2005 E-Crime Watch™ Survey Shows E-Crime Fighters Making Headway
Media Contact Information
Kelly Kimberland
Phone: 412-268-4793
Fax: 412-268-5758
E-mail: public-relations@sei.cmu.edu
2005 E-CRIME WATCH™ SURVEY SHOWS
E-CRIME FIGHTERS MAKING HEADWAY
Average Company Loss Estimated at More Than Half Million Dollars
Framingham, MA—May 3, 2005—Results from the 2005 E-Crime Watch survey, conducted among security executives and law enforcement personnel by CSO magazine in cooperation with the United States Secret Service and the Carnegie Mellon University Software Engineering Institute’s CERT® Coordination Center, reveal the fight against electronic crimes (e-crimes) may be paying off. Thirteen percent (13%) of the 819 survey respondents—more than double the 6% from the 2004 survey—report the total number of e-crimes (and network, system or data intrusions) decreased from the previous year; 35% report an increase in e-crimes and 30% report no change. Almost one third (32%) of respondents experienced fewer than 10 e-crimes (versus the 25% reported in 2004), while the average number of e-crimes per respondent decreased to 86 (significantly less than 136 average reported in the 2004 survey). Respondents report an average loss of $506,670 per organization due to e-crimes and a sum total loss of $150 million.*
E-Crimes Impact
While the average number of e-crimes decreased year over year from 2003 to 2004,
68% of respondents report at least one e-crime or intrusion committed against
their organization in 2004 and 88% anticipate an increase in e-crime during
2005. More than half (53%) expect monetary losses to increase or remain the
same.
When asked what e-crimes were committed against their organizations in 2004, respondents cite virus or other malicious code as most prevalent (82%), with spyware (61%), phishing (57%) and illegal generation of spam email (48%) falling close behind. Phishing, a precursor to fraud and/or identity theft, jumps from 31% in the 2004 survey to 57%, the largest single percent increase of an e-crime year over year.
Of those who experienced e-crimes, more than half of respondents (55%) report operational losses, 28% state financial losses and 12% declare harm to reputation as a result. Interestingly, one third (31%) of respondents do not have a formal process or system in place for tracking e-crime attempts, and 39% do not have a formalized plan outlining policies and procedures for reporting and responding to e-crimes, demonstrating room for improvement.
“Security practitioners are faced with new e-crimes on a daily basis. Phishing is a perfect example of a crime that entered the market and has just exploded,” says Bob Bragdon, Publisher of CSO magazine. “It’s not enough to just track these crimes. Businesses need to be doing a better job of formalizing their reporting procedures so law enforcement can help them combat the attacks and, over the long haul, minimize the threats.”
Identifying, Monitoring & Reporting
Organizations, in both the public and private sectors, appear to be doing a
better job identifying criminals. Only 19% of respondents experiencing e-crimes
or intrusions in 2004 do not know whether insiders or outsiders were the cause,
down from 30% in last year’s survey. Respondents who identify the culprit
indicate that 80% of the attacks come from outsiders and 20% from insiders (a
drop from 29% in the 2004 survey).
Eighty percent (80%) of respondents report their organizations monitor their computer systems or networks for misuse and abuse by employees or contractors. Sixty-nine percent (69%) require internal reporting of misuse or abuse of computer access by employees or contractors. However, there is still an opportunity to progress in reporting e-crimes to outside officials. Among organizations experiencing e-crimes, the majority of respondents (78%) report that one or more cases were handled internally without involving legal action or law enforcement. The top three reasons stated for not referring an intrusion for legal action are: damage level insufficient to warrant prosecution (59%), lack of evidence/not enough information to prosecute (50%) and concerns about negative publicity (15%). However, only 31% of respondents consider themselves extremely or very knowledgeable in understanding U.S. laws about computer crimes; only 7% consider themselves knowledgeable about international laws.
"What is important for our partners in the private sector to know is that when an intrusion is not reported to law enforcement, that only enables the criminals to continue to do more—and possibly greater—damage elsewhere, " said Larry Johnson, Special Agent in Charge, Criminal Investigative Division, United States Secret Service. "The Secret Service philosophy is one of prevention. Together with our private industry partners, we have a proven track record of aggressively investigating and preventing electronic crimes that could adversely affect the businesses and citizens of this country."
Effective Practices
The top technologies used to combat e-crime are firewalls and automated virus
scanning used by 99% of respondents, followed by physical security systems (94%),
spyware/adware detection software (93%), intrusion detection systems (91%) and
manual patch management (90%). For the second year in a row, manual patch management,
a common strategy in use, is rated by respondents as the single least effective
technology (26%). Among the most effective technologies, the use of firewalls
is listed as most effective at 68%, followed by automated virus scanning (66%),
encryption (58%), two-factor authentication (56%) and intrusion detection systems
(50%). Moreover, the top five security policies and procedures in use by respondents
to prevent or reduce an e-crime are: account/password management policies (74%),
formal “inappropriate use” policy (71%), employee education and
awareness programs (67%), monitoring of internet connections (65%) and corporate
security policy (62%).
"The respondents rated employee security training, education and awareness programs, and regular communication as the most effective strategies for deterring insider threats. These strategies create a culture of security in the organization, where all employees understand that security is a shared responsibility,” said Dawn Cappelli, senior member of the technical staff with the Software Engineering Institute’s Networked Systems Survivability program.
