Businesses Respond to Cybercrime and Security Trends
NOVEMBER 2005 - A recent
survey report by the Computer Research Institute, with the participation
of the San Francisco Federal Bureau of Investigation’s (FBI) Computer
Intrusion Squad, analyzed important computer security trends. Key findings
include the following:
- The Sarbanes-Oxley
Act (SOA) has begun to affect information security in more industry
sectors. The 2004 survey introduced a question to determine how SOA
affects information security activities. Out of 14 sector categories,
respondents in eight (utility, high-tech, manufacturing, medical, telecommunications,
educational, financial, and other) believe SOA affects their organization’s
information security. In contrast, last year’s survey showed an
impact in only five sector categories. The survey report recognizes
that, due to the phased-in nature of Sarbanes-Oxley, a greater impact
on information security may be seen in future years.
- Computer virus
attacks continue as the source of the greatest financial losses. Unauthorized
access, however, showed a dramatic cost increase and replaced denial
of service as the second-most significant contributor to computer crime
losses during the past year.
- Financial losses
resulting from cybercrime are decreasing. Two areas, however—unauthorized
access to information and theft of proprietary information—showed
significant increases in average loss per respondent.
- Website defacement
and similar incidents have increased dramatically, but are still insignificant
compared to virus attacks and unauthorized use of systems.
- State governments
currently have the largest information-security investment per employee
of all industry/government segments.
- Despite a perception
of increasing outsourcing, survey results indicate very little outsourcing
of information security activities. Among organizations that do outsource
computer security activities, the percentage of activities outsourced
is low.
- Despite many
articles on the emerging role of cybersecurity insurance, its use remains
low.
- The percentage
of organizations reporting computer intrusions to law enforcement has
continued to decline over the past several years. The key reason cited
for not reporting intrusions to law enforcement is concern about negative
publicity.
- A significant
number of organizations conduct some form of economic evaluation of
their security expenditures, with 38% using return on investment (ROI),
19% using internal rate of return (IRR), and 18% using net present value
(NPV).
- More than 87%
of the responding organizations conduct security audits, up from 82%
last year.
- The vast majority
of respondents view security awareness training as important. On average,
however, respondents do not believe their organization invests enough
in it.
At an October presentation
of the survey findings, Bruce Helman, head of the FBI cybercrimes squad,
noted that large e-commerce websites are the most vulnerable to cybercrime,
including extortion. To report all types of cybercrime, Helman recommended
the Internet Crime Complaint Center (www.ic3.gov;
212-384-1000).
A complete report
on the survey, the tenth annual study conducted by the Computer Research
Institute with the participation of the San Francisco FBI’s Computer
Intrusion Squad, is available at the CSI website, www.gocsi.com.