TCS - Cybercrime How Bad Is It?

by Ira Wilsker
Golden Triangle PC Club
From the September, 2004 issue of the I/O Port Newsletter

Recently, the FBI published its 2004 CSI/FBI Computer Crime and Security Survey, which is available for free download at www.gocsi.com. While the rate of computer crime showed some improvement from last year's report, it is still a very serious problem.

Three of the key findings, according to the report, are: (1) Unauthorized use of computer systems is on the decline, as is the reported dollar amount of annual financial losses resulting from security breaches. (2) In a shift from previous years, the most expensive computer crime over the past year was due to denial of service. (3) The percentage of organizations reporting computer intrusions to law enforcement over the last year is on the decline. The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.

The survey was based on responses from 486 businesses, organizations, and governmental agencies, which represent a broad cross section of institutional computer users. Sixty-two percent of the respondents spend five percent or less of their annual IT (Information Technology) budgets on security, which indicates either that security is not terribly expensive or that security is not being maximized with the latest technologies. The medical, retail, and local government segments have the lowest per-employee spending on computer security, while the telecommunications, federal government, and transportation segments spend the most on cyber security on a per-employee basis. In dollar terms, annually and on a per-employee basis, the transportation industry spends about 60 times more on computer security ($608) than does the medical community, despite recent legislation (HIPAA) that requires the enhanced security of medical information. Local governments are also woefully lax in spending on IT security, at about $17 annually per employee.

Some apparent good news is that as we have become more aware of security issues, and have begun to implement better security procedures, 53% of respondents reported unauthorized use of their systems, the lowest since the survey started in 1999. Thirty-five percent said that there was no unauthorized access of their systems, the highest rate ever reported. Surprisingly, 11% had no idea if their systems had been improperly accessed or not, in my opinion an indication that there is still much blissful ignorance in terms of cyber security.

Computer viruses remain the number one type of incident, with 78% of respondents reporting infections, compared to nearly 100% in 1999, a positive indicator that antivirus software is being better utilized, but still not as well as it should be. The second most reported problem, at 59%, was insider abuse of internet access, compared to almost 100% in 1999; this is due to the creation and implementation of policies regulating employee internet use, as well as the increased utilization of internet use at home. The other major problems reported were laptop (notebook) computer theft at 49%, system penetration (hacker attacks) at 39%, and unauthorized access of information at 37%. Less common, but the most financially damaging, were the denial of service attacks, reported by 17%, where the networks or websites were the targets of organized mass attacks intended to cripple them or shut them down. This type of attack has become a favorite of virus and worm writers, and the victims are typically chosen for political, financial, or exposure reasons. Denial of service attacks cost those who could quantify the cost over $26 million. Ten percent reported that they were the victims of theft of proprietary information, a type of espionage which can also create significant financial damage, as well as other forms of security-related problems. Parallel to this was the almost 5% who were victims of sabotage, which can also create major financial problems as well as produce significant safety and security hazards. Five percent were also the victims of financial fraud, ranging from unauthorized access to financial accounts, identity theft, Nigerian 419 scams, and other forms of financial fraud; while only 5% reported this problem, the financial losses can be staggering for many companies and agencies. Also, about 5% were the victims of telecommunications fraud, where unauthorized individuals utilized private networks or restricted internet access, or made unauthorized long distance calls on the company phone systems by illegal access to their computer infrastructure.

Only 269 participants could quantify financial losses due to computer crime, and these losses totaled over $141 million. It should be noted that these figures reflect only 269 organizations reporting, and that there are millions of others who suffered staggering losses which were not reported in this survey. Some other published estimates put the total domestic losses in the billions.

Despite the horrendous losses, 48% of institutional victims did not report cyber criminal activity to law enforcement or any other entity, citing embarrassment as the leading reason. Fifty-one percent of those not reporting illicit activity explicitly cited the negative publicity that could adversely impact their image or stock prices. Thirty-five percent of the victims were afraid that competitors would take advantage of the incidents. Imagine how much a financial institution would lose in client confidence and fees if it were known that its computer networks had been attacked and penetrated. A shameful 20% of victims reported their victimization to a law enforcement agency. Another 16% reported their victimization to legal counsel, rather than law enforcement.

The losses stated in this report are but a tiny portion of cyber losses, and these statistics do not include the huge losses incurred by non-participants, both organizational and home users, who were not surveyed.

Tulsa Computer Society 9/01/2004
Don Singleton, President