Network specialist Russ Schadd wakes up in a cold sweat in the
middle of the night worrying about how to protect his $1.5 billion
printing company's proprietary information.
And well he should.
According to results of the sixth-annual Computer Crime and
Security Survey, released today, intellectual property theft and
security breaches are on the rise while the costs of those
intrusions are skyrocketing.
Conducted by the Computer
Security Institute of San Francisco and the FBI, the survey of
538 security administrators from industry, government and academia
shows that 85% of respondents reported security breaches in this
year's survey, and 26% reported intellectual property theft, up from
20% in 2000.
But the survey also shows that the cost of that theft is
exploding. While only 34 respondents could quantify the financial
losses associated with intellectual property theft, that number
added up to more than $151 million. The amount is up from almost $67
million in 2000 and $20 million in 1997. In total, 186 respondents
said losses from all types of security breaches cost more than $377
million. That means theft of intellectual property accounts for 40%
of all losses tabulated in the survey, despite the fact that such a
small number of companies could quantify it.
"I'm not worried about someone [hacking] in and destroying data
because we have backups," says Schadd, who is a network specialist
for Wallace Computer Services. It would be difficult to calculate
how badly the company would be hurt if somebody stole that
information. "It would be devastating if that information was given
to a competitor," he says.
Richard Power, editorial director of the Computer Security
Institute, says companies are figuring out how to protect their
financial data, customers' credit information and personnel records.
The problem is many companies aren't aware that they should be
protecting the information that fuels their businesses - such as
marketing plans, source codes and research information.
"You lock up rooms so people can't steal laptops . . . but if
your [company is] based on information and information systems and
that can't be secured, then you're in line to lose your cash crop,"
Power says.
"Industrial espionage is giving way to information age espionage.
It used to be that you turned to an insider. You bribed them. You
blackmailed them. But why risk someone getting caught . . . when you
can just hack in and take what you need?" he asks.
The survey also points to several other aspects of computer
security that are on the rise:
- Forty percent of respondents reported outside system
  penetration. That number is up from 20% in 1997.
- Thirty-eight percent detected denial-of-service attacks. That
  number is up from 24% in 1998 and 27% in 2000.
- In last year's survey, 249 people were able (and willing) to
  quantify financial losses. That number totaled $265 million.
- Thirty-six percent of respondents reported security breaches to
  law enforcement agencies. That's up from 17% in 1997 and 25% in
  2000.
Industry analysts and corporate users agree that more
administrators should be focused on protecting their valuable
proprietary information.
"Companies that collect credit card numbers and personal
information about people take on that [security] responsibility,"
says Tim Belcher, CTO for RipTech, a security monitoring and
consulting company. "What they're not doing is protecting their own
information, records, plans [and] technologies."
For some IT administrators, getting the message through to upper
management is another matter.
"I have to work on this all the time. It's never-ending," says
Michael Culp, systems administrator for Worthington Industries, a $2
billion company in Columbus, Ohio, largely focused on the steel
industry. "On an importance level, I don't see proprietary
information as high in their minds. They don't think the information
isn't valuable, but they don't feel there's enough threat to warrant
any significant attention."
Once management buys into the importance of protecting
information, it's another matter to put a strong security plan in
place.
"Companies developing a new drug or a new widget may get how
sensitive [that product information] is, but they find it hard to
protect," Belcher says. "It's the core of what they're doing, so it
requires access from a whole lot of people for a lot of reasons.
It's difficult to enforce protection while still letting people at
it."
Getting that secure feeling
With the cost of high-tech intellectual theft on the rise,
security administrators should be taking extra steps to secure their
information and their businesses. Richard Power, editorial director
of the Computer Security Institute, offers these tips:
- Beyond the firewall: Encryption, PKI, firewalls. These are
  solid technologies, but companies need a well-planned security
  structure. A company should have a security unit separate from IT
  that reports directly to the CIO. The security unit should have a
  budget of at least 3% to 5% of the total IT budget and one to two
  workers for every 1,000 workers.
- Map it: Use mapping technology to get the big picture.
  Know where your network begins and ends.
- Bury it: The password as an effective security control is
  dead. Pay the price now, and move to smart cards or some equivalent
  strong authentication.
- Patch it: Nine out of 10 security breaches aren't the
  result of a brilliant hacker but are the direct result of a
  company's failure to install a software patch that would have closed
  a known gaping hole. Otherwise, you're throwing away your security
  budget.
- Give it some teeth: Implement a program based on the
  Economic Espionage Act, signed in 1996. The act gives teeth to
  federal law enforcement and attacks corporate spies.