March 12, 2001, 6:28 PM — The cost of cyberattacks on U.S. companies, government agencies, banks and universities continues to rise, reaching $377 million annually, according to a Computer Security Institute (CSI) survey released Monday. The figure is 41 percent more than the loss reported in the last CSI survey.
CSI conducted its sixth computer crime and security survey last year, asking computer security officials across the U.S. several questions about the nature of the attacks and where they believed their systems were most vulnerable. The survey was conducted in conjunction with the U.S. Federal Bureau of Investigation (FBI).
The most serious losses involved theft of proprietary information. That type of security breach accounted for $151 million of the $377 million total. Financial fraud was the second-highest security breach in terms of cost, resulting in a $92 million loss. Of the 538 computer security specialists who participated, only 186 were willing to share the estimated amount of money their organization lost due to security breaches. That was down significantly from last year, when 249 respondents shared the amount of their loss.
Patrice Rapalus, director of the CSI, said it was difficult to discern why fewer computer security specialists were willing to share the estimated loss figure. However, she said she thinks the higher estimated amount of loss compared with last year was due to improved techniques for measuring the loss.
Other findings of the survey, which has been posted at the CSI's Web site (www.gocsi.com), include:
- For the fourth year in a row more respondents cited their Internet connection as a frequent point of attack -- 70 percent -- than cited their internal systems as a frequent point of attack -- 30 percent.
- Thirty-six percent of respondents reported the intrusions to law enforcement, an increase from the 25 percent that reported them in the 2000 survey.
- The types of attacks included penetration from the outside, mentioned by 40 percent of the respondents; denial of service attacks, mentioned by 38 percent; employee abuse of Internet access privileges, cited by 91 percent; and computer viruses, detected by 94 percent.
- In response to questions about their electronic-commerce Web sites, 23 percent said they suffered unauthorized access or misuse, and 21 percent of the officials who acknowledged attacks reported from two to five incidents, while 58 percent reported 10 or more.
- Thirteen percent reported theft of transaction information and 8 percent reported financial fraud.