The majority of U.S. IT professionals responsible for security issues feel it is likely companies will get hit with one major cyberattack within the next year.
According to the results of a recent poll sponsored by the U.S. Business Software Alliance (BSA) and released last week, 60 per cent of the 602 IT professionals surveyed think such attacks are imminent, while only 45 per cent think companies have adequate defences to ward off cyberattacks.
A major cyberattack is defined as an external or internal security breach that shuts down a significant portion of a network, or drastically hinders day-to-day activities, according to BSA.
While there is no equivalent Canadian data readily available, a report issued for the United States by CERT, a centre of Internet security expertise at the Software Engineering Institute and operated by Carnegie Mellon University in Pittsburgh, indicated there were almost twice the number of security incidents in the first six months of 2002 than there were in all of 2001 – 43,136, up from 52,658.
A University of Athabasca study released last November found that 20 per cent of Canadian companies suffered one serious external security breach or cyberattack in 2001, but only 35 per cent of them were reported. Twenty per cent of Canadian companies also experienced internal security breaches.
Despite these figures, it is difficult for the RCMP to keep accurate tabs on the numbers because organizations are concerned about getting bad publicity.
Sergeant Chuck Scott from the high technology crime forensics section at the Royal Canadian Mounted Police (RCMP) said there is reluctance for businesses to report cybercrime so it is not accurately known how widespread the cyberattacks are.
“There is no realistic appreciation of the threat level because of inadequate reporting,” he said. “There is a lack of prosecutional deterrent. If you don’t report the incident they (the perpetrators) can’t be presented in front of a court.”
Erik Niemi, a security consultant, said there are two important aspects in e-security – finding out what needs to be protected at the company and what or whom it needs to be protected from.
“A lot of organizations want to jump to the tools, techniques and processes first,” he said, adding that some do without taking the time to find out what type of security measures they really need to implement.
Niemi added that a lot of companies tend to dismiss the risks of hackers as insignificant when the reality is they are hard to protect against.
Experts say it is relatively easy to break into Canadian companies mainly due to software vulnerabilities. Software companies tend to want to release software into the market as quickly as possible without considering these vulnerabilities. According to CERT, 2,800 software vulnerabilities were reported in the first six months of 2002, compared to the 2,437 reported in all of 2001.
Even when vulnerabilities are found, it is up to the network administrator to implement the patches that are designed to counteract them. So, although the antidote is available, due to staffing issues or time constraints, the company might not have time to implement the cure, say experts.
When asked specifically about the possibility of a cyberterrorist attack, Peter Carr, the director of the centre for innovative management at Athabasca University said Canada is less likely to be targeted than the United States simply because of the political climate. He added that the probability of suffering a cyberterrorist attack is as likely as suffering a conventional terrorist attack.
However, he said that if Canada takes a more prominent role in military operations in the Middle East, it could make organizations more vulnerable to attacks.
Both Carr and Niamey said that Canadian while Canadian companies should not dismiss the possibility of cyberterrorism, they are more likely to be dealing with hackers.
Niemi said that while businesses are becoming increasingly concerned with security, that it was not Sept. 11 that prompted these cautious sentiments.
He cited the denial of service attacks in 2000 against Yahoo, eBay, Amazon.com, CNN and Buy.com along with the Melissa virus as instigating the trend developing better security measures.
In Canada, the Office of Security Preparedness and Emergency Protection (OCIPEP) works with the private sector to help protect them against security breaches by disseminating information about viruses and software vulnerabilities on its Web site.