Survey shows drop in cybercrime
The eighth annual IT crime survey by the Computer Security Institute of San Francisco and the FBI's computer intrusion squad shows a dramatic drop in financial losses from cyberattacks.
The number of significant security incidents appears to have leveled out since last year, according to the survey, which produces some of the most widely quoted numbers about the state of IT security.
But CSI editorial director Robert Richardson cautioned against reading too much into the apparent good news.
'The survey raises a lot of questions it does not answer,' Richardson said.
The 530 security professionals who responded to the survey were self-selected, and many of them might not have been totally frank about financial losses. The survey also ocurred before the Blaster and SoBig attacks.
But the 'numbers are pretty good. For security practitioners, it's a pretty valuable barometer,' aid Patrick Gray, former head of the FBI Cybercrime Squad.
Gray now heads emergency response services for Internet Security Systems Inc. of Atlanta.
Only 7 percent of the respondents in the latest survey worked for the federal government. About 5 percent were in state governments and 3 percent in local governments. Most respondents came from the high-tech (17 percent), financial (15 percent) and manufacturing (11 percent) sectors.
When Richardson analyzed by sector, he found no statistically significant differences between the various industry and government groups.
'In some cases I had to throw numbers out because the samples were too small,' he said. 'Seven percent of 530 is not that many.'Fewer financial losses
The biggest shift in this year's numbers was in total reported losses, which dropped by more than half from $455 million last year to $202 million this year. Only 56 percent of respondents reported unauthorized use of IT systems this year, compared with 60 percent last year.
Richardson said that the drop from last year's numbers was steep, but figures for financial losses were in line with those reported earlier.
'You have to be careful what you draw from those numbers,' he said, because fewer than half of the respondents reported money figures. Given the small sample, a few large losses in any given year could sharply swing the totals.
'People don't know how to account for a loss very well,' Richardson said. 'The information security industry has just begun to talk to economists.'
The downward trend in unauthorized systems use has held steady for the last three years, reaching a high of 70 percent in 2000. Reported insider attacks have trended downward for four years, with a corresponding increase in attacks from the Internet.
Almost every respondent reported antivirus software and firewall use. Intrusion detection technology came up fast, however, reported by 73 percent of respondents this year compared with 60 percent last year.
Biometric authentication still has not taken off, however, hovering around 11 percent this year.
Only 30 percent of the respondents who had security breaches reported them to law enforcement. Seventy percent said they wanted to avoid negative publicity, and 61 percent were afraid of revealing such information to competitors. Surprisingly, 53 percent said they were not aware they could report incidents to law enforcement.
'I didn't want to be the guy who got up and said, 'See, we know what we're doing,' ' Richardson said. 'I think we probably still have some huge vulnerabilities, although we are getting better.'
Gray's take was more positive. 'I think people are learning,' he said. 'In the security world, you either sink or swim, and most of the people are swimming now.'
The CSI-FBI report appears online at www.gocsi.com