A recent survey of the “cybercrime” situation offers some good news and bad news.
However, overall trends remain relatively unchanged from last year, the 2005 FBI/CSI Computer Crime and Security Survey reveals.
The survey is now in its tenth year. This year’s findings are based on the responses of 700 US-based security practitioners.
“A lot of continuity and few surprises,” is how Robert Richardson, editorial director at the Computer Security Institute (CSI) summed up the situation.
Virus attacks continue to account for most (32 per cent) financial losses. The bad news is unauthorized access has replaced denial of service as the second most significant contributor to computer crime losses, accounting for 24 per cent of overall reported losses, and causing a significant increase in the average dollar loss.
Theft of proprietary information also increased sharply, with average losses more than double of what was reported last year.
But the good news is the total dollar value of financial losses caused by security breaches has decreased from last year’s average of US$526,000 per respondent to $204,000 this year.
“This continues a four-year trend in drops of average losses,” says Richardson. “It shows security professionals are getting better at dealing with routine problems like viruses.”
However, Richardson says there is no standard accounting for cybercrime losses, and that organizations may value losses differently for indirect costs such as system downtime, lost sales and the like. He says anecdotal evidence suggests that security professionals are getting better at distinguishing direct and indirect losses and accounting for them appropriately.
Intangibles such as loss of reputation are even more difficult to quantify, he says. “Where we don’t have a clue is in loss of customer trust, beyond the instances where publicly traded companies suffer losses in stock value after a breach.”
Richardson notes that the survey focuses strictly on enterprise cybercrime, and doesn’t report on attacks targeted at individual end-users —such as phishing, pharming and identity theft.
“My hunch is a decrease in enterprise cybercrime activity has little to do with companies’ security efforts. Rather, hackers are going after low-hanging fruit as they realize there’s a whole world of innocent folks to rip off. All they have to do is send a message that purports to be from e-Bay and they may have a thousand credit card numbers in an hour.”
Another piece of bad news is the percentage of organizations reporting computer intrusions to law enforcement continues its multi-year decline, with fears of negative publicity cited as the main concern.
“One of the reasons the FBI got involved in this survey to begin with was to increase awareness that they do go after cybercrime cases,” says Richardson. But organizations have rational reasons to avoid reporting it to authorities. No one wants to be the next Choicepoint, he says.
Another reporting issue is that organizations need to demonstrate US$ 5,000 in direct losses to get the FBI involved, he says. Organizations often know they’ve been hit, but are unable to demonstrate the extent of damage or how much stolen information is worth.
Another related issue is inadvertent tampering with digital evidence, according to Richardson. Proving a cybercrime has occurred, he says, requires showing time stamps in logs documenting how and when the intrusion took place. But IT employees are rarely aware a crime has occurred when users alert them to a problem, and may end up changing time stamps on logs when they open them in the course of troubleshooting.
“No one calls the help desk to say a database has been breached and records have been stolen. Instead, they say, ‘John, the performance on this database stinks,’ so [John] goes into the log to see what’s going on and blithely wrecks the case. But he’s just doing his job. Digital evidence is really easy to taint, and courts are understandably persnickety about the fact it can be easily changed,” says Richardson.
Rene Hamel, vice-president of computer forensic services at the Inkster Group in Toronto, says the survey findings also apply to Canada with few differences. If anything, information security practices are slightly worse.
“Subsidiaries of US companies comply with the security standards of their US parents, and big organizations such as banks have the experience and resources to deal with security. But we have a lot of small and medium-sized firms, and they’re usually so busy making their businesses work that security isn’t top of mind,” he says.
However, Hamel disagrees with the survey’s finding that average dollar losses are decreasing. “My personal experience here is that dollar losses are definitely increasing, but the problem is, how is the accounting done for those numbers?”
