Cyber crime still a threat despite some reports of a decline

If you are among those individuals who believe computer crimes impact only other companies, then read on to live vicariously the lives of organizations that have been forced to deal with it.

According to the 10th Annual Computer Security Institute/FBI Computer Crime and Security Survey, the cost of cyber crimes reported by respondents willing and able to quantify losses decreased in 2004 compared with the figure for 2003. Nevertheless, the losses were considerable.

The 639 respondents to the loss question in 2004 said they were out an aggregate $130.1 million from offenses ranging from theft of proprietary information to sabotage. That compared with $141.5 million in losses tied to 269 survey takers a year earlier.

Compiling the findings of the survey of business, government and education computer users were Robert Richardson, editorial director of San Francisco-based CSI, and academicians Lawrence A. Gordon, Martin R Loeb and William Lucyshyn. They point out that the decrease in average per-respondent toss, $203,606 in 2004 versus $526,010 in 2003, may be the result of increased awareness of some forms of computer crimes, such as viruses, and improved technology to battle them.

At the same time, the authors voice concern that the true cost of cyber crime may not be represented by survey findings.

"We suspect respondents are more accurate than ever in accounting for their explicit costs, such as the cost of reinstalling software and reconfiguring computer systems," they write. "But we're equally suspicious that the implicit losses, such as the lost future sales due to negative media coverage following a breach, are largely not represented in the toss numbers reported here."

The types of computer crimes mentioned by survey respondents and the aggregate dollar losses attributed to those crimes included viruses, $42.8 million; unauthorized access to information, $31.2 million; theft of proprietary information, $30.9 million; denial of service attacks, $7.3 million; insider Internet/network abuse, $6.9 million; laptop theft, $4.1 million; and financial fraud, $2.6 million.

Losses in 2004 decreased in all but two of those crime-type categories. The average loss per respondent in cases relating to unauthorized access to information rose from $51,545 in 2003 to $303,234 in 2004, and the average loss for theft of proprietary information was $355,552 last year, compared with $168,529 a year earlier.

In terms of the actual numbers of attacks acknowledged by respondents, only one category--wireless network abuse--saw an increase in 2004 compared with 2003.

If your company is spending less than 1 percent or more than 5 percent of its total information technology budget on computer security, then your company differs from nearly half, or 48 percent, of the 690 respondents in 2004 who provided budget details.

The types of security tools used in 2004 and the percentage of the 687 respondents reporting their use shook out like this: firewalls, 97 percent; anti-virus software, 96 percent; intrusion detection systems, 72 percent; server-based access control lists, 70 percent; and encryption for data in transit, 68 percent.

Reusable account/log-in passwords were employed to foil digital miscreants by 52 percent of the survey takers, encrypted files by 46 percent, smart cards and other onetime password tokens by 42 percent, public-key infrastructures by 35 percent, intrusion prevention systems by 35 percent, and biometrics devices by 15 percent.

In 2004, 87 percent of the groups represented by respondents conducted computer security audits, up from 82 percent in the previous period.

Other findings were as follows. Twenty-five percent of 652 respondents said they have insurance to protect them from major losses tied to computer crimes, about the same percentage as in 2003. Attacks against computer systems are as likely to come from within an organization as from outside it. Slightly more than a third of 682 respondents said that as of last year, they outsourced some aspect of their computer security.

Look for full survey results at CSI's website, www.gocsi.com.

COPYRIGHT 2005 Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
COPYRIGHT 2005 Gale Group