Businesses Cut Security LossesBusinesses Cut Security Losses

Thanks to better security practices, businesses are losing less money. Some 251 organizations lost nearly $202 million last year due to security incidents. That's a lot of money, but its down 56% from the $456 million lost in 2001. Those are the key findings of the eighth annual CSI/FBI Computer Crime and Security Survey released Thursday by the Computer Security Institute and the Federal Bureau of Investigation.

The number of significant security incidents last year was about the same as the year before, says Robert Richardson, editorial director for the institute. The reduction in losses probably came about because businesses are paying more attention to security in the wake of the terrorist attacks of Sept. 11 and security professionals are getting better at spotting and stopping attacks, he says. Plus, stiffer legal penalties against hackers may be scaring would-be hackers into pursuing other things. "If I were a young kid with an interest in hacking, I wouldn't be hacking into the Rand Corporation right now," says Richardson.

But the drop in losses attributed to security problems could be more related to companies "re-examining their real intellectual-property risk and reflecting more realistic losses in those areas" than a reduction in security threats, says Eric Ogren, senior analyst at the Yankee Group.

The survey puts the losses into a dozen categories. Total losses attributed to theft of proprietary information fell from around $171 million in 2001 to $70 million in 2002. Financial fraud dropped from $116 million in 2001 to $10 million in 2002. In fact, most loss categories were down this year, including sabotage of data on networks, telecommunications eavesdropping, outsiders breaking into systems, insider Net access abuse, virus attacks, unauthorized insider access, telecom fraud, and laptop theft.

The only categories to show an increase in losses were active wiretapping and denial-of-service attacks. The cost of denial-of-service attacks surged from $18 million in 2001 to around $66 million in 2002.

The growth of E-commerce and the increasing interconnectedness between businesses could help explain the increase in losses to denial-of-service attacks, Ogren says. "More companies are opening up their networks to a supply chain," he says. "So when a denial of service attack hits, such as those caused by SQL Slammer, the impact can delay the ordering of parts and slow down the supply chain. It certainly shows networks being much more critical year over year."

Some 78% of the companies surveyed said the Internet is the most frequent point of attack; that percentage has steadily increased from 57% in 1999. At the same time, internal system attacks have been trending downward. About 51% of those surveyed cited internal systems as the point of attack in 1999, while only 30% of respondents said the same in 2002.

The survey shows respondents have increased their reliance on every form of security hardware and software. The use of encryption leapt from 58% to 69%; firewall usage is up from 89% to 98%; intrusion-detection systems are up from 60% to 73%; and anti-virus software is nearly universal at 99% usage compared with 90% a year earlier.

Experts agree that increased use of anti-virus software, intrusion-detection systems, digital IDs, firewalls, and encryption are helping companies better defend themselves and mitigating the damage of successful attacks. Says Ogren, "There's definitely more security intelligence available today than just a couple of years ago."