• PC World
• » Tech Industry

The cost of computer security incidents continued to rise in 2001, to a total of $456 million, while only 34 percent of victims of such crime reported it to law enforcement, according to the seventh annual Computer Crime and Security Survey conducted by the Computer Security Institute and the San Francisco Bureau of the U.S. Federal Bureau of Investigation.

The survey, which tallies the results of computer security incidents in 2001, is composed of responses from 503 computer security professionals who work at corporations, government agencies, financial institutions, medical firms, and colleges and universities. The 503 responses to the survey, a 14 percent response rate, were down from the 643 responses received in 2000.

Representatives of technology companies made up 19 percent of the respondents, with financial services firms coming in at 18 percent, and government workers at 16 percent. Thirty-six percent of companies represented in the survey have more than 5,000 employees, with 24 percent boasting more than 10,000 workers.

Upward Trend

The results of the survey show a continued upward trend in the total number and cost of computer security incidents, and continue to dispute some cherished notions within the computer security world, including that most security breaches are performed by insiders.

"There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders, and business partners, or report to law enforcement," says Patrice Rapalus, director of the Computer Security Institute, based in San Francisco, in the report.

Such illegal and unauthorized activity was experienced by 90 percent of respondents during 2001, with 80 percent of those incidents leading to financial losses, the survey found. Twenty-five percent of those responding to the survey said they had experienced between two and five security breaches in 2001, while 39 percent reported more than 10 such incidents. Total annual losses from security events continued their sharp upswing, clocking in at $456 million in 2001, up from $378 million in 2000 and sharply up from $100 million in 1996.

The most serious losses came as a result of the theft of proprietary information or as a result of financial fraud, the respondents said. Twenty percent of those surveyed said they lost money when proprietary information was stolen in 2001. That number was down from 25 percent in 2000, but the dollar amount was up in 2001, at $171 million. The average loss from such an incident is also up significantly since the first survey was conducted, with an average loss in 2001 of $6.6 million, up substantially from $954,666 in 1996.

Financial fraud cost organizations around $116 million in 2001, the survey found. Average losses due to this kind of activity were $4.6 million in 2001, up from $957,384 in 1996, according to respondents.

Outside Sources

Despite the received wisdom in the security industry that insider attacks are far more common than those from the outside, 74 percent of respondents said that their external Internet connection was a point of attack, as opposed to only 33 percent who said that their internal networks were attacked. Sixty percent of attacks against Web sites originated externally, with only 2 percent originating internally, the survey found. Thirty-two percent of attacks employed some combination of insider and outsiders, according to respondents.

Organizations should pay attention to these trends and be more aware of external threats, according to the report.

"Although cases documenting the hacking of trade secrets from the outside without insider knowledge are rarely made public, you would be very foolish indeed to think your organization's proprietary information was not at risk of attacks by professional hackers," the report concluded.

These attacks all came despite the presence of standard security countermeasures, the study found. Eighty-nine percent of respondents employed firewalls in 2001, 90 percent had antivirus software, and 60 percent used intrusion-detection systems. Even still, 85 percent of organizations covered in the survey reported virus infections in 2001, according to the survey. Total losses from virus outbreaks totaled $50 million in 2001, up from $45 million in 2000. Total costs related to virus attacks since 1997 have topped $150 million, according to the report.

Keeping Quiet

Even with such a preponderance of attacks, only 34 percent of organizations reported security breaches to law enforcement in 2001, the survey found. This was down slightly from 36 percent in 2000, though up from 16 percent in 1996, the survey's first year. Of those not reporting such incidents to law enforcement, 70 percent cited negative publicity as a reason for their silence, though that was down from 90 percent in 2000.

In 2001, only 77 percent of respondents patched security holes after a breach, down from 94 percent in 2000.

In the face of such worrisome numbers, the report recommends that companies take a number of steps to improve their overall security. First, organizations ought to update and upgrade their disaster recovery plans, the report says. Second, according to the report, companies should consider joining InfraGuard, a public-private partnership which deals with computer security threats. Third, if a business depends heavily on e-commerce or a Web presence, organizations ought to consider e-business insurance, the report says. Finally, organizations ought to consider appointing a chief security officer.

If organizations don't take greater steps to protect themselves, the consequences could be serious, the study concludes.

"If you have not ... attended to these vital areas of an information security program, you are throwing money away on whatever sophisticated technology you purchase and deploy," the study warns.

• See more like this:
• cybercrime,
• FBI,
• hacker,
• attack,
• computer,
• network,
• security,
• incident,
• Computer Crime and Security Survey,
• Computer Security Institute