How much is your data worth? You may think that the customer database your business has built is priceless, and individuals probably regard their online data as being rather valuable as well. After all, that’s why we put so much effort into securing it. Unfortunately, the basic economic laws of supply and demand exist within the criminal marketplace just as they do elsewhere.

Which means that our perception of value is hugely over-inflated when compared to the reality of the online underground economy. That reality is that as malware production and exploitation has rocketed, and stolen data has flooded the marketplace, so the price has plummeted to pretty unbelievable lows.

I’ve been scouting around the various cybercrime underground markets, as well as talking to professional security researchers, and have found pricing that ranges from a few pence for basic stolen credit card numbers purchased in bulk, to a few hundred pounds for a verified ‘active’ bank account with a balance in excess of £10,000 and an online purchase history to go with it.

The risk of arrest is far higher to the person cashing in on a stolen bank account than it is for someone simply selling the data on the underground market

At the really cheap end of the stolen data market are those volume purchases of stolen credit-card numbers. If you fancy taking your chances with a bunch of 100 US-originated cards, unverified and with no guarantees of still being active, then you can pay as little as 10p per card.

Double it if you want the same volume but with a guarantee (whatever that may be worth when dealing with low-life criminals) that the accounts have not yet been reported as compromised, and double it again if you want UK-originated cards rather than American ones.

Platinum variants used to carry a premium, but these seem to have all but disappeared. The bad guys are not adverse to racking up the profit margin with value-added deals though, charging an extra £1 per card if you want accompanying security data (such as postal address and mother’s maiden name) and 50p per time for cards registered to an owner in a specific city.

Unverified bank account data is also cheap enough at £1 per record, but if you want one that comes ‘guaranteed’ as active and with a positive balance of up to £500, then you can up that to £50. The bigger the available balance on a verified account, the more you can expect to pay. How does £400 for an account with around £50,000 of available funds grab you?

The most expensive charges are reserved for accounts which have an existing record of online purchases and PayPal transactions, and are therefore less likely to attract unwanted attention as the funds start to empty.

I know what you are thinking: if that balance was really available why would the criminals be selling the account data for such a relatively small amount instead of cashing in themselves? The answer can be summed up in one word: risk. The risk of arrest is far higher to the person cashing in on a stolen bank account than it is for someone simply selling the data on the underground market. Especially as most transactions are made using ‘untraceable’ cash transfer services such as Western Union or Liberty Reserve.

DIY Kits

The underground economy doesn’t only apply market forces to the value of your data, but does the same when it comes to selling the tools that allow the bad guys to steal it in the first place. The news that you can now buy a do-it-yourself kit for creating a rogue Facebook application for as little as £15 on the web black market came as absolutely no surprise to me.

Nor that yet another kiddie script on steroids kit has surfaced; after all, it was only a matter of time before someone decided that there is more money to be made and less exposure to risk by selling a Facebook malware app creation kit than operating a Facebook malware app scam. What’s more, it’s certainly no surprise that such a thing should come so cheap.

The malware business has long since followed hacking and become commoditised. By which I mean, just as with the hacking business before it, as malware activity has increased dramatically over the past few years, so the market value of malware exploits and the kits used to create them has declined equally dramatically. So whereas the top-end rogue coders selling highly customised and complex Trojan exploit kits to establish hard-to-track zombie networks, which can be used to rent out DDoS and spam attacks, are still demanding many thousands for their handiwork, the budget end of the market is really low cost.

Ironically, the templated, kiddie-script kit end of the malware market is also plagued by piracy, with gangs cracking software and making it available for free. The payload for this free lunch being pretty similar to most pirated commercial software, in that it carries malware of its own. The crackers add code that ensure a copy of any data stolen is passed back to them for resale, and some even comes with a Trojan built in to allow them to take control of the network used by the rival gang installing it. That creates more stolen data to flood the market and further drive the price down, which in turn means they need to steal more in order to make a living.

But perhaps the saddest thing about this malware cost equation becomes apparent when you factor in the cost to business of the data being stolen which, according to a report from the Ponemon Institute last year, sat at an average of £64 per record.

The truth of the matter is somewhat different, of course, and basic data security is neither difficult nor expensive to achieve. All it takes is a little bit of technical know-how and an awful lot of common sense.

One aspect of data security where common sense often gets thrown out of the window is that of physical theft. Sure, there is an argument that as long as your data is properly encrypted it matters not a jot if the bad guys access your hardware, steal your laptop or find your USB stick.

It’s an argument that holds a fair amount of water, and I’m the first to advocate an ‘encrypt everything’ approach to data, but safeguarding your hardware against physical theft is so obvious that I’m always amazed to discover so many small businesses doing no such thing.

