Network specialist Russ Schadd wakes up in a cold sweat in the middle of the night worrying about how to protect his US$1.5 billion printing company's proprietary information.
And well he should.
According to results of the sixth-annual Computer Crime and Security Survey, released today, intellectual property theft and security breaches are on the rise while the costs of those intrusions are skyrocketing.
Conducted by the Computer Security Institute of San Francisco and the US Federal Bureau of Investigation, the survey of 538 security administrators from industry, government and academia shows that 85 percent of respondents reported security breaches in this year's survey, and 26 percent reported intellectual property theft, up from 20 percent in 2000.
But the survey also shows that the cost of that theft is exploding. While only 34 respondents could quantify the financial losses associated with intellectual property theft, that number added up to more than $151 million. The amount is up from almost US$67 million in 2000 and $20 million in 1997. In total, 186 respondents said losses from all types of security breaches cost more than $377 million. That means theft of intellectual property accounts for 40 percent of all losses tabulated in the survey, despite the fact that such a small number of companies could quantify it.
"I'm not worried about someone [hacking] in and destroying data because we have backups," says Schadd, who is a network specialist for Wallace Computer Services. It would be difficult to calculate how badly the company would be hurt if somebody stole that information. "It would be devastating if that information was given to a competitor," he says.
Richard Power, editorial director of the Computer Security Institute, says companies are figuring out how to protect their financial data, customers' credit information and personnel records. The problem is many companies aren't aware that they should be protecting the information that fuels their businesses - such as marketing plans, source codes and research information.
"You lock up rooms so people can't steal laptops . . . but if your [company is] based on information and information systems and that can't be secured, then you're in line to lose your cash crop," Power says.
"Industrial espionage is giving way to information age espionage. It used to be that you turned to an insider. You bribed them. You blackmailed them. But why risk someone getting caught . . . when you can just hack in and take what you need?" he asks.
The survey also points to several other aspects of computer security that are on the rise:
- Forty percent of respondents reported outside system penetration. That number is up from 20 percent in 1997- Thirty-eight percent detected denial-of-service attacks. That number is up from 24 percent in 1998 and 27 percent in 2000.
- In last year's survey, 249 people were able (and willing) to quantify financial losses. That number totaled $265 million.
- Thirty-six percent of respondents reported security breaches to law enforcement agencies. That's up from 17 percent in 1997 and 25 percent in 2000.
Industry analysts and corporate users agree that more administrators should be focused on protecting their valuable proprietary information.
"Companies that collect credit card numbers and personal information about people take on that [security] responsibility," says Tim Belcher, CTO for RipTech Inc., a security monitoring and consulting company. "What they're not doing is protecting their own information, records, n plans [and] technologies."
For some IT administrators, getting the message through to upper management is another matter.
"I have to work on this all the time. It's never-ending," says Michael Culp, systems administrator for Worthington Industries, a $2 billion company in Columbus, Ohio, largely focused on the steel industry. "On an importance level, I don't see proprietary information as high in their minds. They don't think the information isn't valuable, but they don't feel there's enough threat to warrant any significant attention."
Once management buys into th