Cybercrime: The story behind the stats

An inside look at the real problem, who’s behind it, the legal machine fighting back and what you can do.

The outlook on cybercrime is good.

Cyberattacks are down, companies are losing less money, network executives are more confident than ever about the safeguards they have in place, and companies are ramping up auditing to stay ahead.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

The outlook on cybercrime is good.

Cyberattacks are down, companies are losing less money, network executives are more confident than ever about the safeguards they have in place, and companies are ramping up auditing to stay ahead.

Those are some of the conclusions reached in a Network World survey and in the annual survey by the Computer Security Institute (CSI) and the FBI's Computer Intrusion Squad.

But not all of the news is reassuring. Confidence in network security is indeed higher than it was three years ago, but still not what you would call high. And more and more crime goes unreported.

However, it is hard to misinterpret the basic message of the latest CSI/FBI findings - the number of successful attacks on computer systems has been in decline since 2000, with only 53% of respondents to the eighth annual CSI/FBI survey saying they experienced unauthorized use of computer systems. This is compared with 70% in 2000.

Another encouraging sign: The percentage of companies that experienced only one to five computer security incidents in the previous year grew from 33% in 2000 to 47% in this survey.

Perhaps most importantly, the CSI/FBI study shows total losses falling 30% from $202 million last year to $142 million in the 2004 study.

Network World's own research roughly validates that finding. The 263 companies surveyed in September estimated they had a collective annual loss of $178 million. The larger the company, the greater the losses. The 118 companies with less than 500 employees together lost $16 million, while the 145 companies with 500 or more employees lost $162 million.

Both the Network World and the CSI/FBI studies show that the greatest financial losses stem from everyday threats such as viruses and worms.

While companies feel better today about their ability to fend off everyday threats (see graphic), the percentage of Network World respondents who said they were confident or very confident in their security measures still only ranked in the 65% range. The inverse: Some 35% still feel vulnerable.

Even more - 45% or so - still feel vulnerable to the different forms of targeted threats, such as theft of company data or customer information.

What you don't see

Self-doubt can be a good thing when it comes to security, especially with crime getting more nefarious.

Cybercrime is difficult to comprehend because often there is no tangible theft, says Mark Lobel, director of security and privacy services with PricewaterhouseCoopers. Computers still are chugging away in the server room, yet criminals might have copied or altered data and used that information to commit identity theft, divulge trade secrets or expose proprietary code.

Another disturbing trend: "Not stealing data but modifying its integrity," says John Pironti, a security consultant with Unisys. "If I can disrupt a database, I might be able to cause more hysteria than if it was just stolen. If it's stolen you know it, but if I start changing, say, prescription data so it's not consistent, you don't know what is right."

"The goal of young, inexperienced people performing cybercrime is to gain notoriety," Lobel says. "The goal of a professional is to gain access to information, or remove or alter information in a completely undetectable manner."

Even though losses from computer crime seem to be declining, the security community is fearful that the financial opportunities have expanded and are now so great that even organized crime is paying attention. Some say this year's rash of phishing schemes, in which e-mail users receive messages that appear to come from a bank or retailer asking them to divulge personal or financial information, have been orchestrated largely by organized crime groups in Russian and Eastern Europe.

"We're seeing it from all over the world. There is no doubt that the level of sophistication and the level of knowledge is growing," says Shelagh Sayers, a special agent in the FBI's San Francisco bureau. "That's quite a challenge to keep up with. If you look at the history of the Internet, it hasn't been around that long. I just can't imagine that [attacks are] going to do anything but increase."