The majority of U.S. IT professionals responsible for security issues feel it is likely companies will get hit with one major cyberattack within the next year.
According to the results of a recent poll sponsored by the U.S. Business Software Alliance (BSA) and released last week, 60 per cent of the 602 IT professionals surveyed think such attacks are imminent, while only 45 per cent think companies have adequate defences to ward off cyberattacks.
A major cyberattack is defined as an external or internal security breach that shuts down a significant portion of a network, or drastically hinders day-to-day activities, according to BSA.
While there is no equivalent Canadian data readily available, a report issued for the United States by CERT, a centre of Internet security expertise at the Software Engineering Institute and operated by Carnegie Mellon University in Pittsburgh, indicated there were almost twice as many security incidents in the first six months of 2002 as there were in all of 2001 - 43,136, up from 52,658.
A University of Athabasca study released last November found that 20 per cent of Canadian companies suffered one serious external security breach or cyberattack in 2001, but only 35 per cent of them were reported. Twenty per cent of Canadian companies also experienced internal security breaches.
Despite these figures, it is difficult for the RCMP to keep accurate tabs on the numbers because organizations are concerned about getting bad publicity.
Sergeant Chuck Scott from the high technology crime forensics section at the Royal Canadian Mounted Police (RCMP) said businesses are reluctant to report cybercrime, so it is not accurately known how widespread the cyberattacks are.
"There is no realistic appreciation of the threat level because of inadequate reporting," he said. "There is a lack of prosecutional deterrent. If you don't report the incident they (the perpetrators) can't be presented in front of a court."
Erik Niemi, a security consultant, said there are two important aspects in e-security - finding out what needs to be protected at the company and what or whom it needs to be protected from.
"A lot of organizations want to jump to the tools, techniques and processes first," he said, adding that some do so without taking the time to find out what type of security measures they really need to implement.
Niemi added that a lot of companies tend to dismiss the risks of hackers as insignificant when the reality is they are hard to protect against.
Experts say it is relatively easy to break into Canadian companies mainly due to software vulnerabilities. Software companies tend to want to release software into the market as quickly as possible without considering these vulnerabilities. According to CERT, 2,800 software vulnerabilities were reported in the first six months of 2002, compared to the 2,437 reported in all of 2001.