May 29, 2003

FOR IMMEDIATE RELEASE
Contact: Robert Richardson, Editorial Director, Computer Security Institute
610-604-4604; Internet: rrichardson@cmp.com

CYBER ATTACKS CONTINUE, BUT FINANCIAL LOSSES ARE DOWN

251 organizations report almost $202 million in financial losses, but that's 56 percent improved over last year.

SAN FRANCISCO — Computer Security Institute (CSI) announced today the results of its eighth annual Computer Crime and Security Survey. The Computer Crime and Security Survey is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States.

Highlights include:

• Overall financial losses from 530 survey respondents totaled $201,797,340. This is down significantly from 503 respondents reporting $455,848,000 last year. (75 percent of organizations acknowledged financial loss, though only 47% could quantify them.)
  
  
• The overall number of significant incidents remained roughly the same as last year, despite the drop in financial losses.
  
  
• Losses reported for financial fraud were drastically lower, at $9,171,400. This compares to nearly $116 million reported last year.
  
  
• As in prior years, theft of proprietary information caused the greatest financial loss ($70,195,900 was lost, with the average reported loss being approximately $2.7 million).
  
  
• In a shift from previous years, the second-most expensive computer crime among survey respondents was denial of service, with a cost of $65,643,300--up 250 percent from last year's losses of $18,370,500.
  

Survey results illustrate that computer crime threats to large corporations and government agencies come from both inside and outside their electronic perimeters, confirming the trend in previous years. Forty-five percent of respondents detected unauthorized access by insiders. But for the fourth year in a row, more respondents (78 percent) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (36 percent).

Based on responses from practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, the findings of the 2003 Computer Crime and Security Survey confirm that the threat from computer crime and other information security breaches continues unabated.

Chris Keating, CSI Director, believes that the Computer Crime and Security Survey, now in its eighth year, has delivered on its promise to raise the level of security awareness and help determine the scope of crime in the United States.

"The trends the CSI/FBI survey has highlighted over the years are disturbing. Cyber crimes and other information security breaches are widespread and diverse. Fully 92 percent of respondents reported attacks," Keating notes. "Furthermore, such incidents can result in serious damages. The 251 organizations that were able to quantify their losses reported a total of over $200 million. Clearly, more must be done in terms of adherence to sound practices, deployment of sophisticated technologies, and most importantly adequate staffing and training of information security practitioners in both the private sector and government."

The complete survey is published on the CSI website at www.gocsi.com. For more information on the CSI/FBI Computer Crime and Security Survey contact Robert Richardson at rrichardson@cmp.com, phone 610-604-4604. For more information on CSI go to www.gocsi.com, phone 415-947-6320, email csi@cmp.com.

###

Computer Security Institute (CSI) is the world's premier membership association and education provider serving the information security community. For 30 years CSI has helped thousands of security professionals to protect their organizations' valuable information assets through conferences, seminars, publications and membership benefits. NetSec '03 will be held June 23-25 in New Orleans and the 30th Annual Computer Security Conference and Exhibition will be held November 3-5 in Washington, D.C.

The FBI, in response to an expanding number of instances in which criminals have targeted major components of information and economic infrastructure systems, has established the National Infrastructure Protection Center (NIPC) located at FBI headquarters and the Regional Computer Intrusion Squads located in selected offices throughout the United States. The NIPC, a joint partnership among federal agencies and private industry, is designed to serve as the government's lead mechanism for preventing and responding to cyber attacks on the nation's infrastructures. (These infrastructures include telecommunications, energy, transportation, banking and finance, emergency services and government operations.) The mission of Regional Computer Intrusion Squads is to investigate violations of Computer Fraud and Abuse Act (Title 8, Section 1030), including intrusions to public switched networks, major computer network intrusions, privacy violations, industrial espionage, pirated computer software and other crimes.

Copyright 2003, Computer Security Institute, 600 Harrison Street, San Francisco, CA 94107. Telephone: 415-947-6320 Fax: 415-947-6023, email csi@cmp.com.