2004 E-Crime Watch Survey Shows Significant Increase in Electronic Crimes


SEI Press Release

                       
Contact: Kelly Kimberland, SEI Public Relations
412-268-8467

2003 E-Crime Losses Estimated At $666 Million
 
May 25, 2004

FRAMINGHAM, MA—The 2004 E-Crime Watch survey, conducted among security and law enforcement executives by CSO magazine in cooperation with the United States Secret Service and the Carnegie Mellon University Software Engineering Institute’s CERT® Coordination Center, shows a significant number of organizations reporting an increase in electronic crimes (e-crimes) and network, system or data intrusions. Forty-three percent (43%) of respondents report an increase in e-crimes and intrusions versus the previous year and 70% report at least one e-crime or intrusion was committed against their organization. Respondents say that e-crime cost their organizations approximately $666 million in 2003. However, 30% of respondents report their organization experienced no e-crime or intrusions in the same period.

E-Crimes Impact
When asked what types of losses their organizations experienced last year, over half of respondents (56%) report operational losses, 25% state financial loss and 12% declare other types of losses. The average number of individual e-crimes and intrusions is 136. However, a third (30%) of respondents did not experience e-crime or intrusions, while a quarter (25%) experienced fewer than ten. Interestingly, 32% of respondents do not track losses due to e-crime or intrusions. Of those who do track, half say they do not know the total amount of loss. Forty-one percent (41%) of respondents indicate they do not have a formal plan for reporting and responding to e-crimes, demonstrating room for improvement. Slightly more than half (51%) state their organization has a formal process in place to track e-crime attempts. Additionally, respondents indicate a higher degree of familiarity with local and national e-crime laws (39% and 33% respectively), but know little about applicable international laws (8%).

“The increase in e-crime over the past year again demonstrates the need for corporate, government and non-governmental organizations to develop coordinated efforts between their IT and security departments to maximize defense and minimize e-crime impact,” says Bob Bragdon, Publisher of CSO magazine. “There is a lot of security spending going on, but not much planning. It’s essential for chief security officers and information technology pros to find the most manageable, responsive and cost effective way to stop e-crime from occurring,” Bragdon added.

Who are the Criminals?
Nearly a third (30%) of respondents in organizations experiencing e-crimes or intrusions in 2003 do not know whether insiders or outsiders were the cause. Respondents who do know report that an average of 71% of attacks come from outsiders compared to 29% from insiders. Regarding the source of the greatest cyber security threat, hackers were most frequently cited (40%) followed closely by current or former employees or contractors (31%). When it comes to identifying specific types of e-crimes committed against organizations, the survey shows 36% of respondents’ organizations experienced unauthorized access to information, systems or networks by an insider compared to 27% committed by outsiders. Both sabotage and extortion are committed equally by insiders and outsiders for organizations responding to the survey.

Monitoring & Reporting
Eighty percent (80%) of respondents report they monitor their computer systems or networks for misuse and abuse by employees or contractors. Ninety-five percent (95%) of respondents say they use some type of employee monitoring (e.g., internet, email, files) to deter e-crime. Thirty-six percent (36%) report using employee monitoring to terminate an employee or contractor for illegal activities. Seventy-two percent (72%) of respondents require internal reporting of misuse or abuse of computer access by employees or contractors. However, just under half (49%) of respondents say intrusions are handled with the help of law enforcement or by taking other legal action.

“Many companies still seem unwilling to report e-crime for fear of damaging their reputation,” says Larry Johnson, Special Agent in Charge, Criminal Investigative Division, United States Secret Service. “However, as we see with this survey, ignoring the problem or dealing with it quietly is not working. The question is not why can’t we stop these criminal acts from happening, but rather, why are we allowing them to take place? The technology and resources are there to effectively fight this. We just need to work smarter to do it.”

Best Practices
The most common technologies deployed to combat e-crime are firewalls, used by 98% of respondents, followed by physical security systems (94%) and manual patch management (91%). In ranking the effectiveness of various technologies, firewalls are considered the most effective (71%), followed by encryption of critical data in transit (63%) and encryption of critical data in storage (56%). Manual patch management, the third most common technology in use, also holds the dubious distinction of being rated as the single least effective technology (23%). Among policies and procedures, conducting regular security audits is listed as the most effective method (51%), and recording or reviewing employee phone conversations is listed as one of the least effective (26%).

“The ineffectiveness of manual patching demonstrates the difficulty corporate and individual users have in keeping abreast of the large number of vulnerabilities discovered every month,” says Richard Pethia, Director of the Software Engineering Institute’s (SEI) Networked Systems Survivability Program. “In the long-term, we all need to work towards higher quality software, with fewer defects in order to keep our risks at a manageable level.”

About the 2004 E-Crime Watch Survey
The 2004 E-Crime Watch survey was conducted by CSO magazine in cooperation with the United States Secret Service and the CERT Coordination Center. The research was conducted to unearth e-crime fighting trends and techniques, including best practices and emergent trends.

