
 Computer Crime Continues to Increase,
 Reported Losses Total Over $100 Million

 Source: PR Newswire 

 SAN FRANCISCO, March 11 /PRNewswire/ via Individual Inc. -- The Computer
 Security Institute (CSI) announced today the results of its second annual "Computer
 Crime and Security Survey."

 The "1997 Computer Crime and Security Survey" was conducted by CSI and
 composed of questions submitted by the Federal Bureau of Investigation (FBI)
 International Computer Crime Squad's San Francisco office. The effort is meant to
 raise the level of security awareness as well as help determine the scope of computer
 crime in the United States. The survey was sent to security practitioners in a variety of
 U.S. corporations, government agencies, financial institutions and universities. This
 year, responses were obtained from 563 organizations, a significant increase over last
 year's 428 responses.

 Perhaps the most compelling aspect of the 1997 survey results is the light it sheds on
 the cost of computer crime.

 * 75% of respondents reported financial losses due to various computer security
 breaches ranging from financial fraud, theft of proprietary information and sabotage on
 the high end to computer viruses and laptop theft on the low end.

 * Of those reporting financial losses, 16% cited losses due to unauthorized access by
 insiders; 14% cited losses due to theft of proprietary information; 12% cited losses due
 to financial fraud; 11% cited losses due to sabotage of data or networks; and 8% cited
 losses due to system penetration from outside.

 * Less sophisticated security breaches were more widespread (or more easily
 detected). For example, 57% cited losses due to theft of laptop computers, 31% cited
 losses due to employee abuse of Internet privileges (for example, downloading
 pornography or inappropriate use of e-mail), and 16% cited losses due to
 telecommunications fraud.

 Fifty-nine percent of survey respondents who reported financial losses were able to
 quantify them; the total dollar amount for the 249 organizations that could came to
 US$100,119,555.

 * 26 respondents reported a total of $24,892,000 in losses due to financial fraud. 35
 respondents reported $22,660,300 in losses due to telecommunications fraud. 22
 respondents reported $21,048,000 in losses due to theft of proprietary information. 26
 respondents reported $4,285,850 in losses due to sabotage of data or networks. 22
 respondents reported $3,991,605 in losses due to unauthorized access by insiders. 22
 respondents reported $2,911,700 in losses due to system penetration from outsiders.

 * 165 respondents reported losses due to computer virus infestations for a total of
 $12,486,150. 160 respondents reported losses due to laptop theft for a total of
 $6,132,200 in losses. 55 respondents reported losses due to employee abuse of Internet
 privileges for a total of $1,006,750.

 Other highlights of the survey include:

 * The number of organizations that experienced some form of intrusion or other
 unauthorized use of computer systems within the last 12 months rose from 42% in
 1996 to 49% in 1997.

 * The number of organizations that cited their Internet connection as a frequent point
 of attack rose from 37% in 1996 to 47% in 1997. Meanwhile, internal systems
 remained the greatest problem, with over 50% citing them as a frequent point of attack.
 Concern over remote dial-in as a frequent point of attack declined slightly from 39% in
 1996 to 34% in 1997, probably due to increased reliance on Internet connectivity.

 * Organizations have experienced multiple attacks from both inside and outside the
 perimeter. For example, 43% reported from one to five attacks from the inside, and 47%
 reported from one to five attacks from the outside. These responses indicate that the
 "conventional wisdom" that "80% of information security problems are internal" is no
 longer true. It is not that the threat from within has diminished; it is simply that the
 threat from the outside has risen dramatically due to Internet usage.

 * Although over 80% of respondents perceive disgruntled employees as a likely source
 of attack, over 70% perceive hackers as a likely source. Over 50% also consider
 U.S.-owned corporate competitors a likely source. Over 50% of respondents also indicated
 that information sought in recent attacks would be of use to U.S.-owned corporate
 competitors. And reflecting the increased competition in the global marketplace, 26%
 cited foreign competitors as a likely source of attack and 22% also cited foreign
 governments as a likely source of attack.

 In terms of security procedures in place, the results of the 1997 survey showed some
 incremental progress from the results of the 1996 survey:

 * In the 1996 survey, over 70% of respondents indicated that their organizations did not
 have a "Warning" banner stating that computing activities may be monitored. In the
 1997 survey, over 50% indicated that they did have a "Warning" banner in place. (Absence
 of "Warning" banners hampers investigations and exposes an organization to liability.)

 * In the 1996 survey, over 60% of respondents didn't have a policy for preserving
 evidence for criminal or civil proceedings. In the 1997 survey, the number dropped to
 55%.

 * The number of respondents who indicated that they had been attacked and had
 reported the attack to law enforcement remained relatively unchanged (16% in 1996, 17% in 1997).

 * Those citing fear of negative publicity as the primary reason for not reporting
 dropped from 74% to 65%.

 On the other hand, over 60% still don't have a computer emergency response team in
 place.

 CSI Director Patrice Rapalus sees a vital message in this year's survey results.

 "The survey results concerning financial losses due to security breaches should sound
 the alarm for corporations and government agencies. This $100 million figure is very
 conservative. The message is clear -- don't be penny-wise and pound-foolish. It is
 better to be proactive and spend shrewdly on information security products, training
 and services than to incur heavy financial losses and a public relations nightmare later
 on."

 CSI, established in 1974, is a San Francisco-based association of information security
 professionals. It has thousands of members worldwide and provides a wide variety of
 information and education programs to assist practitioners in protecting the information
 assets of corporations and governmental organizations.

 Charles Mathews, Associate Special Agent in Charge of the FBI's San Francisco
 Office, underscored the importance of this survey, stating that the results continue to
 provide law enforcement with valuable data that the FBI can use to assess and fight
 this emerging crime problem. "I'm still concerned," he said, "that there appears to be a
 reluctance on the part of the private sector to report allegations of computer crime to
 law enforcement. The FBI has and will continue to listen to and work with the private
 sector with the goal of increased reporting."

 The FBI has established international Computer Crime Squads in selected offices
 throughout the United States. The mission of these squads is to investigate violations of
 the Computer Fraud and Abuse Act of 1986, including intrusions to public switched
 networks, major computer network intrusions, privacy violations, industrial espionage,
 pirated computer software and other crimes where the computer is a major factor in
 committing the criminal offense.

 SOURCE Computer Security Institute

 /CONTACT: Patrice Rapalus, Director of Computer Security Institute, 415-905-2310,
 or prapalus@mfi.com/
 http://www.prnewswire.com [03-11-97 at 12:00 EST, PR Newswire] 
