Security breaches grow in number and cost

The cost of computer security incidents continued to rise in 2001, to a total of US$456 million, while only 34 per cent of victims of such crime reported it to law enforcement, according to the seventh annual Computer Crime and Security Survey conducted by the Computer Security Institute and the San Francisco Bureau of the U.S. Federal Bureau of Investigation.

The survey, which tallies the results of computer security incidents in 2001, is composed of responses from 503 computer security professionals who work at corporations, government agencies, financial institutions, medical firms and colleges and universities.

Representatives of technology companies made up 19 per cent of the respondents, with financial services firms coming in at 18 per cent and government workers at 16 per cent. Thirty-six per cent of companies represented in the survey have more than 5,000 employees, with 24 per cent boasting more than 10,000 workers.

The results of the survey show a continued upward trend in the total number and cost of computer security incidents, and continue to dispute some cherished notions within the computer security world, including that most security breaches are performed by insiders.

More crime than admitted

“There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners, or report to law enforcement,” said Patrice Rapalus, director of the Computer Security Institute, based in San Francisco, in the report.

Such illegal and unauthorized activity was experienced by 90 per cent of respondents during 2001, with 80 per cent of those incidents leading to financial losses, the survey found. Twenty-five per cent of those responding to the survey said they had experienced between two and five security breaches in 2001, while 39 per cent reported more than 10 such incidents. Total annual losses from security events continued their sharp upswing, clocking in at $456 million in 2001, up from $378 million in 2000 .

The most serious losses came as a result of the theft of proprietary information or financial fraud, the respondents said. Twenty per cent of those surveyed said they lost money when proprietary information was stolen in 2001. That number was down from 25 per cent in 2000, but the dollar amount was up in 2001, at $171 million. The average loss from such an incident is also up significantly since the first survey was conducted, with an average loss in 2001 of $6.6 million, up substantially from $954,666 in 1996.

Cost of financial fraud

Financial fraud cost organizations around $116 million, in 2001, the survey found. Average losses due to this kind of activity were $4.6 million in 2001, up from $957,384 in 1996, according to respondents.

Despite the received wisdom in the security industry that insider attacks are far more common than those from the outside, 74 per cent of respondents said that their external Internet connection was a point of attack, as opposed to only 33 per cent who said that their internal networks were attacked. Sixty per cent of attacks against Web sites originated externally, with only two per cent originating internally, the survey found. Thirty-two per cent of attacks employed some combination of insider and outsiders, according to respondents.

“Although cases documenting the hacking of trade secrets from the outside without insider knowledge are rarely made public, you would be very foolish indeed to think your organization’s proprietary information was not at risk of attacks by professional hackers,” the report concluded.

These attacks all came despite the presence of standard security countermeasures, the study found. Eighty-nine per cent of respondents employed firewalls in 2001, 90 per cent had anti-virus software and 60 per cent used intrusion-detection systems. Even still, 85 per cent of organizations covered in the survey reported virus infections in 2001, according to the survey.

Even with such a preponderance of attacks, only 34 per cent of organizations reported security breaches to law enforcement in 2001, the survey found. Of those not reporting such incidents to law enforcement, 70 per cent cited negative publicity as a reason for their silence, though that was down from 90 per cent in 2000.

In 2001, only 77 per cent of respondents patched security holes after a breach, down from 94 per cent in 2000.

Recommended actions

In the face of such worrisome numbers, the report recommends that companies take a number of steps to improve their overall security. First, organizations ought to update and upgrade their disaster recovery plans, the report said. Second, according to the report, companies should consider joining InfraGuard, a public-private partnership which deals with computer security threats. Third, if a business depends heavily on e-commerce or a Web presence, organizations ought to consider e-business insurance, the report said. Finally, organizations ought to consider appointing a chief security officer.

If organizations don’t take greater steps to protect themselves, the consequences could be serious, the study concluded.

“If you have not … attended to these vital areas of an information security program, you are throwing money away on whatever sophisticated technology you purchase and deploy,” the study warned.