Companies Losing Millions over Rising Computer Crime

by Anna Johnson*
This report describes the findings of recent studies which show that, worldwide, increasing computer crime is costing companies large amounts of money. It then examines the reasons behind this growth, emphasising that organisations are not doing enough to protect themselves.

The Statistics

Computer Crime Increasing at an Alarming Rate

Recent studies in Australia, the United States of America and the United Kingdom indicate that corporations and Government departments are losing thousands to millions of dollars due to increasing computer crime.

A study of 300 Australian companies by accounting firm Deloitte Touche Tohmatsu found that two in five (or 37%) of companies had experienced some form of computer security compromise in 1997.

In the U.S.A. the 1997 Computer Security Institute study of 563 companies revealed that 75% had lost money due to computer crimes in the previous year. This is a massive 78% increase over the number of incidents reported in 1996 - from 42% of firms in 1996 to 75% in 1997. A November 1997 report released by the Permanent Investigations Sub-Committee of the U.S. Senate estimated that businesses lost around US$800 million in 1995 through break-ins to computer systems at banks, hospitals, and other large businesses.

The Sub-Committee said that few businesses reported security breaches for fear of negative publicity that could scare off customers. Security problems were allegedly worse in the private sector than in government - to which more than $400 million of the calculated losses were attributed.

A 1996 survey of 1,000 companies by the American Bar Association showed that 48 percent had experienced computer fraud in the last five years.

In 1996 the U.K. Association of British Insurers estimated that the cost of computer crime amounted to 250 million pounds (US$417.7 million). However, they claimed that this was only 20 percent of actual losses.

At a conference in Ottawa, Canada early in 1997, well-known American security specialist Winn Schwartau estimated that the U.S. economy loses more than US$100 billion per annum through industrial espionage and that this has been growing at a rate of 500% per annum since 1992.

Similarly, in the U.K., the 1996 NCC Information Security Breaches Survey identified a 200% increase in computer crime from 1995 to 1996.

Costs ranging from thousands to millions of dollars

The Deloitte study found that the cost per incident was generally around $10,000 (77% of firms) with 6% paying over $100,000 in total to deal with computer crime. Twenty percent (20%) of firms suffered 6 or more incidents that year.

The 1996 NCC Information Security Breaches Survey in the U.K. estimated the average loss at around US$30,000 per incident with a number of organisations losing up to US$1.5 million per incident.

The American estimates are even higher, with the American Bar Association reporting that company losses ranged from $2 million to $10 million in 1996.

Insiders and outsiders to blame

The U.S. Senate Sub-Committee study revealed that internal users were responsible for nearly half of all break-ins.

In Australia the Deloitte researchers found that 90% of the companies surveyed had traced the source of a security breach to a person within the organisation - a person with authorised access to corporate computer systems such as an employee, consultant or contractor. However, 60% of the companies also experienced attacks from external sources. In fact, the Co-Sourcing Director of Deloitte Touche Tohmatsu, Mr John Kane, predicted that outsider computer attacks were on the increase.

The study found variation in the types of attacks, confirming fears that information security breaches are no longer the domain of relatively harmless, curious hackers, but are increasingly being conducted by disgruntled employees, professional criminals and industrial spies.

Twenty-six (26) companies lost a total of $24.8 million due to telecommunications fraud, 22 lost $21 million due to theft of proprietary information, 26 lost $4.3 million from sabotage of data or networks, 22 lost nearly $4 million from invalid insider access and 22 lost $2.9 million from outsider system penetration. Computer viruses caused nearly $12.5 million in losses for 165 companies; laptop computer theft caused $6.1 million in losses for 160 firms; and employee abuse of Internet privileges caused more than $1 million in losses to 55 firms.

High-tech industries the most vulnerable

The Deloitte Touche Tohmatsu research found that the Banking and Finance industry suffered the highest incidence of computer security penetrations (57%), closely followed by the Technology sector (55%), Communications (50%) and Computing (45%). The lowest level of computer crime was reported in the Primary Producers/Mining sectors (28%). These findings indicate a direct correlation between the level of security penetrations and the level of workplace dependence on computer technology. Therefore, computer crime is expected to escalate in industries increasing their reliance on high technology.

