2004 E-Crime Watch Survey Shows Significant Increase In Electronic Crimes

Framingham, MA – May 25, 2004 – The 2004 E-Crime Watch survey conducted among security and law enforcement executives by CSO magazine in cooperation with the United States Secret Service and the Carnegie Mellon University Software Engineering Institute’s CERT® Coordination Center, shows a significant number of organizations reporting an increase in electronic crimes (e-crimes) and network, system or data intrusions. Forty-three percent (43%) of respondents report an increase in e-crimes and intrusions versus the previous year and 70% report at least one e-crime or intrusion was committed against their organization. Respondents say that e-crime cost their organizations approximately $666 million in 2003 (chart available at http://www.csoonline.com/releases/052004_chart3.html). However, 30% of respondents report their organization experienced no e-crime or intrusions in the same period.

E-Crimes Impact

When asked what types of losses their organizations experienced last year, over half of respondents (56%) report operational losses, 25% state financial loss and 12% declare other types of losses. The average number of individual e-crimes and intrusions is 136 (chart available at http://www.csoonline.com/releases/052004_chart1.html). However, a third (30%) of respondents did not experience e-crime or intrusions, while a quarter (25%) experienced fewer than ten. Interestingly, 32% of respondents do not track losses due to e-crime or intrusions (chart available at http://www.csoonline.com/releases/052004_chart2.html). Of those who do track, half say they do not know the total amount of loss. Forty-one percent (41%) of respondents indicate they do not have a formal plan for reporting and responding to e-crimes, demonstrating room for improvement. Slightly more than half (51%) state their organization has a formal process in place to track e-crime attempts. Additionally, respondents indicate a higher degree of familiarity with local and national e-crime laws (39% and 33% respectively), but know little about applicable international laws (8%).

“The increase in e-crime over the past year again demonstrates the need for corporate, government and non-governmental organizations to develop coordinated efforts between their IT and security departments to maximize defense and minimize e-crime impact,” says Bob Bragdon, Publisher of CSO magazine. “There is a lot of security spending going on, but not much planning. It’s essential for chief security officers and information technology pros to find the most manageable, responsive and cost effective way to stop e-crime from occurring,” Bragdon added.

Who are the Criminals?

Nearly a third (30%) of respondents in organizations experiencing e-crimes or intrusions in 2003 do not know whether insiders or outsiders were the cause. Respondents who do know report that an average of 71% of attacks come from outsiders compared to 29% from insiders. Regarding the source of the greatest cyber security threat, hackers were most frequently cited (40%) followed closely by current or former employees or contractors (31%). When it comes to identifying specific types of e-crimes committed against organizations, the survey shows 36% of respondents’ organizations experienced unauthorized access to information, systems or networks by an insider compared to 27% committed by outsiders. Both sabotage and extortion are committed equally by insiders and outsiders for organizations responding to the survey.

Monitoring & Reporting

Eighty percent (80%) of respondents report they monitor their computer systems or networks for misuse and abuse by employees or contractors. Ninety-five percent (95%) of respondents say they use some type of employee monitoring (e.g., internet, email, files) to deter e-crime. Thirty-six percent (36%) report using employee monitoring to terminate an employee or contractor for illegal activities. Seventy-two percent (72%) of respondents require internal reporting of misuse or abuse of computer access by employees or contractors. However, just under half (49%) of respondents say intrusions are handled with the help of law enforcement or by taking other legal action.

“Many companies still seem unwilling to report e-crime for fear of damaging their reputation,” says Larry Johnson, Special Agent in Charge, Criminal Investigative Division, United States Secret Service. “However, as we see with this survey, ignoring the problem or dealing with it quietly is not working. The question is not why can’t we stop these criminal acts from happening, but rather, why are we allowing them to take place? The technology and resources are there to effectively fight this. We just need to work smarter to do it.”

Best Practices

The most common technologies deployed to combat e-crime are firewalls used by 98% of respondents, followed by physical security systems (94%) and manual patch management (91%). In ranking the effectiveness of various technologies, firewalls are considered the most effective (71%), followed by encryption of critical data in transit (63%) and encryption of critical data in storage (56%). Manual patch management, the third most common technology in use, also holds the dubious distinction of being rated as the single least effective technology (23%). Among policies and procedures, conducting regular security audits is listed as the most effective method (51%), and recording or reviewing employee phone conversations is listed as one of the least effective (26%).

“The ineffectiveness of manual patching demonstrates the difficulty corporate and individual users have in keeping abreast of the large number of vulnerabilities discovered every month,” says Richard Pethia, Director of the Software Engineering Institute’s (SEI) Networked Systems Survivability Program. “In the long-term, we all need to work towards higher quality software, with fewer defects in order to keep our risks at a manageable level.”

About the 2004 E-Crime Watch Survey

The 2004 E-Crime Watch survey was conducted by CSO magazine in cooperation with the United States Secret Service and the CERT Coordination Center. The research was conducted to unearth e-crime fighting trends and techniques, including best practices and emergent trends.

