Computer crimes targeted at businesses are at their lowest level ever, according to a leading expert in the field.
Computer crime, observed Robert Richardson, editorial director for the Computer Security Institute (CSI) in Philadelphia, “is as low as it’s ever been and has dropped off significantly from last year.”
Speaking yesterday at a Webcast on the annual CSI/FBI Computer Crime and Security Survey, Richardson noted that the average loss per cybercrime incident in 2005 was about US$250,000. That compares to $500,000 in 2004 and more than $3 million in 2001 — the highwater mark for the survey, which has been conducted annually since 1999.
“We’ve gotten better and better at stopping [attacks] before they cost us a lot of money,” Richardson told Webcast listeners.
SOX Socks Crime
Another reason for declining losses due to cybercrime could be increased demands on corporations to comply with rules and regulations like the Sarbanes-Oxley Act.
“The impact of Sarbanes-Oxley and other regulations will continue to grow not only in North America but on a worldwide basis,” maintained Bob Tesh, a senior manager with NetIQ, which sponsored the Webcast.
“Compliance and risk management are becoming critical, not just in a few industries that have been regulated, but across many,” he added.
Viruses Top Mischief List
According to the survey, total cybercrime losses in 2005 were $130.1 million.
More than 80 percent of those losses, the survey showed, were attributed to three forms of cybermischief: viruses, unauthorized access to computer systems and theft of proprietary information.
“Even though in many ways we’ve gotten a much better handle on how to handle your everyday virus attack, nevertheless, that’s still the topmost pain point for the respondents to this survey,” Richardson said.
While average losses declined in most crime categories, surveyors found that they jumped alarmingly in two areas. Loss per incident of unauthorized access to information rose nearly sixfold, to $300,000 per incident in 2005 from $51,000 last year. The average loss per incident attributed to theft of proprietary information more than doubled year over year, to $360,000 from $168,000.
“Sixfold and twofold are large jumps,” Richardson conceded, “but one thing to point out is that they started from a relatively small base.
“These jumps, while I think they’re significant in terms of indicating where growth in the hacker industry, so to speak, is going on, the sixfold part of that information may not be as significant,” he contended. “The more important thing to focus on is that those are the categories that are growing.”
Tesh added that one reason that those categories may have increased dramatically is that companies have had to pay more attention to those areas due to increased regulation.
Low Hanging Fruit
Although cybercrime against businesses appears to be declining, Richardson postulated that some of that decline may be attributed to information highwaymen focusing their malevolent acumen elsewhere.
“If you think about where the pain in the security industry is right now and where the heat is around the media coverage and so forth, it’s really focused right now on issues of theft of identity, phishing and pharming, essentially consumer-targeted fraud,” Richardson said.
“The victims of these crimes, primarily, are the end users that have been duped into providing account information that’s been used to steal the individual’s money from their accounts,” he observed. “Those thefts are not coming out of enterprise coffers.
“So, in a sense, the low-hanging fruit for hackers right now really may have shifted outside of the enterprise for the time being — don’t know if it will stay there — but it may have shifted out more into the consumer arena,” he reasoned.
Outsourcing a No-No
Although many companies are looking for ways to outsource almost anything, security isn’t one of them, according to the survey. Some 63 percent of respondents said that no part of their security function was outsourced.
Surveyors also discovered that insurance wasn’t a popular weapon in the corporate arsenal against cybercrime, with 75 percent of respondents eschewing underwriters.
“There’s not a large buildout of cyberinsurance at this point,” Richardson noted. “But it does seem that as a tool for managing residual risk, insurance is something that really needs to be in an information security professional’s arsenal. So I expect to see that number to be ticking up over the years.”