'Byte' the dust: computer crime drops over last 4 years

Nation's Restaurant News, July 12, 2004 by Alan J. Liddle

SAN FRANCISCO -- An annual survey of about 500 public and private organizations found that the unauthorized use of computer systems has declined for four straight years, as has the respondents' average estimated dollar loss tied to such illegal activities.

In addition, denial-of-service attacks surpassed theft of proprietary information as the most costly computer crime among survey respondents, reflecting the proliferation of viruses that implant on computers time-triggered programs that launch denial-of-service attacks against targeted networks. Theft of proprietary information had been the most costly computer crime among respondents in the five previous studies.

Those were among the findings of the Ninth Annual Computer Crime and Security Survey, conducted by the Computer Security Institute of San Francisco with the help of the Federal Bureau of Investigation's local Computer Intrusion Squad. An academic research team specializing in information security economics from the Robert H. Smith School of Business at the University of Maryland also collaborated on the 2004 survey, CSI sources reported.

Nearly all of the 494 respondents to the 2004 survey from U.S. corporations, government agencies, financial institutions, medical organizations and universities were members of the CSI, which characterizes itself as a 31-year-old membership association and education provider. CSI executives speculated that the rate of cyber break-ins and dollar loss from such crimes is likely higher among the general business, government and education populations.

"Although the CSI/FBI survey clearly shows that cyber crime continues to be a significant threat to American organizations, our survey respondents appear to be getting real results from their focus on information security. Their average dollar losses per year have dropped in each survey for four straight years," CSI director Chris Keating said. "We don't believe that all organizations maintain the same defenses as our members; financial damages for less-protected organizations are almost certainly worse."

The breakdown of respondents and complete results of the 2004 survey are available at the CSI's Web site, www.gocsi.com. Questions on the latest survey pertained to the 2003 calendar year.

The survey found that of the 481 respondents who answered a question about whether or not their organization had experienced unauthorized use of its computer systems during the prior 12 months, 53 percent said yes, compared with about 57 percent the year before.

About 35 percent said there had been no unauthorized use during the preceding 12 months, up from about 29 percent a year earlier; and 11 percent said they didn't know if there had been unauthorized use, versus approximately 14 percent in 2003.

The number of security breaches originating from within the reporting organizations and those originating from the Internet or outside those organizations were about evenly split in the latest year, respondents indicated.

Surveyors said the 269 respondents willing or able to quantify their estimated losses from computer crimes in the latest year reported that their aggregate costs reached $141.5 million, down from the aggregate $201.8 million reported by about 249 respondents a year ago. Respondents cited in the 2002 survey attributed more than $455 million in aggregate losses to computer crime.

The five most costly categories of computer crimes and the estimated losses attributed to such crimes by survey respondents were as follows: denial-of-service attacks, $26.1 million; theft of proprietary information, $11.5 million; insider network abuse, $10.6 million; abuse of wireless network, $10.2 million; and financial fraud, $7.7 million.

Of the 132 respondents reporting security problems at their organizations' Internet Web sites, 89 percent reported one to five incidents, 6 percent cited six to 10, and 5 percent acknowledged more than 10 cases of unauthorized activity.

Asked about the types of security technology they use, nearly all of the 483 respondents to the question cited antivirus software and firewalls. More than half mentioned reusable account and login passwords, encryption for data in transit, intrusion-detection tools and server-based network access control lists.

Of the 481 respondents who reported the percentage of their total information technology budget spent on security, 24 percent said 1 percent to 2 percent; 22 percent said 3 percent to 5 percent; 7 percent said 6 percent to 7 percent; 8 percent said 8 percent to 10 percent; and another 8 percent said more than 10 percent. About 16 percent of the respondents said they allocated less than 1 percent of their overall IT budget for security, and 14 percent acknowledged that they did not know the percentage breakdown.

"Although information sharing has recently been promoted by the Department of Homeland Security and various leaders in the computer security community, [the latest survey] detected no increase in the disposition to share information about security intrusions," the authors of a report on the survey wrote. Those authors were Lawrence A. Gordon, Martin E Loeb, William Lucyshyn and Robert Richardson, the CSI's editorial director.