I’m the first to advocate an ‘encrypt everything’ approach to data, but safeguarding your hardware against physical theft is so obvious

Many will say that they already pay hefty insurance premiums, and if the old laptop is stolen then it’s a good opportunity to upgrade with the claim money. But what if all your data wasn’t properly encrypted, what about the interruption to your business continuity (even if it’s only a matter of an hour or two while a current backup image is squirted onto a spare machine) and what about the notion that not becoming a crime statistic is actually a good thing?

The bottom line is that taking any risk with your data is a bad thing and ensuring that your hardware is protected from theft or loss to the best of your ability is a no-brainer. The Absolute Theft Recovery team monitors laptop thefts, and has compiled a top ten list of the most common places where hardware is stolen from, after analysing the details of thousands of reported thefts during 2010. I was somewhat surprised that most thefts of laptops occurred from school, but have to imagine that’s because Absolute do a lot of business monitoring hardware in the education sector.

It came as no surprise at all that the home and the car made up the rest of the top three, with work following close behind at number four. Hotels, restaurants, public transport including taxi cabs, and airports were also common venues for computer crime.

So what can your small business do to prevent becoming part of the statistics? Actually, quite a lot and most of them are low cost and easy to implement.

Physical locks

Take the straightforward, if rather retro sounding, matter of making use of the Kensington lock slot and looping a decent quality cable around an immovable object to secure your laptop against casual theft in your office? Please note that the leg of a chair or desk is not an immovable object, and a five quid cable that can be cut using a pair of nail clippers isn’t decent quality. Cables are fine for protecting against opportunistic thefts during office hours, but if laptops are left in the office overnight then you should consider investing in a made-for purpose lockbox or secure storage cabinet and suitable alarm systems.

Also, when it comes to in-situ hardware, a cable will not stop the determined thief equipped with a pair of bolt cutters. The good news is that such thefts seem to be on a downwards spiral. While I have no official figures to support this claim, I’ve not been reading about so many hardware thefts as I used to and the business grapevine would suggest that offices are not being targeted as much as they used to be.

I suspect that the falling price of memory has a lot to do with the apparent decline in such crimes, as ripping a machine open and stripping it of RAM to sell down the pub or on eBay used to be high on the agenda of a petty thief. Couple that with a general decline in desktop computing and the ready availability of cheap netbooks, and it’s hardly surprising that demand for knock-off RAM and second-hand machines has fallen like a lead balloon.

Mobile alarms

Opportunist and professional thieves would appear to favour the mobile hardware market these days, and that means laptops, netbooks and smartphones. So how should you go about protecting these from the bad guys and moments of stupidity when things get lost? The latter is, actually, a much harder proposition that the former. Losing things is a fact of life, although losing a lappy can often be a rather expensive one in terms of both the hardware cost and the interruption to your working day and beyond.

Attach a transmitter to your laptop and keep the receiver in your pocket; if the two should be separated by more than the preset couple of metres or so an alarm will sound to remind you

You can buy alarms which work on a proximity principal, such as the Zomm reviewed in this month’s issue of PC Pro. Attach a transmitter to your laptop and keep the receiver in your pocket; if the two should be separated by more than the preset couple of metres or so an alarm will sound to remind you (and everyone in the vicinity) that you’re stupid.

At the low end of the budget scale such devices provide a simple method of preventing both the accidental loss of laptops at airports and train stations, for example, as well as opportunistic theft. For the one-man band business they make a lot of sense, but slightly bigger concerns might want a slightly more complex and costly solution such as a lojack service.

These use a software agent embedded in the BIOS firmware that maintains contact with a service centre, either via GPS or Wi-Fi depending upon your hardware, and allows the laptop to be located if lost or stolen. Lojack services are also useful in that they can keep a log of all activity after the theft was reported and remotely block access to your data, or even delete it if you prefer.

A similar service can be had for free if you happen to have an iPhone, using the Apple MobileMe service and an app called Find My iPhone. Once installed, you can locate your missing iPhone from any web browser and have a custom message pushed to the home screen and lock screen, together with an alarm sound. An email is sent to let you know that the message has been pushed to the handset, and another provides a date and timestamp when that message has been viewed on the iPhone itself. You can also remotely lock the iPhone or wipe all data, and the precise location of the device is displayed via Google Maps.

Laptop anti-theft measures

Don’t leave your laptop in the car. If you absolutely must, make sure it’s locked in the boot, preferably securely with either the Kensington lock slot and a cable, or within a specially installed car safe. Of course, if your car gets stolen then so does your laptop.

