Survey Shows E-Crime Incidents Are Declining Yet Impact is Increasing; 2006 E-Crime Watch Survey from CSO Magazine Reveals Insider Threats are on the Rise

FRAMINGHAM, MA – September 6, 2006 – CSO magazine today releases results of the 2006 E-Crime Watch survey, which reveals a decline in security events(1), yet an increase in the financial and operational losses caused by such electronic crime(2) incidents. The third annual survey of 434 security executives and law enforcement personnel was conducted in cooperation with the U.S. Secret Service, Carnegie Mellon University Software Engineering Institute's CERT(R) Coordination Center and Microsoft Corp.

According to findings, while the average number of security events per respondent continues to decline (34 in the last 12 months vs. 86 in 2005 and 136 in 2004), the impact of these crimes is increasing as reflected by both financial and operational losses. Sixty-three percent of respondents report operational losses as a result of e-crime, with 40 percent reporting financial losses (averaging $740,000 vs. $507,000 in 2005) and 23 percent reporting harm to their organization's reputation.

According to Bob Bragdon, publisher of CSO magazine, "Better perimeter technologies are helping organizations fight against e-crime's depleting effect on time, money and resources; however, we're also seeing increased reports of 'harm to reputation' and 'lost current/future revenues.'"


Survey results also show that while respondents continue to be most concerned with intruders from outside their organization (58 percent of events were reportedly committed by outsiders(3); 27 percent by insiders(3)), the insider threat is getting worse. Of those organizations experiencing security events, the majority (55 percent) report at least one insider event (up from 39 percent the year prior).

"Just having policies in place is not good enough – organizations need to focus on implementation and enforcement of their policies," says Dawn Cappelli, Senior Member of the Technical Staff at CERT. "Nearly all respondents report having account and password management policies yet over half of the insiders compromised accounts, a third used backdoors and others used password crackers or sniffers."

As for the types of e-crime incidents, survey results reveal automated attacks like viruses, worms, and malicious code remain the most common form of e-crime with 72 percent of respondents reporting such incidents. Other common offenses include unauthorized access to or use of information systems or networks (60 percent), spyware (51 percent) and illegal generation of spam email (40 percent). While automated attacks have increased the number of incidents, targeted attacks are also on the rise with theft of proprietary information such as customer records reported by 36 percent, system sabotage by 33 percent and theft of intellectual property by 30 percent.

Preparedness and Response:

The 2006 E-Crime Watch survey reveals the most effective e-crime fighting technologies include stateful firewalls (87 percent), electronic access or control systems (86 percent), password complexity (80 percent), network-based anti-virus (74 percent) and encryption (74 percent). The study also shows continued investment in security with respondent organizations spending an average of $20 million on IT security and $19 million on physical security.

"The results of the E-Crime Watch survey show some progress, but also point to the work ahead," says Doug Cavit, chief security strategist for Trustworthy Computing at Microsoft. "Along with our own research and dialogue with customers and partners, the survey reaffirms that organizations need to continue to invest not only in technology solutions, but also in partnerships to assist in the development of policies and best practices that can help fight evolving cyber crime threats."

Overall, the survey shows organizations have better visibility into what is going on in their enterprises and are better prepared to respond. The majority of respondents (69 percent) say they are more prepared to prevent, detect, respond and recover from cyber security threats to the organization than in the past year. At the same time, more than half (56 percent) are more concerned about those threats than they were a year ago.

According to Ron Layton, Assistant to the Special Agent in Charge of the Criminal Investigative Division of the United States Secret Service, "The key is for law enforcement and the private sector to build and maintain close relationships regarding e-crime threats and incidents. It is law enforcement's hope that businesses and organizations will feel more comfortable and prepared to report cyber crime incidents to law enforcement."

About the 2006 E-Crime Watch Survey

The 2006 E-Crime Watch survey was conducted by CSO magazine in cooperation with the U.S. Secret Service, Carnegie Mellon University Software Engineering Institute's CERT(R) Coordination Center and Microsoft Corp. The survey was deployed June 28, 2006, through July 30, 2006. An email invitation containing a link to the survey was sent to 15,000 CSO magazine readers (CSOs, security and law enforcement professionals), yielding 434 respondents. Margin of error is +/- 3.4 percent. Respondent answers cover the period between July 2005 and June 2006.

