Cybercrime: The story behind the stats

An inside look at the real problem, who’s behind it, the legal machine fighting back and what you can do.

The outlook on cybercrime is good.

Cyberattacks are down, companies are losing less money, network executives are more confident than ever about the safeguards they have in place, and companies are ramping up auditing to stay ahead.


Those are some of the conclusions reached in a Network World survey and in the annual survey by the Computer Security Institute (CSI) and the FBI's Computer Intrusion Squad.

But not all of the news is reassuring. Confidence in network security is indeed higher than it was three years ago, but still not what you would call high. And more and more crime goes unreported.

However, it is hard to misinterpret the basic message of the latest CSI/FBI findings - the number of successful attacks on computer systems has been in decline since 2000, with only 53% of respondents to the eighth annual CSI/FBI survey saying they experienced unauthorized use of computer systems. This is compared with 70% in 2000.

Another encouraging sign: The percentage of companies that experienced only one to five computer security incidents in the previous year grew from 33% in 2000 to 47% in this survey.

Perhaps most importantly, the CSI/FBI study shows total losses falling 30% from $202 million last year to $142 million in the 2004 study.

Network World's own research roughly validates that finding. The 263 companies surveyed in September estimated they had a collective annual loss of $178 million. The larger the company, the greater the losses. The 118 companies with less than 500 employees together lost $16 million, while the 145 companies with 500 or more employees lost $162 million.

Both the Network World and the CSI/FBI studies show that the greatest financial losses stem from everyday threats such as viruses and worms.

While companies feel better today about their ability to fend off everyday threats (see graphic), the percentage of Network World respondents who said they were confident or very confident in their security measures still only ranked in the 65% range. The inverse: Some 35% still feel vulnerable.


Even more - 45% or so - still feel vulnerable to the different forms of targeted threats, such as theft of company data or customer information.

What you don't see

Self-doubt can be a good thing when it comes to security, especially with crime getting more nefarious.

Cybercrime is difficult to comprehend because often there is no tangible theft, says Mark Lobel, director of security and privacy services with PricewaterhouseCoopers. Computers still are chugging away in the server room, yet criminals might have copied or altered data and used that information to commit identity theft, divulge trade secrets or expose proprietary code.

Another disturbing trend: "Not stealing data but modifying its integrity," says John Pironti, a security consultant with Unisys. "If I can disrupt a database, I might be able to cause more hysteria than if it was just stolen. If it's stolen you know it, but if I start changing, say, prescription data so it's not consistent, you don't know what is right."

"The goal of young, inexperienced people performing cybercrime is to gain notoriety," Lobel says. "The goal of a professional is to gain access to information, or remove or alter information in a completely undetectable manner."

Even though losses from computer crime seem to be declining, the security community is fearful that the financial opportunities have expanded and are now so great that even organized crime is paying attention. Some say this year's rash of phishing schemes, in which e-mail users receive messages that appear to come from a bank or retailer asking them to divulge personal or financial information, has been orchestrated largely by organized crime groups in Russia and Eastern Europe.

"We're seeing it from all over the world. There is no doubt that the level of sophistication and the level of knowledge is growing," says Shelagh Sayers, a special agent in the FBI's San Francisco bureau. "That's quite a challenge to keep up with. If you look at the history of the Internet, it hasn't been around that long. I just can't imagine that [attacks are] going to do anything but increase."

The real story?

The success of targeted crime might be a contributing factor in why more companies refuse to report computer crime.

Only 20% of the companies in the latest CSI/FBI study reported security breaches to law enforcement officials, down from 36% in 2001.

Reasons for not reporting cybercrime range from office politics and fear of depressing stock prices to management's fear of admitting mistakes and a lack of resources.

"We thwart thousands of attacks every day," says one respondent in the Network World survey. "We don't have the resources to report them. Our job is to keep the network running, not litigate infractions of the law."

