Many within business and consumer groups have been focused in recent months on credit and debit card data security issues and standards and the reported breaches of merchant information systems that have made those standards topical, as well as controversial. In foodservice, the issue was punctuated recently by the theft of customer card numbers and expiration dates from the 13-unit Not Your Average Joe's chain of Dartmouth, Mass.
But findings from the Computer Security Institute's "12th Annual Computer Crime and Security Survey" of U.S. business, government and education representatives underscore that cyber crimes take many forms and impact many groups. The findings showed that while the percentage of respondents who said they suffered a security incident declined to 46 percent in the latest year, from 53 percent a year earlier, the average annual loss from cyber crime among respondents willing to share loss amounts more than doubled on a year-over-year basis, to $350,424, after declining for five years.
The 2007 survey included the responses of 494 of the approximately 5,000 computer-and-network security professionals belonging to CSI, the San Francisco-based organization said; representatives of 616 organizations responded for the 2006 survey. The estimated total dollar loss from cyber crimes against the 194 survey respondents in 2007 who shared loss information was $66.93 million; that compared to reported aggregate losses of $52.49 million by 313 respondents in 2006.
"At a period when experts throughout the industry have been discussing with concern the growing sophistication and stealth of cyber attacks, here we have a couple hundred respondents saying they lost significantly more money last year," said Robert Richardson, CSI director and author of the survey. "There's a strong suggestion in this year's results that mounting threats are beginning to materialize as mounting losses."
Among the respondents who suffered a security problem and shared financial losses, fraud overtook virus attacks as the most costly category of computer crime, survey administrators said. Virus attacks had been the leading cause of losses in each of the prior seven years.
Survey organizers said that among the key findings was that insider abuse of network access, including such things as trafficking in pornography or pirated software, was the most prevalent problem, with 59 percent of respondents citing such activities. About 52 percent of the respondents reported virus attacks.
Almost 20 percent of the respondents who acknowledged a security incident said they were victims of a "targeted attack," such as a malware assault aimed specifically at their organization or a small number of organizations, surveyors said.
CSI surveyors for years have maintained contacts with, and sought input from, agents within the Federal Bureau of Investigation who deal with computer crime, and the name of the survey in the past included a reference to FBI involvement. However, to make clear that the survey is funded and controlled by CSI, "FBI" has been dropped from the name, Richardson explained.
The CSI survey touches on a wide range of issues, including techniques for gauging the effectiveness of computer and network security, respondent attitudes about law enforcement agencies and cyber crime, and the impact on information systems security of the federal Sarbanes-Oxley Act of 2002. The survey's 30 pages of findings are available for free at CSI's website, www.gocsi.com.