FBI: Cybercrime on the rise

By Sam Costello
April 8, 2002 8:05 am PT

THE COST OF computer security incidents continued to rise in 2001, to a total of $456 
million, while only 34 percent of victims of such crime reported it to law 
enforcement, according to the seventh annual Computer Crime and Security Survey 
conducted by the Computer Security Institute and the San Francisco Bureau of the U.S. 
Federal Bureau of Investigation.

The survey, which tallies the results of computer security incidents in 2001, is 
composed of responses from 503 computer security professionals who work at 
corporations, government agencies, financial institutions, medical firms and colleges 
and universities. The 503 responses to the survey, a 14 percent response rate, were 
down from the 643 responses received in 2000.

Representatives of technology companies made up 19 percent of the respondents, with 
financial services firms coming in at 18 percent and government workers at 16 percent. 
Thirty-six percent of companies represented in the survey have more than 5,000 
employees, with 24 percent boasting more than 10,000 workers.

The results of the survey show a continued upward trend in the total number and cost 
of computer security incidents, and continue to dispute some cherished notions within 
the computer security world, including that most security breaches are performed by 

"There is much more illegal and unauthorized activity going on in cyberspace than 
corporations admit to their clients, stockholders and business partners, or report to 
law enforcement," said Patrice Rapalus, director of the Computer Security Institute, 
based in San Francisco, in the report.

Such illegal and unauthorized activity was experienced by 90 percent of respondents 
during 2001, with 80 percent of those incidents leading to financial losses, the 
survey found. Twenty-five percent of those responding to the survey said they had 
experienced between two and five security breaches in 2001, while 39 percent reported 
more than 10 such incidents. Total annual losses from security events continued their 
sharp upswing, clocking in at $456 million in 2001, up from $378 million in 2000 and 
sharply up from $100 million in 1996.

The most serious losses came as a result of the theft of proprietary information or 
financial fraud, the respondents said. Twenty percent of those surveyed said they lost 
money when proprietary information was stolen in 2001. That number was down from 25 
percent in 2000, but the dollar amount was up in 2001, at $171 million. The average 
loss from such an incident is also up significantly since the first survey was 
conducted, with an average loss in 2001 of $6.6 million, up substantially from 
$954,666 in 1996.

Financial fraud cost organizations around $116 million in 2001, the survey found. 
Average losses due to this kind of activity were $4.6 million in 2001, up from 
$957,384 in 1996, according to respondents.

Despite the perceived wisdom in the security industry that insider attacks are far 
more common than those from the outside, 74 percent of respondents said that their 
external Internet connection was a point of attack, as opposed to only 33 percent who 
said that their internal networks were attacked. Sixty percent of attacks against Web 
sites originated externally, with only 2 percent originating internally, the survey 
found. Thirty-two percent of attacks employed some combination of insiders and 
outsiders, according to respondents.

Organizations should pay attention to these trends and be more aware of external 
threats, according to the report.

"Although cases documenting the hacking of trade secrets from the outside without 
insider knowledge are rarely made public, you would be very foolish indeed to think 
your organization's proprietary information was not at risk of attacks by professional 
hackers," the report concluded.

These attacks all came despite the presence of standard security countermeasures, the 
study found. Eighty-nine percent of respondents employed firewalls in 2001, 90 percent 
had antivirus software and 60 percent used intrusion-detection systems. Even still, 85 
percent of organizations covered in the survey reported virus infections in 2001, 
according to the survey. Losses from virus outbreaks totalled $50 million in 
2001, up from $45 million in 2000. Total costs related to virus attacks since 1997 
have topped $150 million, according to the report.

Even with such a preponderance of attacks, only 34 percent of organizations reported 
security breaches to law enforcement in 2001, the survey found. This was down slightly 
from 36 percent in 2000, though up from 16 percent in 1996, the survey's first year. 
Of those not reporting such incidents to law enforcement, 70 percent cited negative 
publicity as a reason for their silence, though that was down from 90 percent in 2000.

In 2001, only 77 percent of respondents patched security holes after a breach, down 
from 94 percent in 2000.

In the face of such worrisome numbers, the report recommends that companies take a 
number of steps to improve their overall security. First, organizations ought to 
update and upgrade their disaster recovery plans, the report said. Second, according 
to the report, companies should consider joining InfraGard, a public-private 
partnership which deals with computer security threats. Third, if a business depends 
heavily on e-commerce or a Web presence, organizations ought to consider e-business 
insurance, the report said. Finally, organizations ought to consider appointing a 
chief security officer.

If organizations don't take greater steps to protect themselves, the consequences 
could be serious, the study concluded.

"If you have not ... attended to these vital areas of an information security program, 
you are throwing money away on whatever sophisticated technology you purchase and 
deploy," the study warned.

Sam Costello is a Boston-based correspondent for the IDG News Service, an InfoWorld 

