Computer Crime Research Center


Cybercrimes decrease, FBI and CSI

Date: July 15, 2005
Source: InformationWeek
By: Gregg Keizer

A downward turn in overall cyber crime has hit its fourth year, said the 10th-annual survey on computer crime released Thursday, and average financial losses have tumbled by more than half.

The yearly survey, which is conducted by the Computer Security Institute (CSI) in coordination with the FBI, found that the average dollar amount pegged to a security breach fell by a whopping 61 percent compared to 2004, when the loss per polled company or government agency was estimated at $526,000. In 2005, the amount per respondent was only $203,000.

Even more important, said Robert Richardson, the editorial director of CSI and the author of the report based on the poll, was the finding that the percentage of those polled who have experienced attacks of various types continued to tail off in 2004.

Most categories of cyber crimes have been on the downturn since 2001, the survey's figures show, with the biggest drop found in denial-of-service (DoS) attacks. In 2001, DoS attacks were experienced by over 90 percent of those polled; in 2005, fewer than 50 percent said they'd been the victim of a DoS attack in the last 12 months.

"It's a four-year trend now, which is good news," said Richardson. "It shows that companies are getting better and better at utilizing some fairly unexciting technologies, work-a-day tools like anti-virus scanning and firewalls. Also, organizations are getting better at stopping the losses before they get bad."

The downturn in losses, Richardson said, is due not only to this better management of security tools -- especially those that defend against long-running threats, such as viruses -- but also to a 12-month run without fast-spreading, big-dollar-amount attacks.

But while CSI's survey was generally upbeat, it also detailed some gloomier news: losses to identity and information theft are up, way up. Losses reported per respondent due to unauthorized access crimes were up a huge 580 percent in 2005 over 2004, while theft of proprietary information because of a security breach rose 211 percent.

"This is where you see the spike related to things like identity theft," said Richardson.

Most other recent surveys have noted a huge increase in those kinds of computer crimes, yet CSI's poll said the frequency of crime in the categories that fit with data theft has actually fallen off. There's a way to reconcile the two seemingly contradictory findings, said Richardson.

"Identity theft hits consumers disproportionably hard," he said. "When Acme Credit Card Authorization Transaction Co. finds out they've had an intruder who may have stolen records, that's certainly a bad thing, but while that discovery is going on, credit card transactions are still being processed. Acme's explicit loss, which is what this survey measures, may be the cost of accessing the damage, which would probably be small. What may not be small would be the loss due to customers lost because of that disclosure. But that's an implicit cost almost impossible to quantify. It's certainly not included in our survey."

Another thing that can't be gleaned from the survey, said Richardson, is a solid risk assessment of current dangers, even though that might be tempting.

"The wrong thing to take away [from the positive data here] is that the risk of attack has dropped," he said. "Security breaches, especially when widely publicized, can be disastrous, both in terms of customer relations and financial results, such as a loss of market capitalization due to bad publicity.

"What you can take away from this year's survey is that we're getting better at handling the routine security stuff, but not the much more aggressive attacks," he continued. "Why? Because we haven't seen one, not the kind that people keep predicting will sweep through the Internet before companies can react."
