Nearly nine out of 10 businesses and other organizations faced some type of computer security incident, a fifth of them were attacked 20 times or more and some US$67 billion was lost as a result of the incursions, according to the 2005 FBI Computer Crime survey.
The report, released Thursday by the FBI, was billed as the law enforcement agency’s largest survey to date on computer crime and its implications, with some 2,000 public and private organizations interviewed. The survey is meant to be a supplement to the annual CSI/FBI Computer Crime and Security Survey run by the Computer Security Institute and the FBI, which compiles big-picture data on computer crime.
“We surveyed about three times as many organizations and focused more on new technologies, where attacks originated, and how organizations responded,” said FBI special agent Bruce Verduyn, who oversaw the information gathering from the agency’s Houston office.
The most common types of attacks were viruses, reported by 84 percent of those surveyed, and spyware, which 80 percent said they had to contend with. Viruses and worms were seen as the most expensive types of attacks.
The average attack cost around $24,000, with much of the expense tied to repairing infected machines and networks and lost work time. The FBI said the total cost to the companies surveyed was $32 million and that, using conservative assumptions, it extrapolated a total annual cost of $67.2 billion for all U.S. organizations.
The FBI said the attacks it tracked came from 36 different countries, with the U.S. topping the list of countries of origin at 26 percent, followed closely by China, with about 24 percent.
The FBI said attacks were a catalyst for change for many, with businesses moving to put in place new security measures or to update existing ones after realizing they had been breached. Cutting-edge measures such as biometrics or smart cards were still being used by a small fraction of those surveyed, however, with less than 5 percent using biometrics and less than 10 percent using smart cards.
Most businesses did not bother reporting intrusions to law enforcement, with just 9 percent involving authorities. The FBI said respondents believed many of the incidents did not rise to the level of criminal activity or that reporting them would not lead to a positive outcome. Of those who did involve law enforcement, 91 percent said they were satisfied with the response they received.
Another reason for under-reporting may be that enterprises don’t always know when they’ve been breached, Sanjay Uppal, vice president of network access control firm Caymas Systems, told the E-Commerce Times.
“Most firms lack the tools to differentiate between an intruder and an authorized user once the network has been accessed,” Uppal said. “Once a malicious user has gained access, firms often do not realize and therefore do not report the severity of the attack.”
Another Wake-Up Call
More than 40 percent of attacks came from inside an organization, a reminder of the difficulty of preventing that type of threat.
“Companies may be unaware of the internal potential for computer security incidents,” said Verduyn.
In addition to the FBI data, there is abundant additional evidence that the exposure to and the risk of such attacks continue to grow. A soon-to-be-released survey by network security firm Top Layer Networks found that 87 percent of the companies it surveyed nationally were “entirely” or “highly” reliant on their connections to the Internet to run their businesses.
However, nearly a quarter of those Top Layer surveyed said they did not have formal IT security policies in place, policies that are meant to address both outside and in-house attacks.