Cybercrime on the rise, but few victims report it

The cost of computer security incidents continued to rise in 2001, to a total of US$456 million, while only 34 per cent of victims of such crime reported it to law enforcement, according to the seventh annual Computer Crime and Security Survey conducted by the Computer Security Institute and the San Francisco Bureau of the U.S. Federal Bureau of Investigation.

The survey, which tallies the results of computer security incidents in 2001, is composed of responses from 503 computer security professionals who work at corporations, government agencies, financial institutions, medical firms and colleges and universities. The 503 responses to the survey, a 14 per cent response rate, were down from the 643 responses received in 2000.

Representatives of technology companies made up 19 per cent of the respondents, with financial services firms coming in at 18 per cent and government workers at 16 per cent. Thirty-six per cent of companies represented in the survey have more than 5,000 employees, with 24 per cent boasting more than 10,000 workers.

The results of the survey show a continued upward trend in the total number and cost of computer security incidents, and continue to dispute some cherished notions within the computer security world, including that most security breaches are performed by insiders.

“There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners, or report to law enforcement,” said Patrice Rapalus, director of the Computer Security Institute, based in San Francisco, in the report.

Such illegal and unauthorized activity was experienced by 90 per cent of respondents during 2001, with 80 per cent of those incidents leading to financial losses, the survey found. Twenty-five per cent of those responding to the survey said they had experienced between two and five security breaches in 2001, while 39 per cent reported more than 10 such incidents. Total annual losses from security events continued their sharp upswing, clocking in at $456 million in 2001, up from $378 million in 2000 and sharply up from $100 million in 1996.

The most serious losses came as a result of the theft of proprietary information or financial fraud, the respondents said. Twenty per cent of those surveyed said they lost money when proprietary information was stolen in 2001. That number was down from 25 per cent in 2000, but the dollar amount was up in 2001, at $171 million. The average loss from such an incident is also up significantly since the first survey was conducted, with an average loss in 2001 of $6.6 million, up substantially from $954,666 in 1996.

Financial fraud cost organizations around $116 million, in 2001, the survey found. Average losses due to this kind of activity were $4.6 million in 2001, up from $957,384 in 1996, according to respondents.

Despite the received wisdom in the security industry that insider attacks are far more common than those from the outside, 74 per cent of respondents said that their external Internet connection was a point of attack, as opposed to only 33 per cent who said that their internal networks were attacked. Sixty per cent of attacks against Web sites originated externally, with only 2 per cent originating internally, the survey found. Thirty-two per cent of attacks employed some combination of insider and outsiders, according to respondents.

Organizations should pay attention to these trends and be more aware of external threats, according to the report.

“Although cases documenting the hacking of trade secrets from the outside without insider knowledge are rarely made public, you would be very foolish indeed to think your organization’s proprietary information was not at risk of attacks by professional hackers,” the report concluded.

These attacks all came despite the presence of standard security countermeasures, the study found. Eighty-nine per cent of respondents employed firewalls in 2001, 90 per cent had antivirus software and 60 per cent used intrusion-detection systems. Even still, 85 per cent of organizations covered in the survey reported virus infections in 2001, according to the survey. Total losses from virus outbreaks totalled $50 million in 2001, up from $45 million in 2000. Total costs related to virus attacks since 1997 have topped $150 million, according to the report.

Even with such a preponderance of attacks, only 34 per cent of organizations reported security breaches to law enforcement in 2001, the survey found. This was down slightly from 36 per cent in 2000, though up from 16 per cent in 1996, the survey’s first year. Of those not reporting such incidents to law enforcement, 70 per cent cited negative publicity as a reason for their silence, though that was down from 90 per cent in 2000.

In 2001, only 77 per cent of respondents patched security holes after a breach, down from 94 per cent in 2000.

In the face of such worrisome numbers, the report recommends that companies take a number of steps to improve their overall security. First, organizations ought to update and upgrade their disaster recovery plans, the report said. Second, according to the report, companies should consider joining InfraGuard, a public-private partnership which deals with computer security threats. Third, if a business depends heavily on e-commerce or a Web presence, organizations ought to consider e-business insurance, the report said. Finally, organizations ought to consider appointing a chief security officer.

If organizations don’t take greater steps to protect themselves, the consequences could be serious, the study concluded.

“If you have not … attended to these vital areas of an information security program, you are throwing money away on whatever sophisticated technology you purchase and deploy,” the study warned.