FRAMINGHAM (03/22/2000) - Cyberattacks cost U.S. organizations US$266 million last year -- more than double the average annual losses for the previous three years, according to a newly published report.
The study, released by the San Francisco-based Computer Security Institute (CSI) and the San Francisco FBI Computer Intrusion Squad, found that 90 percent of survey respondents detected some form of security breach last year.
Based on information from 273 of CSI's member organizations, 70 percent reported serious security attacks, including theft of proprietary information, financial fraud, system penetration from outsiders, denial-of-service attacks and sabotage of data or networks. This figure, up from 62 percent in 1998, didn't include data from common security problems caused by computer viruses, laptop theft and abuse of Internet access by employees.
According to the report, 74 percent of respondents confirmed that they sustained financial losses due to security attacks, but only 42 percent said they were willing and able to quantify these costs. The figures are based on responses from 643 computer security practitioners in 273 U.S. corporations, government agencies, financial institutions, medical institutions and universities.
The $266 million in verifiable losses claimed by respondents was more than twice the average annual total of $120 million reported from 1996 to 1998.
Sixty-six respondents reported $66.7 million in losses from theft of proprietary information and 53 organizations listed $56 million in losses from financial fraud.
CSI says the study indicates a continuing trend: computer security threats to large corporations and government agencies come from both inside and outside the organization. While media reports often focus on outside computer crackers, 81 percent of respondents were worried about disgruntled employees. Sixty-one respondents said they suffered $27 million in damages from sabotage of data or networks, compared to a combined total of $10.8 million for previous years.
For the third consecutive year, 59 percent of respondents identified their Internet connection as a frequent point of attack, compared with 38 percent who cited internal systems as the target.
CSI Director Patrice Rapalus said the report, entitled "Computer Crime and Security Survey," indicated that unauthorized access and security attacks are widespread. She said the private sector and government organizations must increase their focus on sound security practices, deployment of sophisticated defensive technology and adequate training and staffing of security managers.