Reasons for rising computer crime

According to The Yankee Group, a Boston-based consulting firm in the U.S., fear of security breaches has prompted corporate security budgets to increase by 25 percent since 1995. However, other studies show that many organisations are still not doing enough to adequately secure their information resources.

According to Mr Kane, computer crime will continue to threaten Australian businesses. He cited three main reasons: companies' increasing move to networking (from centralised mainframes to decentralised file servers; and from single-vendor to multi-vendor environments); the growth in numbers and technical sophistication of computer users; and the difficulties encountered by companies and law enforcement agencies in maintaining security in such rapidly changing environments. It appears that in many organisations rising technological sophistication is not being accompanied by rising security sophistication. This makes companies and Government departments very attractive targets to hackers, criminals, industrial spies and malicious employees.

Inadequate Security Systems

Various studies indicate that many organisations are failing to implement adequate security policies and systems. Additionally, whilst a high level of security is maintained in one area of the network or organisation (for instance, a firewall), it is common for other "weak links" to exist.

One of these "weak links" is the inadequate screening, monitoring and controlling of the activities of insiders (employees, contractors and consultants). A 1996 study in the U.K. by accounting firm KPMG found that only 19% of the organisations they surveyed actually obtained a formal undertaking from contractors to abide by the organisation's security rules. Sixty-five percent (65%) of those organisations with Internet connections did not even know, let alone control, their employees' use of the Internet. This is of extreme concern since many serious penetrations of a corporate network are facilitated by unrestricted Internet connections.

Password access to network resources is mandatory in most organisations today. Yet the password policies or systems in use are often weak and easy to circumvent or break. One of the keystones of effective password protection is to enforce password changes at least once every 3 months. The KPMG study found that 27% of mainframes, 41% of mini computers and 43% of networks did not enforce quarterly password changes.

A 1997 study by computer manufacturer Compaq of workers in the financial district of London revealed chronically insecure password policies. Eighty-two percent (82%) of respondents said that they chose passwords based on "a sexual position or abusive name for the boss" (30%), their partner's name or nickname (16%), the name of their favourite holiday destination (15%), sports team or player (13%) and whatever they saw first on their desk (8%).

System back-ups are also an imperative security measure, especially to assist an organisation to recover from accidental or intentional destruction, damage or compromise of a system or network. However, according to the U.K. KPMG study, only 36% of companies back-up their PC data and only 65% test their back-up data.

Senior Management Reluctance

Perhaps the biggest underlying cause of inadequate organisational security is senior management's lack of understanding of their information systems and the need for associated security controls.

In 1997 the publication Information Week surveyed 1,271 U.S. system/network managers. Only 22% believed that their own senior managers regarded information security as "extremely important." Much higher on their list of concerns were "reducing costs" and "improving competitiveness." Unfortunately, there appears to be little recognition of the crucial role information security plays in keeping costs down and preventing the erosion of competitiveness. On the contrary, as Richard Parris, Chief Executive Officer of Intercede (a specialist security vendor in the U.S.) points out, companies will generally spend far larger sums of money on the "cure" - in dealing with security breaches once they occur.

Even many law enforcement agencies have failed to institute proper security mechanisms. Kasten Chase, a U.S. security networking company, surveyed police departments across the U.S. in 1996. The research revealed that only 25% of police forces had or were formulating an information technology security policy. Although 75% were "aware or concerned" about I.T. security, none had budgeted to protect their systems from being illegally accessed. This attitude prevailed in an environment where 58% of police departments used a non-secure Wide Area Network (WAN) to share information between sites. Forty-two percent (42%) of those interviewed believed that outsourcing their WAN from a third-party, value-added network meant that their network was inherently secure.

Even at the highest Government levels, the security mechanisms have been found wanting. After testing 15,000 Pentagon systems whose vulnerabilities had been identified in a previous audit, the Information Warfare Division of the Defense Information Systems Agency of the U.S. Department of Defense found that 90% of the systems were still vulnerable to common intrusion techniques.

