Computer breaches: losses up, reporting down. (Tech Talk).

The results of a computer crime survey conducted jointly by the Computer Security Institute and the FBI show that both the frequency of computer attacks and the losses arising from those security breaches are increasing. Of the 503 respondents, 90 percent reported a computer security breach, and quantifiable losses almost quintupled from their level in 1997; they now total more than $455 million. More than half of those losses stemmed from the theft of proprietary information and financial fraud. The respondents, who were information security managers from a wide range of industries and from the government, also claimed losses of more than $50 million from "insider abuse of Net access," almost $50 million lost from viruses, and more than $11 million lost in laptop thefts. Even more alarming, according to some experts, is that only 34 percent of the companies that suffered a breach reported it to law enforcement--down from 36 percent the previous year. This lack of reporting hamstrings law enforcement efforts to track down and prosecute wrongdoers, says Alan Brill, senior managing director of Kroll Worldwide. "The theory is that the only way to know [that] an attack is being planned...is by seeing unusual patterns, and those patterns won't be seen by government unless [incidents] get reported," says Brill. The reasons companies fail to report incidents are varied.
Dorsey Morrow, CISSP, general counsel for the International Information Systems Security Certification Consortium, or (ISC)², says that intrusions go unreported due to fears of damaging the company's reputation, concerns about exposing the company to lawsuits, and a reluctance to tie up personnel or equipment during an extended investigation. The survey showed that IT managers are reluctant to reveal breaches even within their own companies. Only 19 percent reported intrusions to the company's general counsel, making it impossible to prosecute offenders through civil complaints, says Brill. Marc Goodman, senior managing director of digital security and investigations at Decision Strategies, says that infosec professionals don't always recognize the need to reveal attacks to the company's lawyers. "Many system administrators and IT personnel don't know that what has occurred is indeed a criminal event," he says. Morrow believes that the increase in breaches indicates that information security is not yet considered a vital corporate issue by senior managers.
As a result, he says, "they don't push down the policies and procedures that need to be put into place." Protection policies, such as encrypting data on laptops taken outside the corporation and regularly updating antivirus signatures, don't get much notice outside the IT department, notes Morrow. "Senior management has to take a bigger role in leading the way for the rest of the corporation," he says. Experts are quick to point out that the survey's results are merely broad indicators of the impact of computer breaches. CSI's editorial director, Richard Power
Brill says, however, that he finds the survey interesting because it does tend to accurately show trends. Find out more on the survey by visiting www.securitymanagement.com.