Web of Crime: Enter the Professionals

Artwork: Diego Aguirre
Part 1 of a special five-part series.

You can't do serious business today without a Web site. And most company owners know that their sites have to be protected from teenage vandals and small-time hackers.

But Internet crime has grown up. Today, if your business comes under attack or your computer gets infected with a virus or worm, the culprit is far more likely to be someone who expects to make money from the assault.

Figures measuring the impact of malware-based crimes are hard to come by because most information in this area is anecdotal. However, a 2004 PricewaterhouseCoopers survey of more than 1000 businesses in the UK found that, on average, companies spent more than $17,000 on their worst security incidents that year. For large companies, the amount was closer to $210,000, the study found, with most of the cost arising from the disruption to their ability to do business. In addition, people who track and/or fight these types of crime say that many companies affected by such attacks do not report the crimes. Instead, they either take care of the problem themselves or go to private security companies for assistance.

"The life that we had with the so-called pranksters instead of the pros is likely to end," says Shane Coursen, senior virus researcher at Kaspersky Lab, maker of security software. "If you exist as a business on the Internet, you should be greatly concerned."

The global virus and worm attacks we've seen thus far--Bagle, MyDoom, and Sasser--are just the beginning of a trend, Coursen says. For instance, this month's Windows Plug and Play attacks saw different worms duking it out for control over infected PCs. These days, Coursen adds, three out of every four pieces of malicious code or malware that come into Kaspersky Lab are "obviously meant to make money."

Your business may be vulnerable to this new breed of criminals--Web thugs who have money, not mayhem, in mind. As the mischief-making hacker of the 1990s gives way to the determined high-tech thief of the 21st century, your business may suffer. For example, in the 2005 E-Crime Watch survey of security and law enforcement executives, respondents estimated an average loss of $506,670 per organization due to malware and other types of e-crime. The survey was conducted by CSO Magazine (a sister publication to PC World) in association with the U.S. Secret Service and Carnegie Mellon University's Computer Emergency Response Team (CERT).

It's gotten so bad that CERT last year stopped publishing the number of computer crime incidents, saying: "Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks."
