Intrusion numbers don't lie, but some crimes miss the count
The numbers are in, and you might already have seen them in slide presentations, flip charts and white papers. According to the fifth annual Computer Security Institute and FBI survey on computer crime, a record number of organizations experienced system intrusions in the last year. They reported a whopping $265.6 million in losses, more than double last year's survey total.
The largest single category was theft of proprietary information, which cost a reported $66.7 million. Second was financial fraud, costing $56 million.
Some of the most interesting numbers are in the fine print. The response rate for this year's survey was 15 percent, higher than in any previous year but still only a fraction of the potential respondents. And the numbers of those willing or able to answer some questions were disturbingly small. Although 74 percent of those who filled out the survey admitted to some financial losses from attack or misuse of their systems, only 42 percent could or would specify a dollar amount.
Of those who admitted intrusions in the past year, 44 percent said they did not report them at all. Only a quarter notified law enforcement authorities, down from 32 percent the year before. Although the majority of respondents who avoided law enforcement said they preferred to pursue civil remedies, only 20 percent even reported the intrusions to legal counsel, down from 29 percent the year before.
Not for public use
The bottom line is, we still have little beyond anecdotal evidence about the nature and magnitude of computer crime. Many security professionals seem less than willing to talk openly about their risks and their losses. Security issues are still seen as something to be handled internally. Those surveyed apparently prefer not to air their dirty linen in public.
It is difficult to say how aggressive federal agencies are in reporting intrusions and misuse of computer systems. Just 9 percent of the respondents in the 2000 survey said they work for the federal government. Another 7 percent were in state government, and 2 percent were local.
The Computer Security Institute of San Francisco has acknowledged the survey is not scientific but "at best, a series of snapshots that give some sense of the facts on the ground at a particular time," according to its editorial director, Richard Power.
What the snapshots show is what we already assume: Computer crime is on the rise. Losses in dollar amounts are particularly hard to calculate, but the $265.6 million cited in this year's survey is a conservative figure, and a lot more money is at stake.
The trends appear a little confusing. Virtually all survey respondents this year said they have antivirus software and intrusion detection systems. But the percentage of those having network firewalls actually decreased, from 91 percent last year to 78 percent this year.
The best security advice for this year is the same as last year's: Be aware of new vulnerabilities, exploits and viruses; keep up to date with patches and antivirus software; and pay attention to the configuration of your firewalls, routers, switches, hubs and gateways.