Companies that report attacks are "the very, very, very tip of the iceberg," Sayers says. "There are entire sectors of the economy that are not reporting, and I'm quite sure they are targets."

The FBI says the reluctance to report crimes makes it difficult to enforce the laws, much less prosecute perpetrators. "Laws only work when they're enforced, and the only way we can enforce laws is when we have the information we can act on," Sayers says. "If a company is victimized and they don't report it, we don't get to track down that intruder or that person who did damage to their system."

But the Network World survey shows that most companies want to report crime but lack knowledge of where and how to do so, and don't have faith in the adequacy of the laws (see related story).

More than 75% of the respondents say they are likely or very likely to report computer crimes, but when given the option to comment on the statement, "I am familiar with the legal resources at my disposal for computer/network crime," only 34% said they agreed or agreed strongly. And when asked if the legal system is adequately structured to ease the reporting of computer/network crime, only 10% agreed or agreed strongly. This points to a larger, longer-term issue the industry will have to resolve with the legal establishment.

After all, the fact that a large amount of crime goes unreported could be skewing study results like those from the CSI/FBI that suggest crime is on the wane.

Add that to the fact that some companies don't even know that they have been victimized and the picture looks even less pretty. "We cannot accurately quantify [cybercrime] because if the crime has been successful, often no one knows about it," Lobel says.

Fighting back

Knowledge is key to fighting computer crime, and one of the key tools in knowing how vulnerable you are to attack is the security audit.

The good news revealed by the Network World survey is that companies are doing more audits than they were three years ago (see graphic), but that is tempered by the fact that companies still aren't doing many. Sixty percent of the respondents are doing two or fewer security audits per year, with the bulk doing only one.


While 44% of the respondents said they would conduct more audits in the next 12 months compared with what they do today, another 42% said they are content with their current practice.

The CSI/FBI survey went into greater detail about what technologies companies are using to fight back. Firewalls and anti-virus tools are almost universally adopted, while 71% of the respondents said they have server-based access control lists, 68% said they use intrusion-detection systems, 45% use intrusion-prevention systems, 35% use smart cards or other one-time password tokens, 30% use public-key infrastructure, and only 11% use biometrics.

While all this purchasing adds up, experts say companies still aren't spending enough on security. The CSI/FBI survey found that 24% of respondents spent only 1% to 2% of their IT budget on security, and 16% allot less than 1%.

"I suspect that we don't spend quite enough as a percentage of IT budgets" on security products, says CSI Editorial Director Robert Richardson. "About half of the respondents say they're getting somewhere between 1% and 5% of the IT budget."

Making the case to spend millions of dollars on products that might protect an organization from a potential attack can be a hard sell, says one CIO. But it helps to cite the alternative - paying the price of suffering an attack.

"When I went to [company executives] for funding for intrusion-protection software, it was really based on it being an insurance policy against events we're sure are going to happen," says Barry Libenson, CIO of Ingersoll Rand, a diversified manufacturing firm with roughly 30,000 users. Libenson estimates the software will cost his organization $2.5 million in 2005, but that figure pales in comparison to what can happen if the company is attacked. "A system outage for us costs millions of dollars an hour."

Share info

In addition to putting technology in place to thwart cybercrime, experts say companies can help themselves by helping each other. No company wants to expose itself to the criticism or loss of competitive edge that can result from making an attack public, but sharing information can help prevent attacks.

In the financial industry, perhaps the biggest target for cybercrime, finding a way to confidentially share information about security breaches and how to prevent them could go a long way in helping these companies protect themselves, says Sophie Louvel, a research analyst with Financial Insights, a division of IDC. She cites banks in the 1990s that began sharing information about fraudulent checking accounts. "That was tremendously helpful," she says.

While any such communication would need to remain confidential, even casual conversations among professionals would be preferable to the tight-lipped culture of today. "There needs to be a better way," Louvel says.

No one in the security community, it would seem, is ready to ease up, regardless of what the studies show about crime trends.


Copyright © 2004 IDG Communications, Inc.
