It is imperative to recognise that automated systems, which provide essential services, are vulnerable to natural disasters or to someone who has the resources to compromise a computer system. Appropriate security measures should be taken to ensure protection from accidental and deliberate threats to the confidentiality and integrity of data. Whilst it is accepted that absolute security is unrealistic, steps should be taken to optimise the security of your computer system at a cost that is proportionate to the reduction in risk.

The security of files on computers is paramount and the use of password access is strongly recommended for users.

For employees who vacate their position, either on transfer to another area or to another employer, risk management procedures should be implemented to ensure their access to the nominated computer system is revoked. Too often, users retain access to computer systems and files for lengthy periods of time after they have left their previous position. This creates an opportunity for criminal offences to be committed and for possible corruption and loss of data.

Whilst there are avenues available to retrieve data that is lost, doing so can be expensive, and the loss is easily preventable.

The deleting of files from computer systems may constitute the criminal offence of fraud in Queensland, if it is shown that there has been a dishonest action to cause some detriment to the complainant in question.

Likewise, the theft of files may also constitute the criminal offence of stealing in Queensland, if it is shown that there is some intent on behalf of the offender to use the files for some purpose.

Matters such as disputes over the ownership of files may give rise to copyright breaches, and remedies in these matters should be sought via civil action if deemed necessary, rather than through criminal complaints to police.

Steps to establish and maintain an adequate computer security program:

  • Identify the computer system assets that require protection (i.e. data, software, hardware, media, services and supplies)
  • Determine the value of each asset
  • Identify potential threats associated with each asset
  • Identify the vulnerability of the computer/EDP system to each of these threats
  • Assess the risk exposure for each asset
  • Select and implement security measures
  • Audit and refine the security program on a regular basis, especially when employees depart on a permanent basis
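
One way to carry out the departure audit in the last step, and the access revocation check described earlier, is to compare an export of system accounts against a list of staff who have transferred or left. This is an added example, not part of the original page; the CSV columns, user names and dates are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an export of system accounts and an HR list of
# staff who have transferred or left. Names, columns and dates are invented.
ACCOUNTS_CSV = """user,enabled,last_login
asmith,yes,2024-03-02
bjones,yes,2024-05-20
cnguyen,no,2024-01-15
dlee,yes,2024-06-01
"""
DEPARTURES_CSV = """user,departed
asmith,2024-02-28
bjones,2024-05-31
cnguyen,2024-01-31
"""

def find_retained_access(accounts_csv, departures_csv, today):
    """Return findings for departed staff whose accounts are still enabled."""
    departed = {row["user"]: date.fromisoformat(row["departed"])
                for row in csv.DictReader(io.StringIO(departures_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        left_on = departed.get(row["user"])
        if left_on is None or left_on > today:
            continue  # current staff, or departure not yet effective
        if row["enabled"].strip().lower() != "yes":
            continue  # access already revoked
        last_login = date.fromisoformat(row["last_login"])
        findings.append({
            "user": row["user"],
            "days_since_departure": (today - left_on).days,
            # A login after the departure date means the access was used,
            # not merely left open, and warrants review of what was touched.
            "used_after_departure": last_login > left_on,
        })
    # Longest-standing exposure first
    return sorted(findings, key=lambda f: -f["days_since_departure"])

if __name__ == "__main__":
    for finding in find_retained_access(ACCOUNTS_CSV, DEPARTURES_CSV,
                                        date(2024, 6, 10)):
        print(finding)
```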


Common methods of committing computer-related crime

Data Diddling
A simple and common computer-related crime that involves changing data prior to or during input to a computer. Data can be changed by anyone involved in the process of creating, recording, encoding, examining, checking, converting, or transporting computer data.

  • Minimize the risk of diddling by applying internal security controls


Trojan Horse

A Trojan Horse involves the placement of unwanted computer instructions in a program so that the host computer will perform some undesired/unauthorized function. The instructions enter the target system hidden in some other message or program, thus the name Trojan Horse.

  • Minimize the risk of attack by a Trojan Horse by implementing security control measures for all incoming data containing hidden content.


Logic Bomb

A Logic Bomb is a computer program executed at a specific time to cause damage to computer programs or data. Logic Bombs often enter a computer system using the Trojan Horse method, but differ because their presence is detected only after the bomb "blows up."
For example, a disgruntled employee may write a computer program to cause the company's computer system to crash on a particular date. At the specified date and time, the system crashes, costing hundreds of hours and thousands of dollars to restore.

  • Minimize the risk by using security methods that verify the system for inappropriate content.


Impersonation

When a password and user identifier controls access to a computer system, the most common method to gain access to the system is to impersonate an authorised user.
Impersonation in the workplace may be accomplished as easily as taking an authorised user's place at an unattended terminal that has not been logged off. However, impersonation usually requires that the intruder have access to two or three pieces of information:

  • User I.D. or account number;
  • Password of the authorised user;
  • A dial port number (computer's telephone number), if access is attempted from a remote location.

  • Minimize the risk of unauthorised access by implementing security measures and password maintenance. Passwords should be of adequate length to maximize security, and maintenance systems should force a change of passwords at regular intervals. In addition, the system should be programmed to generate a minor alarm after an unusual number of invalid sign-on attempts.
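
The alarm on invalid sign-on attempts can be implemented as a sliding-window count over the sign-on log. This is an added example, not part of the original page; the log format, the threshold of three failures and the five-minute window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-on log; the line format, field names and values are
# invented for this example.
SAMPLE_LOG = """\
2024-06-10T08:59:40 FAIL user=bjones src=term07
2024-06-10T09:00:05 OK   user=bjones src=term07
2024-06-10T09:01:10 FAIL user=bjones src=term07
2024-06-10T22:14:01 FAIL user=asmith src=dial02
2024-06-10T22:14:09 FAIL user=cnguyen src=dial02
2024-06-10T22:14:20 FAIL user=dlee src=dial02
2024-06-10T22:20:00 FAIL user=asmith src=term03
2024-06-10T22:21:00 FAIL user=asmith src=term04
2024-06-10T22:22:00 FAIL user=asmith src=term05
"""

def signon_alarms(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (time, kind, key, count) alarms for bursts of invalid sign-ons.

    Failures are counted per user ID and per source (terminal or dial port)
    in a sliding window, so repeated guesses at one account and attempts on
    many user IDs from one port are both caught.
    """
    recent = defaultdict(deque)  # (kind, key) -> times of recent failures
    alarms = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        when = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        if parts[1] == "OK":
            # A valid sign-on clears that user's failure history.
            recent.pop(("user", fields["user"]), None)
            continue
        for kind in ("user", "src"):
            q = recent[(kind, fields[kind])]
            q.append(when)
            while when - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) == threshold:  # alarm once, when the threshold is hit
                alarms.append((parts[0], kind, fields[kind], len(q)))
    return alarms

if __name__ == "__main__":
    for alarm in signon_alarms(SAMPLE_LOG):
        print(alarm)
```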


Computer Virus

  • Minimize the risk of infection by incorporating virus scanning into the start-up of the computer system and scan any new software and files prior to use.