For the purpose of this survey, an electronic crime is defined as: Any criminal violation in which electronic media is used in the commission of that crime. An insider is defined as: a current or former employee or contractor. An outsider is defined as: non-employee or non-contractor. The online survey of CSO magazine subscribers and members of the United States Secret Service’s Electronic Crimes Task Force members was conducted from April 15 to April 26, 2004. Results are based on 500 completed surveys. At a 95% confidence level, the margin of error is +/- 4.4%.

In addition to the 2004 E-Crime Watch survey team, the following security practitioners served as advisors to the project:

• Michael Assante, Vice President and Chief Security Officer, American Electric Power

• Bill Boni, Vice President and Chief Information Security Officer, Motorola

• Don Masters, Assistant Special Agent in Charge, Los Angeles Field Office, United States Secret Service

• Bob Rose, Senior Managing Director, Bear Stearns & Co. Inc.

• Dennis Treece, Director of Corporate Security, Massachusetts Port Authority

• James Wellington, Director of Federal Systems, Questerra

About CSO Magazine

CSO magazine is published by CXO Media Inc. In addition to CSO, CXO Media publishes CIO magazine (launched in 1987), www.cio.com, The CIO Insider, CSOonline.com and darwinmag.com. CXO Media serves CIOs, CSOs, CEOs, CFOs, COOs and other corporate officers who use technology to thrive and prosper in this new era of business. The company strives to enhance partnerships among C-level executives, as well as create opportunities for information technology (IT) and consumer marketers to reach them. In addition to magazines and websites, CXO Media produces Executive Programs, a series of conferences that provide educational and networking opportunities for corporate and government leaders. CXO Media Inc. is a subsidiary of IDG, International Data Group (IDG), the world's leading technology media, research and event company. A privately-held company, IDG publishes more than 300 magazines and newspapers including Bio-IT World, CIO, CSO, Computerworld, GamePro, InfoWorld, Network World and PC World. The company features the largest network of technology-specific Web sites with more than 400 around the world. IDG is also a leading producer of more than 170 computer-related events worldwide including LinuxWorld Conference & Expo®, Macworld Conference & Expo®, DEMO®, and IDC Directions. IDC provides global market research and advice through offices in 50 countries. Company information is available at http://www.idg.com.

About CERT

The CERT® Coordination Center (CERT/CC) is located at Carnegie Mellon University's Software Engineering Institute in Pittsburgh, Pennsylvania, U.S.A. The Software Engineering Institute is a Department of Defense-sponsored federally funded research and development center. The CERT/CC was established in 1988 to deal with security issues on the Internet. It now partners with and supports the Department of Homeland Security's National Cyber Security Division and its US-CERT to coordinate responses to security compromises; identify trends in intruder activity; identify solutions to security problems; and disseminate information to the broad community. The CERT/CC also conducts R&D to develop solutions to security problems and provides training to help individuals build skills in dealing with cyber-security issues.

About the Secret Service-Led Electronic Crimes Task Forces (ECTF)

The USA PATRIOT ACT OF 2001 (HR 3162, 107th Congress, First Session, October 26, 2001,

Public Law 107-56) ordered the Director of the United States Secret Service to take appropriate actions to develop a national network of electronic crime task forces, based on the New York Electronic Crimes Task Force model, throughout the United States for the purpose of preventing, detecting and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.

The ECTF mission is to establish a strategic alliance of federal, state and local law enforcement agencies, private sector technical experts, prosecutors, academic institutions and private industry in order to confront and suppress technology-based criminal activity that endangers the integrity of the nation’s financial payments systems and poses threats against the nation’s critical infrastructure. The ECTF model is built on trust and confidentiality without regulators or other outside influences. ECTF law enforcement members develop personal pre-incident relationships with corporate and academic ECTF members and are educated in business concepts such as risk management, return on investment and business continuity plans. As trained first responders to various forms of electronic crimes, ECTF law enforcement members approach incidents with the focus on business designs and information sharing with known corporate and academic individuals. Currently, 15 ECTF models are proving successful in Atlanta, GA; Boston, MA; Charlotte, NC; Chicago, IL; Cleveland, OH; Columbia, SC; Dallas, TX; Detroit, MI; Houston, TX; Las Vegas, NV; Los Angeles, CA; Miami, FL; New York, NY; Philadelphia, PA; San Francisco, CA; Washington, DC. The current ECTF success models will be utilized for the additional 15 ECTFs scheduled to open prior to 2010.

NOTE TO EDITORS: Complete findings from the 2004 E-Crime Watch survey can be found at http://www.csoonline.com/releases/052004129_release.html. If you report any of the data from the 2004 E-Crime Watch survey, the data must be sourced as originating from: CSO magazine/U.S. Secret Service/CERT Coordination Center.