FBI: 90% of Organizations Face Computer Attack; 64% Incur Financial Loss

The FBI reports that 9 out of 10 organizations in the country are victims of some sort of computer security incident, and one-fifth are hit more than 20 times a year.

Almost two-thirds suffer financial loss as a result of the cyber incidents.

The 2005 FBI Computer Crime Survey is based on responses from a cross-section of more than 2,000 public and private organizations. Among its findings:

Frequency of attacks. Nearly nine out of 10 organizations experienced computer security incidents in a year’s time; 20% of them indicated they had experienced 20 or more attacks.

Types of attacks. Viruses (83.7%) and spyware (79.5%) headed the list. More than one in five organizations said they experienced port scans and network or data sabotage.

Financial impact. Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.

Sources of the attacks. They came from 36 different countries. The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading.

Defenses. Most said they installed new security updates and software following incidents, but advanced security techniques such as biometrics (4%) and smart cards (7%) were used infrequently. In addition, 44% reported intrusions from within their own organizations, suggesting the need for strong internal controls.

Reporting. Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement’s response. And 81% said they’d report future incidents to the FBI or other law enforcement agencies. Many also said they were unaware of InfraGard, a joint FBI/private sector initiative that battles computer crimes and other threats through information sharing.

Bruce Verduyn, a special agent in Houston’s Cyber Squad, which administered the survey, said that this new survey differs from the annual CSI/FBI Computer Crime and Security Survey conducted by the Computer Security Institute and the FBI. “We surveyed about three times as many organizations and focused more on new technologies, where attacks originated, and how organizations responded,” he said.

Agent Verduyn believes the survey is a clear sign of the urgent need for vigilance against both internal and external cyber assaults.

Frank Abagnale, security consultant and subject of the movie “Catch Me If You Can,” echoed those comments, saying: “Every company, both large and small, should study this survey and use the data as the basis for making changes. Those who ignore it do so at their peril.”

The survey can be found at http://www.fbi.gov/publications/ccs2005.pdf

Source: FBI