder alarm ‘Hardfacts' information sheets, are available in the ‘Knowledge Store'.
  • A locally monitored CCTV system to allow staff to manage, monitor and/or record visitors during working hours
  • An external remotely monitored detector activated CCTV system. These can be particularly effective outside business hours in detecting potential intruders whilst they are still outside, i.e. before a break in occurs. The nature of such systems requires very careful attention to system design and operating procedures if they are to be effective. CCTV - Guidelines for Purchasers, and other CCTV ‘Hardfacts' information sheets, are available in the ‘Knowledge Store'.
  • A ‘smoke' generating system operated by alarm sensors. When activated these rapidly fill an area with a dense non-harmful chemical fog which obscures vision, and thus prevents intruders from seeing what they have come to steal.
  • A forensic intruder marking system. When activated these fill an area with a near invisible non-harmful uniquely formulated chemical mist, which adheres to the clothes and body of intruders. The police can detect this marking on suspects and trace it back to the registered premises.

Security Measures - Equipment

Good procedural, physical and electronic security measures at premises can provide a robust line of defence, but security measures applied to particular pieces of equipment can provide very effective additional security.

Options include:

  • Permanent visible marking (etching) of equipment with details of your name and postcode, or covert forensic marking. By removing anonymity in this way, attraction to thieves is reduced
  • Securing equipment to walls or furniture with steel cable ties to hinder removal
  • Securing equipment in an ‘entrapment' device bolted to a floor, wall or desk to prevent removal of equipment or internal components. In conjunction with the insurance industry, the Loss Prevention Certification Board (LPCB) has a certification scheme available against which manufacturers can have equipment tested. Test ‘Category 1' relates to removal of equipment, test ‘Category 2' relates to removal of equipment and any internal components.
  • Securing plug in ‘dongles' (devices that enable/encrypt software to specific users or computers) within a steel enclosure separate from the computer equipment e.g. under the desk. If the computer is then stolen the dongle should be left behind, avoiding the need to buy new software and the inconvenience of not being able to run any backup copies on replacement equipment.
  • Using equipment alarms which emit an audible signal if equipment is moved or interfered with. These are ideal for alerting nearby staff to ‘walk in' theft or unauthorised use.
  • Using internet tracing devices, which can send you a message if a computer is used from an unauthorised location, e.g. after being stolen, which in turn can help establish its new location.

Security Measures - Manned Guarding

At some premises the values at risk, or the effect of a loss, may suggest that in addition to some or all of the foregoing, a manned guarding presence is appropriate, either during or outside business hours, or both.

When choosing a guarding company, National Security Inspectorate (NSI) listing is one of the best indicators of full compliance (supported by external auditing) with UK manned guard licensing rules and good security practice, e.g. adherence to recognised British Standards; but membership of the Security Industry Authority (SIA) Approved Contractor Scheme (ACS) is also indicative of good standards.

Although it may conflict with operational convenience, at high risk sites care should be taken to ensure that guards are suitably protected against duress, i.e. they cannot be forced to unset alarms/unlock doors, etc. This is best done by stationing guards outside of any building they are guarding, and not permitting them to hold keys &/or codes/unsetting devices for electronic security systems, etc.

Key Action Steps

Effective security is usually achieved only after considering the various risks faced and then implementing an appropriate set of complementary security measures, so:

  • Undertake a security risk assessment
  • Aim for a complementary set of security measures rather than relying on just one or two.
  • Review security as circumstances change, e.g. as new equipment is installed or existing equipment is relocated
  • Ensure staff are aware of, and understand the reasons for, your security measures
  • Review security after any loss. If you do not do so, you are at high risk of a repeat incident
  • If unsure how to proceed, don't rely solely upon ‘trade' based advice. In many cases it may be preferable to seek impartial advice from others, e.g. police crime prevention teams or your insurers.

Sources of further information

For computer entrapment manufacturers/suppliers:

For access control, CCTV, intruder alarms and manned guarding:

  • National Security Inspectorate (NSI). Tel 0845 006 3003 or see www.nsi.org.uk
  • The Security Systems & Alarm Inspection Board (SSAIB). Tel 0191 296 3242 or see www.ssaib.org
  • The Security Industry Authority - www.the-sia.org.uk

For forensic and other marking systems:

British Security Industry Association (BSIA). Tel 0845 389 3889 or see www.bsia.co.uk

MLA (Master Locksmiths Association). Tel 01327 262255 or see www.locksmiths.co.uk

Next Steps:

  • Source discounted products, available to Aviva insured customers and brokers only, via our Specialist Partners - click here to find out more about the savings you could make
  • View our Tools and Templates
  • Call our Risk Helpline on 0345 366 66 66
  • Email us at riskadvice@aviva.com

Please Note
This document contains general information and guidance and is not and should not be relied on as specific advice. The document may not cover every risk, exposure or hazard that may arise and Aviva recommend that you obtain specific advice relevant to the circumstances. AVIVA accepts no responsibility or liability towards any person who may rely upon this document.