About the 2005 E-Crime Watch Survey
The 2005 E-Crime Watch survey was conducted by CSO magazine in cooperation with
the United States Secret Service and the CERT Coordination Center. The research
was conducted to unearth e-crime fighting trends and techniques, including best
practices and emerging trends. Respondent answers are based on the 2004 calendar
year.
For the purpose of this survey, an electronic crime is defined as: any criminal violation in which a computer or electronic media are used in the commission of that crime. An intrusion is defined as: a specific incident or event perpetrated via computer that targeted or affected an organization’s data, systems, reputation or involved other criminal behavior. An insider is defined as: a current or former employee or contractor. An outsider is defined as: non-employee or non-contractor. The online survey of CSO magazine subscribers and members of the United States Secret Service’s Electronic Crimes Task Force members was conducted from March 3 to March 14, 2005. Results are based on 819 completed surveys. At a 95% confidence level, the margin of error is +/- 3.4%.
In addition to the 2005 E-Crime Watch survey team, the following security practitioners served as advisors to the project:
- Michael Assante, Vice President and Chief Security Officer, American Electric Power
- Bill Boni, Vice President and Chief Information Security Officer, Motorola
- Don Masters, Assistant Special Agent in Charge, Los Angeles Field Office, United States Secret Service
About CSO
Launched in 2002, CSO magazine provides chief security officers (CSOs) with
analysis and insight on security trends and a keen understanding of how to develop
successful strategies to secure all business assets—from people to information
and financial value to physical infrastructure. The CSO portfolio includes its
companion website (www.CSOonline.com), the CSO Perspectives™ conference
and the CSO Executive Council™. The magazine is read by 27,000 security
leaders from the private and public sectors. The U.S. edition of the magazine
and website are the recipients of 50 awards to date, including the American
Society of Business Publication Editor’s Magazine of the Year award as
well as eight Jesse H. Neal National Business Journalism Awards and Grand Neal
runner-up honors two years in a row. Licensed editions of CSO magazine are published
in Australia, France and Sweden. The CSO Perspectives™ conference, the
first face-to-face conference designed for CSOs and featuring speakers from
the national stage and the CSO community, offers educational and networking
opportunities for pre-qualified corporate and government security executives.
The CSO Executive Council is a professional organization of CSOs created to
advance strategic security practices. CSO magazine, CSOonline.com, CSO Perspectives
conference and the CSO Executive Council are produced by International Data
Group’s award-winning business unit: CXO Media Inc.
About CERT Coordination Center
The CERT® Coordination Center (CERT/CC) is located at Carnegie Mellon University's
Software Engineering Institute in Pittsburgh, Pennsylvania, U.S.A. The Software
Engineering Institute is a Department of Defense-sponsored federally funded
research and development center. The CERT/CC was established in 1988 to deal
with security issues on the Internet. It now partners with and supports the
Department of Homeland Security's National Cyber Security Division and its US-CERT
to coordinate responses to security compromises; identify trends in intruder
activity; identify solutions to security problems; and disseminate information
to the broad community. The CERT/CC also conducts R&D to develop solutions
to security problems and provides training to help individuals build skills
in dealing with cyber-security issues.
About the Secret Service’s Electronic Crimes Task Forces (ECTF)
The USA PATRIOT ACT OF 2001 (HR 3162, 107th Congress, First Session, October
26, 2001, Public Law 107-56) ordered the Director of the United States Secret
Service to take appropriate actions to develop a national network of electronic
crime task forces, based on the New York Electronic Crimes Task Force model,
throughout the United States for the purpose of preventing, detecting and investigating
various forms of electronic crimes, including potential terrorist attacks against
critical infrastructure and financial payment systems.
The ECTF mission is to establish a strategic alliance of federal, state and local law enforcement agencies, private sector technical experts, prosecutors, academic institutions and private industry in order to confront and suppress technology-based criminal activity that endangers the integrity of the nation’s financial payments systems and poses threats against the nation’s critical infrastructure. The ECTF model is built on trust and confidentiality without regulators or other outside influences. ECTF law enforcement members develop personal pre-incident relationships with corporate and academic ECTF members and are educated in business concepts such as risk management, return on investment and business continuity plans. As trained first responders to various forms of electronic crimes, ECTF law enforcement members approach incidents with the focus on business designs and information sharing with known corporate and academic individuals. Currently, 15 ECTF models are proving successful in Atlanta, GA; Boston, MA; Charlotte, NC; Chicago, IL; Cleveland, OH; Columbia, SC; Dallas, TX; Houston, TX; Las Vegas, NV; Los Angeles, CA; Miami, FL; New York, NY; Philadelphia, PA; San Francisco, CA; Washington, DC.
NOTE TO EDITORS: Complete findings from the 2005 E-Crime Watch survey can be found at http://www.csoonline.com/info/ecrimesurvey05.html. If you report any of the data from the 2005 E-Crime Watch survey, the data must be sourced as originating from: CSO magazine/U.S. Secret Service/CERT Coordination Center.
*Monetary loss data not comparable to 2004 figures due to change in question format implemented to collect more precise data.
Additional Contacts:
CSO magazine
Lori Piscatelli Scanlon
508.988.6838
U.S. Secret Service
Jonathan Cherry
202.406.5708
###