Security holds its ground in IT crime survey
- By William Jackson
- Jun 09, 2003
The eighth annual IT crime survey by the Computer Security Institute of San Francisco and the FBI's San Francisco computer intrusion squad shows a dramatic drop in financial losses attributed to computer attacks. And a former chief of the FBI's cybercrime squad said government systems have improved significantly.
The number of significant security incidents appears to have leveled off since last year, according to the survey, which produces some of the most widely quoted numbers about the state of IT security.
But CSI editorial director Robert Richardson cautioned against reading too much into the apparent good news.
'The survey raises a lot of questions it doesn't answer,' Richardson said.
The 530 security professionals who responded to the survey were self-selected, and many of them might not have been totally frank about financial losses.
Even so, said Patrick Gray, former head of the FBI cybercrime squad, 'Their numbers are pretty good. For security practitioners, it's a pretty valuable barometer.'
Gray now heads emergency response services for Internet Security Systems Inc. of Atlanta.
Only 7 percent of the respondents in the latest survey worked for the federal government. About 5 percent were in state governments and 3 percent in local governments. Seventeen percent came from high-tech sectors, 15 percent were from financial and 11 percent from manufacturing sectors.
Still, Gray was particularly positive about the state of government security.
'As a 20-year FBI veteran who retired two years ago, I am amazed at how well the government has responded,' he said. 'Sometimes the government moves glacially, but I think this administration is serious about getting where it should be.'
Gray discounted persistent government reports about the sorry state of federal IT security, including a congressional report card that gave it an overall failing grade.
'I don't know that those grades are meaningful,' he said.
Low grades might be caused by agencies' focus on a handful of critical systems, he said. The biggest job still undone is enforcing proper policies and standards.
When Richardson analyzed by sector, he found no statistically significant differences between the various industry and government groups.
The biggest shift in this year's numbers was in total reported losses, which dropped by more than half from $455 million last year to $202 million this year. Only 56 percent of respondents reported unauthorized use of IT systems this year, compared with 60 percent last year.
Richardson said the drop from last year's numbers was steep, but that this year's loss figures were in line with those reported in earlier years.
'You have to be careful what you draw from those numbers,' he said, because fewer than half of the respondents reported money figures. Given the small sample, a few large losses in any given year could sharply swing the totals.
'People don't know how to account for a loss very well,' Richardson said. 'The information security industry has just begun to talk to economists.'
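To make Richardson's caution concrete, the following is an added example (not part of the original article, and not based on the survey's own data). It uses a constructed set of ten hypothetical loss reports in which one respondent dwarfs the rest, and shows how the yearly total collapses when that one respondent has a quieter year while the median does not move at all. It also resamples the respondents to compare how unstable the total is against the median.

```python
"""Why a survey's total reported loss is a fragile number.

Added example, not part of the article: the article notes that fewer than
half of respondents gave dollar figures, so a few large losses can swing the
yearly total. This script shows that effect on a constructed sample and
contrasts the total with the median, which is far less sensitive.
"""
import random
from statistics import mean, median

# Constructed loss reports in dollars (hypothetical, not survey data).
# One respondent dwarfs the others, as large-organization losses tend to.
YEAR_ONE = [5_000, 12_000, 20_000, 35_000, 50_000,
            75_000, 90_000, 120_000, 250_000, 8_000_000]
# Same respondents, but the largest reporter has a quieter year.
YEAR_TWO = YEAR_ONE[:-1] + [500_000]


def summarize(losses):
    """Total, mean and median of a list of reported losses."""
    return {"n": len(losses), "total": sum(losses),
            "mean": mean(losses), "median": median(losses)}


def top_share(losses, k=1):
    """Fraction of the total contributed by the k largest reporters."""
    biggest = sorted(losses, reverse=True)[:k]
    return sum(biggest) / sum(losses)


def year_over_year(prev, curr):
    """Relative change in total and in median between two survey years."""
    a, b = summarize(prev), summarize(curr)
    return {"total_change": (b["total"] - a["total"]) / a["total"],
            "median_change": (b["median"] - a["median"]) / a["median"]}


def bootstrap_spread(losses, stat, rounds=2000, seed=1):
    """Instability of a statistic under resampling of respondents.

    Draws `rounds` bootstrap samples (same size, with replacement) and
    returns the ratio of the 90th to the 10th percentile of `stat`.
    A ratio near 1 means the statistic barely depends on who happened
    to answer; a large ratio means it is driven by a few respondents.
    """
    rng = random.Random(seed)
    n = len(losses)
    values = sorted(stat([rng.choice(losses) for _ in range(n)])
                    for _ in range(rounds))
    lo, hi = values[rounds // 10], values[rounds * 9 // 10]
    return hi / lo


if __name__ == "__main__":
    for label, year in (("year one", YEAR_ONE), ("year two", YEAR_TWO)):
        s = summarize(year)
        print(f"{label}: total ${s['total']:,} median ${s['median']:,.0f}")
    print("largest reporter's share of year-one total:",
          round(top_share(YEAR_ONE), 3))
    print("year-over-year:", year_over_year(YEAR_ONE, YEAR_TWO))
    print("bootstrap spread of total:",
          round(bootstrap_spread(YEAR_ONE, sum), 1))
    print("bootstrap spread of median:",
          round(bootstrap_spread(YEAR_ONE, median), 1))
```

With these constructed figures the total falls by more than 85 percent from one year to the next even though nine of ten respondents reported exactly the same losses, and the median is unchanged. The bootstrap ratio for the total is several times that for the median, which is the practical reason to read a survey's median or per-respondent figures alongside, or instead of, its headline total.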
Reported unauthorized use of systems has declined for three straight years from a high of 70 percent in 2000. Reported insider attacks have trended downward for four years, with a corresponding increase in attacks originating from the Internet.
Almost all respondents said they used antivirus software and firewalls. Intrusion detection technology is spreading quickly: 73 percent of respondents reported using it this year, compared with 60 percent last year.
Biometric authentication still has not taken off, hovering around 11 percent this year.
Only 30 percent of the respondents who had security breaches reported them to law enforcement. Seventy percent said they wanted to avoid negative publicity, and 61 percent were afraid of revealing such information to competitors. Surprisingly, 53 percent said they were not aware they could report incidents to law enforcement.
William Jackson is a Maryland-based freelance writer.