May 29, 2002—The threat from computer crime and other information security breaches continues unabated, and the financial toll is mounting, according to the Computer Security Institute’s (CSI) seventh annual “Computer Crime and Security Survey.” As reported in previous years, the most serious financial losses occurred through theft of proprietary information and financial fraud. The 223 respondents who quantified their financial losses placed those losses at $455,848,000.
Highlights of the “2002 Computer Crime and Security Survey” include:
- Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months.
- Eighty percent acknowledged financial losses due to computer breaches.
- Forty-four percent (223 respondents) were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.
- As in previous years, the most serious financial losses occurred through theft of proprietary information (26 respondents reported $170,827,000) and financial fraud (25 respondents reported $115,753,000).
- For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).
- Thirty-four percent reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)
Respondents detected a wide range of attacks and abuses, such as:
- 40% detected system penetration from the outside.
- 40% detected denial-of-service attacks.
- 78% detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems).
- 85% detected computer viruses.
For the fourth year, CSI asked some questions about electronic commerce over the Internet. Here are some of the results:
- 98% of respondents have WWW sites.
- 52% conduct electronic commerce on their sites.
- 38% suffered unauthorized access or misuse on their Web sites within the last twelve months.
- 21% said that they didn’t know if there had been unauthorized access or misuse.
- 25% of those acknowledging attacks reported from two to five incidents. Thirty-nine percent reported ten or more incidents.
- 70% of those attacked reported vandalism (only 64% in 2000).
- 55% reported denial of service (only 60% in 2000).
- 12% reported theft of transaction information.
- 6% reported financial fraud (only 3% in 2000).
Conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad, the survey is based on responses from 503 computer security practitioners in US corporations, government agencies, financial institutions, medical institutions, and universities. CSI concludes that there is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders, and business partners or report to law enforcement. For a free copy of “2002 Computer Crime and Security Survey,” complete with graphs, charts and analysis, contact the Computer Security Institute.