[ISN] Computer crime costs $67 billion, FBI says

From: InfoSec News (isn@private)
Date: Thu Jan 19 2006 - 22:15:02 PST


By Joris Evers 
Staff Writer, CNET News.com
January 19, 2006

Dealing with viruses, spyware, PC theft and other computer-related
crimes costs U.S. businesses a staggering $67.2 billion a year,
according to the FBI.

The FBI calculated the price tag by extrapolating results from a
survey of 2,066 organizations. The survey, released Thursday, found
that 1,324 respondents, or 64 percent, suffered a financial loss from
computer security incidents over a 12-month period.

The average cost per company was more than $24,000, with the total
cost reaching $32 million for those surveyed.

Often survey results can be skewed, because poll respondents are more
likely to answer when they have experienced a problem. So, when
extrapolating the survey results to estimate the national cost, the
FBI reduced the estimated number of affected organizations from 64
percent to a more conservative 20 percent.

"This would be 2.8 million U.S. organizations experiencing at least
one computer security incident," according to the 2005 FBI Computer
Crime Survey. "With each of these 2.8 million organizations incurring
a $24,000 average loss, this would total $67.2 billion per year."

By comparison, telecommunication fraud losses are about only $1
billion a year, according to the U.S. Secret Service. Also, the
overall cost to Americans of identity fraud reached $52.6 billion in
2004, according to Javelin Strategy & Research.

Other surveys have attempted to put a dollar amount on cybersecurity
damages in the past, but the FBI believes its estimate is the most
accurate because of the large number of respondents, said Bruce
Verduyn, the special agent who managed the survey project.

"The data set is three or four times larger than in past surveys," he
said. "It is obviously a staggering number, but that is the reality of
what we see."

Responding to worms, viruses and Trojan horses was most costly,
followed by computer theft, financial fraud and network intrusion,
according to the survey. Respondents spent nearly $12 million to deal
with virus-type incidents, $3.2 million on theft, $2.8 million on
financial fraud and $2.7 million on network intrusions.

These figures do not include much of the staff, technology, time and
software employed to prevent security incidents, Verduyn said. Also,
losses to individuals who are victims of computer crime or victims in
other countries are not included, he said.

The FBI's next fiscal year, for which budgets must be reviewed and
approved, begins Oct. 1. Protecting the U.S. against high technology
crimes is third on the agency's list of priorities.

Defenses in place

Survey respondents use a variety of security products for protection.  
Antivirus software is almost universally used, with 98.2 percent of
respondents stating they use it. Firewalls follow in second place,
with 90.7 percent, and anti-spyware and antispam are each used by
about three-quarters of respondents, according to the survey.

The results mean that close to one in 10 organizations does not have a
hardware or software firewall. Or perhaps they don't know they have
one--the Windows Firewall in Windows XP, for example. "Some are very
small businesses that should have that technology, but they don't,"  
Verduyn explained.

Biometrics and smart cards--both relatively new security
technologies--were used only by 4 percent and 7 percent of survey
respondents, respectively. Intrusion prevention or detection systems
were used by 23 percent and VPNs, or virtual private networks, by 46

Organizations were attacked despite use of security products, with
nine out of 10 respondents saying they experienced a security
incident. In fact, the most common attacks aligned with the most
commonly used defenses. Computer viruses, worms or Trojan horses
plagued 84 percent of respondents, 80 percent reported spyware
trouble, and 32.9 percent said attackers were probing their systems
using network port scans.

Not all threats came from outside the organization. More than 44
percent of the survey respondents reported intrusions from within the
company. "Companies may be unaware of the internal potential for
computer security incidents," Verduyn said. He recommends applying
policies and procedures to thwart attacks from the inside.

The FBI surveyed companies in Iowa, Nebraska, New York and Texas.  
Companies older than three years, with more than five employees and
with more than $1 million in revenue were asked to participate. Survey
participants were asked to provide their responses by the end of July
2005, with their answers covering the previous 12-month period.

Copyright 1995-2006 CNET Networks, Inc. All rights reserved.

InfoSec News v2.0 - Coming Soon! 

This archive was generated by hypermail 2.1.3 : Thu Jan 19 2006 - 22:49:54 PST