Don’t spend a fortune on a designer laptop bag, or use the branded one that was supplied with the laptop. These simply serve to identify you as a potentially valuable target. Instead, use a cheap and above all else non-descript bag instead.

Stick like glue to your laptop. If you are holding it then the only way a thief will get it is if they mug you. If you leave it unattended on your desk, in a conference room, the floor of an airport lounge, on the seat next to you on a train, things become a lot easier especially for the opportunist thief.

Consider marking your equipment to make it both easier to identify and harder to sell. So-called invisible marking systems such as ’smartwater’ forensic liquid will leave a unique chemical fingerprint on your hardware that is all but impossible to remove, but easily viewed by the police using specialist equipment.

At the opposite end of the marking scale, hugely visible customisation (think business logos and slogans, impossible to remove identification tags and the like) which will help to prevent a casual thief from making an easy sale and a quick buck from your loss.

It isn’t totally new – Londoners can check their borough already at the Met Police website. And a quick look at the figures shows that – despite the media giving the impression we’re entering a new Wild West of guns and knives – crime in London has been on the decline for several years now.

At the time of writing, gun-enabled crime is down 11.5% on last year; violence against the person has dropped 4.8%; murders fell by 1.9% in the last 12 months and robberies are down a massive 19%.

But according to the papers it’s crime “hot-spots” that are the problem, so a plan like these online crime maps is the ideal way to highlight it, right? Wrong, and to illustrate why, I give you an example of an existing online crime mapping scheme:

The LCPD crime “Blotter” (click to enlarge).

Before you attack me with the blindingly obvious, I know it’s not real.

The LCPD Blotter details the daily crime stats for Liberty City, Grand Theft Auto IV’s fictional locale. And, as any idiot could confidently predict, its list of “no go areas” acts entirely as a magnet for wannabe digital criminals – whether as a challenge to single-handedly lift the crime level in a listed safe area, or simply be a part of it in a known hot-spot.

Now, I’m not suggesting the real-world maps will be so stupid as to list such glorifying top-twenty charts of “no go areas” (we hope), but is it so far-fetched to imagine the statistics on easily accessible online crime maps becoming status symbols?

Will we see gangs of youths navigating to “no go” streets on their 3G iPhones to take on the current occupants for the turf? Or challenging rivals to be the street with the most knife attacks, robberies, even murders, in a month?

Could we even see flashmob-style events? A whole borough’s gang members co-ordinate online and aim to hit a target number of crimes in a week. A day. An hour. Or even a daily ratcheting of the crime total over a week – every day more crimes than the last.

With a publicly viewable achievements sheet for gangs, it’s almost as though these crimes are legitimised by statistics; a terrible merger of computer game ‘objectives’ and real-life misery. The incentive for some to prove themselves may be too great to resist.

I know, I know, I’m sure the PM knows more about this than the rest of us; I’m sure none of all that will happen and crime will start declining quicker than Internet Explorer and the French national team.

But if it all goes wrong and crime starts rising, you know it won’t be the PM who shoulders the blame. It’ll be poor old Grand Theft Auto as usual.

Very commendable, but am I the only person wondering how many of them still have those handsets? If the reports that hit the headlines only yesterday are anything to go by, then the answer should be 160, as 40 of them are statistically likely to have been nicked during a violent street mugging. The Design Council survey, on which the headlines are based, revealed that 1 in 5 of youngsters aged between 11 and 16 in London had been victim of a mugging where an item of mobile personal electronics (mobile phone or iPod essentially) had been nicked.

The survey also found that two thirds of the youngsters interviewed carried no less than £100 worth of mobile kit around with them at all times, 61 percent of these kids were worried about theft funnily enough. Actually, not funny at all really, especially considering the 20 percent chance of ending up a victim of just such a crime. Rather surprisingly 42 percent of those victims admitted that they did not report the crime to the police, although the reasons are unclear one would hazard a guess that it falls somewhere between not trusting the old bill, being scared of reprisals or that they were using a mobile phone they had nicked from someone else the week before.

So perhaps the LIFEWISE project is coming at the right time, looking as it does for solutions amongst teenagers themselves to fight this type of violent crime. As Chris Nash, Mobile Learning Consultant at one of the sponsors, Steljes, says: “Handheld technology has allowed the pupils to work together on this project, regardless of where they are – whether in different locations or even different schools,” explains. Anytime Learning is about enhancing the learning experience by extending the school walls to wherever the pupils are and whenever the work is done. This in turn streamlines communications and allows students to share their work and ideas and to forge a more collaborative way of learning and working.”

Yeah, but, it’s no good if the mobile phone has been nicked or whatever…