http://www.gocsi.com/prelea11.htm
Annual cost of computer crime rises alarmingly
Organizations report $136 million in losses
SAN FRANCISCO -- The Computer Security Institute (CSI) announced today the
results of its third annual "Computer Crime and Security Survey."
The "Computer Crime and Security Survey" is conducted by CSI with the
participation of the Federal Bureau of Investigation (FBI) International
Computer Crime Squad’s San Francisco office. The aim of this effort is to
help raise the level of security awareness as well as determine the scope
of computer crime in the United States.
Based on responses from 520 security practitioners in U.S. corporations,
government agencies, financial institutions and universities, the findings
of the "1998 Computer Crime and Security Survey" indicate that computer
crime and other information security breaches are still on the rise and
that the cost to U.S. corporations and government agencies is increasing.
Here are some of the most intriguing results.
* 64% of respondents report computer security breaches within the last
twelve months. This figure represents a dramatic increase: 16% over the
"1997 CSI/FBI Computer Crime and Security Survey" results, in which 48%
of respondents reported unauthorized use, and 22% over the initial 1996
survey, in which 42% acknowledged unauthorized use. (Note: If you
include those reporting only incidents of computer virus or laptop
theft, the number rises to 88% of all respondents.)
* Although 72% of respondents acknowledge suffering financial losses from
such security breaches, only 46% were able to quantify their losses.
The total financial losses for the 241 organizations that could put a
dollar figure on them add up to $136,822,000. This figure represents a
36% increase in reported losses over the 1997 figure of $100,115,555 in
losses.
* Security breaches detected by respondents include a diverse array of
serious attacks. For example, 44% reported unauthorized access by
employees, 25% reported denial of service attacks, 24% reported system
penetration from the outside, 18% reported theft of proprietary
information, 15% reported incidents of financial fraud, and 14%
reported sabotage of data or networks.
* The most serious financial losses occurred through unauthorized access
by insiders (18 respondents reported a total of $50,565,000 in losses),
theft of proprietary information (20 respondents reported a total of
$33,545,000 in losses), telecommunications fraud (32 respondents
reported a total of $17,256,000 in losses) and financial fraud (29
respondents reported a total of $11,239,000 in losses).
* The number of organizations that cited their Internet connection as a
frequent point of attack rose from 47% in 1997 to 54% in 1998. This
represents a 17% increase over the initial 1996 figure of 37%. And
significantly, the number of respondents citing their Internet
connection as a frequent point of attack is now equal to the number of
respondents citing internal systems as a frequent point of attack. (In
the past, internal systems have been considered to be the greater
problem. It is not that the threat from inside the perimeter has
diminished; it is simply that the threat from outside, via Internet
connections, has increased.) This trend was reinforced by another piece
of data. Of those who acknowledged unauthorized use, 74% reported from
one to five incidents originating outside the organization, and 70%
reported from one to five incidents originating inside the
organization.
Summary data for responses to all 1998 survey questions, and a table
displaying financial losses due to various types of security breaches
reported in both 1997 and 1998 accompany this press release.
Patrice Rapalus, CSI director, suggests that organizations pay more
attention to information security staffing and training.
"While companies may think that they are spending the requisite amount on
information security, the dramatic increase in quantified dollar losses
indicates otherwise. In addition to hardware and software (for example,
firewalls), organizations must ensure that training staffing levels are
adequate and that end users are made aware of the seriousness of the
situation."
Robert Walsh, Special Agent in Charge of the FBI’s San Francisco office,
agreed that the dollar losses as reflected in this year’s survey are a
matter of grave concern.
"But what is of equal concern is the seeming reluctance of organizations,
for the third year in a row, to report computer intrusions to law
enforcement. It is understandable that negative publicity is cited as the
principal reason for this; however, the FBI has successfully investigated,
and resolved, many cases in which computer crimes are alleged with either
minimal or no public exposure to the victim company."
###
CSI, established in 1974, is a San Francisco-based association of
information security professionals. It has thousands of members worldwide
and provides a wide variety of information and education programs to
assist practitioners in protecting the information assets of corporations
and governmental organizations.
The FBI, in response to an expanding number of instances in which
criminals have targeted major components of information and economic
infrastructure systems, has established International Computer Crime
Squads in selected offices throughout the United States. The mission of
these squads is to investigate violations of the Computer Fraud and Abuse Act
of 1986, including intrusions to public switched networks, major computer
network intrusions, privacy violations, industrial espionage, pirated
computer software and other crimes where the computer is a major factor in
committing the criminal offense.
The seriousness of this mission was recently reinforced by U.S. Attorney
General Janet Reno’s announcement of the creation of the National
Infrastructure Protection Center. Recognizing this country's
unprecedented reliance on technology, the Center, which will be a joint
partnership among federal agencies and private industry, is designed to
serve as the government's lead mechanism for responding to an
infrastructure attack.
Received on Wed Aug 26 09:14:56 1998