Security incidents rise in 2001

The number and cost of computer security incidents in the US continued to rise last year according to the Federal Bureau of Investigation.

The cost of computer security incidents in 2001 rose to $456m (£318m), while only 34% of victims of cybercrime reported it to law enforcement, according to the seventh annual Computer Crime and Security Survey conducted by the Computer Security Institute and the FBI.

Worryingly, in 2001 only 77% of respondents reported patching security holes after a breach, down from 94% in 2000.

The survey, which will give UK security professionals pause for thought, was based on the answers of more than 500 respondents in corporations, government agencies, financial institutions, medical firms and colleges.

The results showed a continued upward trend in the total number and cost of computer security incidents, and challenged some of the commonsense notions within the IT security world, including the view that most security breaches are performed by insiders.

"There is much more illegal and unauthorised activity going on in cyberspace than corporations admit to their clients, stockholders and business partners, or report to law enforcement," said Patrice Rapalus, director of the Computer Security Institute, in the report.

Illegal and unauthorised activity was experienced by 90% of respondents during 2001, with 80% of those affected reporting financial losses as a result, the survey found. Some 25% of respondents said they had experienced between two and five security breaches in 2001, while 39% reported more than 10 such incidents.

Total annual losses from security events continued their sharp upswing at $456m (£318m) in 2001, up from $378m in 2000 and sharply up from $100m in 1996.

The most serious losses came as a result of the theft of proprietary information or financial fraud, the respondents said. Some 20% of those surveyed said they lost money when proprietary information was stolen in 2001. That number was down from 25% in 2000, but the cost was up in 2001, at $171m (£119m).

The average loss from such an incident was also up significantly since the first survey was conducted, with an average loss in 2001 of $6.6m, up from $954,666 in 1996.

Financial fraud cost organisations around $116m (£81m) in 2001, the survey found. Average losses were $4.6m (£3.2m) in 2001, up from $957,384 in 1996, according to respondents.

Despite the perception that insider attacks are far more common than those from the outside, 74% of respondents said that their external Internet connection was a point of attack, as opposed to 33% who said that their internal networks were attacked.

Around 60% of attacks against Web sites originated externally, with only 2% originating internally, the survey found. Some 32% of attacks employed some combination of insiders and outsiders, according to respondents.

Organisations should pay attention to these trends and be more aware of external threats, according to the report.

"Although cases documenting the hacking of trade secrets from the outside without insider knowledge are rarely made public, you would be very foolish indeed to think your organisation's proprietary information was not at risk of attacks by professional hackers," the report concluded.

These attacks all came despite the presence of standard security countermeasures, the study found. Some 89% of respondents employed firewalls in 2001, 90% had antivirus software and 60% used intrusion-detection systems.

Despite the weight of attacks, only 34% of organisations reported security breaches to law enforcement agencies. Of those that did not report, 70% cited negative publicity as a reason for their silence.