NOTE TO EDITORS: Any references to the data from the 2006 E-Crime Watch survey must be sourced as originating from the following: CSO magazine, U.S. Secret Service, CERT Coordination Center, Microsoft Corp.

Complete results available at .

(1) "Security Event" is defined as an adverse event that threatens some aspect of computer security. This does not include spam; phishing emails sent to employees; virus-carrying emails or routine network and port scanning activity that are blocked by standard perimeter defenses; discovery of vulnerabilities in packaged software. It does include actual virus infections (a single outbreak affecting multiple machines is one "Event") or worms or denial-of-service attacks that affect system performance/availability, anomalous Internet/network activity that appears targeted specifically at your organization, including successful or unsuccessful targeted hacks/exploits, and loss or theft of backup tapes or laptops with sensitive data, or other inadvertent exposure of data.

(2) "Electronic crime" is defined as a crime (an illegal act) that is carried out using a computer or electronic media.

(3) "Insider" is defined as current employee, service provider or contractor. "Outsider" is defined as a non-employee or non-contractor, currently or previously.

About CSO Magazine

Launched in 2002, CSO magazine, its companion website and the CSO Perspectives(TM) conference provide chief security officers (CSOs) with analysis and insight on security trends and a keen understanding of how to develop successful strategies to secure all business assets–from people to information and financial value to physical infrastructure. The magazine is read by 27,000 security leaders from the private and public sectors. The U.S. edition of the magazine and website are the recipients of 80 awards to date, including the American Society of Business Publication Editor's Magazine of the Year award as well as eleven Jesse H. Neal National Business Journalism Awards. Licensed editions of CSO magazine are published in Australia, France, Poland and Sweden. The CSO Perspectives(TM) conference, the first face-to-face conference designed for CSOs and featuring speakers from the national stage and the CSO community, offers educational and networking opportunities for pre-qualified corporate and government security executives. In addition, CSO magazine produces a series of one-day events on privacy and data assurance. CSO magazine and the CSO Perspectives conference are produced by International Data Group's award-winning business unit: CXO Media Inc.

About CERT

The CERT(R) Program is located at Carnegie Mellon University's Software Engineering Institute (SEI) in Pittsburgh, Pennsylvania, U.S.A. The SEI is a Department of Defense-sponsored federally funded research and development center. CERT's primary goals are to ensure that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit and ensure survivability – the continuity of critical services – in spite of successful attacks, accidents, or failures. The four major areas of work that constitute the CERT Program, which includes the well-known CERT Coordination Center (CERT/CC), are vulnerability and incident analysis, education and training, research and development, and evaluations and best practices.

About the Secret Service's Electronic Crimes Task Forces (ECTF)

The USA PATRIOT ACT OF 2001 (HR 3162, 107th Congress, First Session, October 26, 2001, Public Law 107-56) mandated the United States Secret Service to develop a national network of electronic crime task forces, based on the New York Electronic Crimes Task Force model, throughout the United States for the purpose of preventing, detecting and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.

The ECTF mission is to establish a strategic alliance of federal, state and local law enforcement agencies, private sector technical experts, prosecutors, academic institutions and private industry in order to confront and suppress technology-based criminal activity that endangers the integrity of the nation's financial payments systems and poses threats against the nation's critical infrastructure. The ECTF model is built on trust and confidentiality without regulators or other outside influences. ECTF law enforcement members develop personal pre-incident relationships with corporate and academic ECTF members and are educated in business concepts such as risk management, return on investment and business continuity plans. As trained first responders to various forms of electronic crimes, ECTF law enforcement members approach incidents with the focus on business designs and information sharing with known corporate and academic individuals. Currently, 24 ECTFs are proving successful in Atlanta, GA; Baltimore, MD; Birmingham, AL; Boston, MA; Buffalo, NY; Charlotte, NC; Chicago, IL; Cleveland, OH; Columbia, SC; Dallas, TX; Houston, TX; Las Vegas, NV; Los Angeles, CA; Louisville, KY; Miami, FL; Minneapolis, MN; New York, NY / Newark, NJ; Oklahoma City, OK; Orlando, FL; Philadelphia, PA; Pittsburgh, PA; San Francisco, CA; Seattle, WA; and Washington, DC.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.