Cost of computer crime exploding, survey says
Network specialist Russ Schadd wakes up in a cold sweat in the middle of the night worrying about how to protect his $1.5 billion printing company's proprietary information.

And well he should. According to results of the sixth-annual Computer Crime and Security Survey, released today, intellectual property theft and security breaches are on the rise while the costs of those intrusions are skyrocketing.

Conducted by the Computer Security Institute of San Francisco and the FBI, the survey of 538 security administrators from industry, government and academia shows that 85% of respondents reported security breaches in this year's survey, and 26% reported intellectual property theft, up from 20% in 2000.

But the survey also shows that the cost of that theft is exploding. While only 34 respondents could quantify the financial losses associated with intellectual property theft, that number added up to more than $151 million. The amount is up from almost $67 million in 2000 and $20 million in 1997.

In total, 186 respondents said losses from all types of security breaches cost more than $377 million. That means theft of intellectual property accounts for 40% of all losses tabulated in the survey, despite the fact that such a small number of companies could quantify it.

"I'm not worried about someone [hacking] in and destroying data because we have backups," says Schadd, who is a network specialist for Wallace Computer Services. It would be difficult to calculate how badly the company would be hurt if somebody stole that information. "It would be devastating if that information was given to a competitor," he says.

Richard Power, editorial director of the Computer Security Institute, says companies are figuring out how to protect their financial data, customers' credit information and personnel records. The problem is many companies aren't aware that they should be protecting the information that fuels their businesses - such as marketing plans, source codes and research information.

"You lock up rooms so people can't steal laptops . . . but if your [company is] based on information and information systems and that can't be secured, then you're in line to lose your cash crop," Power says.

"Industrial espionage is giving way to information age espionage. It used to be that you turned to an insider. You bribed them. You blackmailed them. But why risk someone getting caught . . . when you can just hack in and take what you need?" he asks.

The survey also points to several other aspects of computer security that are on the rise:

Forty percent of respondents reported outside system penetration. That number is up from 20% in 1997.

Thirty-eight percent detected denial-of-service attacks. That number is up from 24% in 1998 and 27% in 2000.

In last year's survey, 249 people were able (and willing) to quantify financial losses. That number totaled $265 million.

Thirty-six percent of respondents reported security breaches to law enforcement agencies. That's up from 17% in 1997 and 25% in 2000.

Industry analysts and corporate users agree that more administrators should be focused on protecting their valuable proprietary information.

"Companies that collect credit card numbers and personal information about people take on that [security] responsibility," says Tim Belcher, CTO for RipTech, a security monitoring and consulting company. "What they're not doing is protecting their own information, records, n plans [and] technologies."

For some IT administrators, getting the message through to upper management is another matter.

"I have to work on this all the time. It's never-ending," says Michael Culp, systems administrator for Worthington Industries, a $2 billion company in Columbus, Ohio, largely focused on the steel industry. "On an importance level, I don't see proprietary information as high in their minds. They don't think the information isn't valuable, but they don't feel there's enough threat to warrant any significant attention."

Once management buys into the importance of protecting information, it's another matter to put a strong security plan in place.

"Companies developing a new drug or a new widget may get how sensitive [that product information] is, but they find it hard to protect," Belcher says. "It's the core of what they're doing, so it requires access from a whole lot of people for a lot of reasons. It's difficult to enforce protection while still letting people at it."

Getting that secure feeling

With the cost of high-tech intellectual theft on the rise, security administrators should be taking extra steps to secure their information and their businesses. Richard Power, editorial director of the Computer Security Institute, offers these tips:

Beyond the firewall: Encryption, PKI, firewalls. These are solid technologies, but companies need a well-planned security structure. A company should have a security unit separate from IT that reports directly to the CIO. The security unit should have a budget of at least 3% to 5% of the total IT budget and one to two workers for every 1,000 workers.

Map it: Use mapping technology to get the big picture. Know where your network begins and ends.

Bury it: The password as an effective security control is dead. Pay the price now, and move to smart cards or some equivalent strong authentication.

Patch it: Nine out of 10 security breaches aren't the result of a brilliant hacker but are the direct result of a company's failure to install a software patch that would have closed a known gaping hole. Otherwise, you're throwing away your security budget.

Give it some teeth: Implement a program based on the Economic Espionage Act, signed in 1996. The act gives teeth to federal law enforcement and attacks corporate spies.
Contact Features Writer Sharon Gaudin
Copyright, 1994-2006 Network World, Inc. All rights reserved.