In a 1996 U.S. study, networking company Novell found an overwhelming degree of ignorance at company board level with regard to information technology. As a result, I.T. managers were struggling to implement new technology. For example, 51% of I.T. managers reported problems convincing their board or managers about the benefits of installing an intranet. This is hardly surprising since the study found that over 37% of board-level directors were unfamiliar with the term "intranet".

Given that information technology managers are battling to introduce new technology into their organisations, it follows that they find it even more difficult to convince their senior managers of the need for additional security mechanisms. In addition, calls for the appointment of a security officer (someone to administer network security) also commonly fall on deaf ears. The KPMG researchers found that only 25% of U.K. organisations had a security officer. In the organisations without a security officer, the responsibilities and roles associated with security were generally assumed by the I.T. department. However, 17% of large organisations (with a turnover above £10 million) had nobody responsible for security.

Furthermore, KPMG U.K. found that of those organisations which had experienced a security breach, a large number had not even developed a security plan. Of those companies that had drawn up plans, a significant proportion had not tested their plans!

Supporting this finding was an observation made by Dan Farmer, the creator of the well-known security scanning tool SATAN. Farmer studied 660 banks in the U.S. and found that 68% had inadequate network security. His explanation was that system administrators were under-funded and under pressure "just to keep things running - not necessarily secure."

To some extent, senior managers and boards can be forgiven for objecting to extra investments in "security" when hardware and software vendors preach that their products are already sufficiently secure. However, that view is as naïve as believing that a house is secure because it was built by a reputable builder. Deadlocks and alarms are still necessary to protect one's house; security controls are as necessary to protect an organisation's network.

Unfortunately, several myths seem to be perpetuated at senior management level which are holding security enhancements back:

the "it won't happen to us" myth - "no one (inside or outside our organisation) would be interested in stealing from us, or penetrating, damaging, destroying or otherwise tampering with our network";

the "we run the best systems so they must be secure" myth - "our hardware, operating systems and software are made by (insert vendor's name)" or "we have the most recent version of (insert name of product)";

the "our vendor will look after us" myth - "our vendor will tell us if a vulnerability is found in our system" (perhaps the most common myth);

the "we don't need to test our systems" myth - "we've taken all the precautions that need to be taken so penetration tests are not needed";

the "it's the I.T. department's job" myth - "they look after the systems so they look after security as well" (without giving them the resources, time and money to do so…);

the "our sub-contracted I.T. company will take care of security" myth (traditionally, their emphasis and skill set has not been on security);

the "we can't afford it" myth - "security is a luxury for which we don't have the budget".

There are other mistaken beliefs. As indicated earlier, one of these is the assumption that the implementation of one or several specific security controls is adequate to protect a network. Firewalls, password management systems, the encryption of data, and other authentication procedures are all necessary, but they are not sufficient in themselves. Firstly, a given security control may not be the most cost-effective in its class (not all firewalls, or password systems, or encryption methods, etc. are equal). Secondly, a system - the combination of a number of integrated tools - is generally required to protect an entire network. A "holistic" approach to security is therefore necessary.

Conclusion

In order for computer crime to decrease, more organisations will need to implement measures to avoid, prevent and deter attacks. For the costs of such crimes to decline, organisations will also need to implement tools to monitor and deal more effectively with incidents. The bottom line is that organisations must become pro-active in dealing with security.

In some cases, the monetary costs of increasing the organisation's level of security will be low. However, in most instances, some commitment of manpower, time and money will be required. This means that information technology professionals may need to undergo the arduous task of educating and persuading their senior managers of the need for greater security. The best way to argue the case is to give them the facts: computer crime is increasing, computer crime costs organisations large sums of money, and computer crime can be cost-effectively prevented.

*Anna Johnson is the editor of the Shake Security Journal and a director of Shake Communications Pty Ltd. She specialises in developing security policies, cost-benefit and risk analysis, and writing about security.
