Security, Computer Crimes Still Bane of IT

Robert Richardson is the editorial director of the Computer Security Institute, which provides training to computer, information and network security professionals. A recent survey by CSI, along with the FBI’s Computer Intrusion Squad, focused on computer crimes and security. During an interview with ADT, Richardson examines how companies are tackling these issues.

Q: Were there any surprises in the survey? What were they and why did they happen?

A: There was certainly nothing that was so shocking that I rubbed my eyes and looked again. It was interesting to see average losses [related to cybercrimes] declined again.

The thing that I thought was maybe interesting—where’s the big action at—is crime more targeted to consumers and users: phishing, various e-mail scams, viruses and rootkit payloads. Companies see these kinds of attacks better than consumers because they can stop them at the perimeters. Losses are shifting to identity fraud, and assuming this is the case, organizations get attacked, but more attacks are going to databases to get to users. What was interesting in the survey was out of all the categories, financial losses went up sharply regarding unauthorized access to information (average loss per respondent climbed from $51,545 in 2004 to $303,234 in 2005) and theft of proprietary information (the average loss per respondent increased from $168,529 in 2004 to $355,552 in 2005).

Q: Any new issues crop up this year?

A: We started tracking last year…[the abuse of] wireless networks. It moved up a little bit in the percentage of respondents who suffer that kind of problem, but it was not unexpected.

Honestly, I think the one thing that seems to occur separately is the percentage of respondents who experience Web site incidents: they’re not identified—something happens to the Web server that security responds to. The shift was in the number of incidents; respondents had incidents, either from one to five or more than 10. Many had one to five [incidents] last year, but 95 percent say they had more than 10 this year.

Why the shift? I have a couple of theories. Web incidents are not that expensive, economically speaking, so you would expect companies to focus energy on areas where high loss was strong. You cut losses on Web site protection, but that leaves defenses open where hackers gain skills [and find holes].

Q: With public and major security breaches, ChoicePoint and LexisNexis come to mind, are companies heeding the need for security?

A: There was a significant climate change around 9/11. Combining 9/11 and Enron, security became everybody’s buzzword to justify spending something. Congress had enough of the malfeasance, and drafted legislation, the principal piece being Sarbanes-Oxley. A significant chunk of that law is auditing, keeping [corporations] honest and ensuring data is secure. Publicly traded companies must adhere to [SOX], and that coupled with HIPAA legislation…forced organizations to really meet these requirements.

The budgets we’re seeing may in fact be adequate. We ask how much IT budget goes to security, and if [companies] don’t have a budget or separate line items for IT security, that’s a bad sign.

Q: The survey mentions that total losses decreased from last year, especially the costs of fending off attacks. Why is that happening?

A: There were a bunch of different categories all in decline this year. Viruses are the most prevalent kinds of attacks, and the number of attacks and the cost have dropped. For a run-of-the-mill virus, corporations are much, much better at stopping them at the perimeter. The only time things survive is if end users and consumers are not up to date. The cost to corporations is really more if a road warrior heads on the road, they’re in a hurry and download a virus, and they have to wait to get it removed at the shop. I think the hackers are working on phishing, and it’s all about spam and phishing right now.

Q: The survey also highlighted that costs in other areas are rising, especially regarding unauthorized access. What’s changed from last year?

A: Why is it getting more expensive? That’s a good question, and I don’t have a good answer. It seems the nature of the crimes is much more focused on getting in there and stealing stuff. The profile of the hacker has really changed: before, they would write a virus…and now they work for a crime syndicate and steal credit card information.

Q: Besides taking security more seriously, what do companies need to do differently than what they’re doing now?

A: Security is a long-term commitment and companies have to work with it over time; when they do take it as a long-term thing, they’ll see the results. Most hackers’ intent is on phishing scams, chasing the money and low-hanging fruit—people tricked into giving their bank accounts. It’s easier to trick my mother than it is Citicorp; individuals are less electronically defended, and any individual is more susceptible. The theory, which I happen to think is true, is there are so many hours in a hacker’s day.

About the Author

Kathleen Ohlson is senior editor at Application Development Trends magazine.