For the purpose of this survey, an electronic crime is defined as: Any criminal violation in which electronic media is used in the commission of that crime. An insider is defined as: a current or former employee or contractor. An outsider is defined as: non-employee or non-contractor. The online survey of CSO magazine subscribers and members of the U.S. Secret Service’s Electronic Crimes Task Force was conducted from April 15 to April 26, 2004. Results are based on 500 completed surveys. At a 95% confidence level, the margin of error is +/- 4.4%.

In addition to the 2004 E-Crime Watch survey team, the following security practitioners served as advisors to the project:

                                                                       
Michael Assante, Vice President and Chief Security Officer, American Electric Power
Bill Boni, Vice President and Chief Information Security Officer, Motorola
Don Masters, Assistant Special Agent in Charge, Los Angeles Field Office, United States Secret Service
Bob Rose, Senior Managing Director, Bear Stearns
Dennis Treece, Director of Corporate Security, Massachusetts Port Authority
James Wellington, Director of Federal Systems, Questerra

About CSO Magazine
CSO magazine is published by CXO Media Inc. In addition to CSO, CXO Media publishes CIO magazine (launched in 1987), www.cio.com, The CIO Insider, CSOonline.com and darwinmag.com. CXO Media serves CIOs, CSOs, CEOs, CFOs, COOs and other corporate officers who use technology to thrive and prosper in this new era of business. The company strives to enhance partnerships among C-level executives, as well as create opportunities for information technology (IT) and consumer marketers to reach them. In addition to magazines and websites, CXO Media produces Executive Programs, a series of conferences that provide educational and networking opportunities for corporate and government leaders. CXO Media Inc. is a subsidiary of International Data Group (IDG), the world's leading technology media, research and event company. A privately held company, IDG publishes more than 300 magazines and newspapers including Bio-IT World, CIO, CSO, Computerworld, GamePro, InfoWorld, Network World and PC World. The company features the largest network of technology-specific Web sites with more than 400 around the world. IDG is also a leading producer of more than 170 computer-related events worldwide including LinuxWorld Conference & Expo®, Macworld Conference & Expo®, COMNET® Conference & Expo, DEMO, and IDC Directions. IDC provides global market research and advice through offices in 50 countries. Company information is available at www.idg.com.

About CERT
The CERT® Coordination Center (CERT/CC) is located at Carnegie Mellon University's Software Engineering Institute in Pittsburgh, Pennsylvania, U.S.A. The Software Engineering Institute is a Department of Defense-sponsored federally funded research and development center. The CERT/CC was established in 1988 to deal with security issues on the Internet. It now partners with and supports the Department of Homeland Security's National Cyber Security Division and its US-CERT to coordinate responses to security compromises; identify trends in intruder activity; identify solutions to security problems; and disseminate information to the broad community. The CERT/CC also conducts R&D to develop solutions to security problems and provides training to help individuals build skills in dealing with cyber-security issues.

About the Secret Service-Led Electronic Crimes Task Forces (ECTF)
The USA PATRIOT ACT OF 2001 (HR 3162, 107th Congress, First Session; October 26, 2001, Public Law 107-56) ordered the Director of the United States Secret Service to take appropriate actions to develop a national network of electronic crime task forces, based on the New York Electronic Crimes Task Force model, throughout the United States for the purpose of preventing, detecting and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.

The ECTF mission is to establish a strategic alliance of federal, state and local law enforcement agencies, private sector technical experts, prosecutors, academic institutions and private industry in order to confront and suppress technology-based criminal activity that endangers the integrity of our nation’s financial payments systems and poses threats against our nation’s critical infrastructure. The ECTF model is built on trust and confidentiality without regulators or other outside influences. ECTF law enforcement members develop personal pre-incident relationships with corporate and academic ECTF members and are educated in business concepts such as risk management, return on investment and business continuity plans. As trained first responders to various forms of electronic crimes, ECTF law enforcement members approach incidents with the focus on business designs and information sharing with known corporate and academic individuals. Currently, 15 ECTF models are proving successful in Atlanta, GA; Boston, MA; Charlotte, NC; Chicago, IL; Cleveland, OH; Columbia, SC; Dallas, TX; Detroit, MI; Houston, TX; Las Vegas, NV; Los Angeles, CA; Miami, FL; New York, NY; Philadelphia, PA; San Francisco, CA; Washington, DC. The current ECTF success models will be utilized for the additional 15 ECTFs scheduled to open prior to 2010.

NOTE TO EDITORS: Complete findings from the 2004 E-Crime Watch survey can be found at http://www.csoonline.com/releases/052004129_release.html. If you report any of the data from the 2004 E-Crime Watch survey, the data must be sourced as originating from: CSO magazine/U.S. Secret Service/CERT Coordination Center.

Additional Contact Information
 
CSO magazine
  Susan Watson
  508.935.4190

U.S. Secret Service
  Office of Public Affairs
  202.406.5708

# # #


For more information

Media Contacts: 

Richard Lynch

public-relations@sei.cmu.edu

412-268-4793
