Most of this data comes from the most recent CSI/FBI Computer Crime
and Security Survey, which is available for free from the Computer
Security Institute web site.
Over half of the organizations surveyed have had unauthorized use
of their computer systems within the last year. Some statistics
indicate that university computing systems, because of the
environment they reside in, are sometimes attacked within an hour
of being installed.
Internet connections are increasingly cited as the principal source
of attacks, although attacks from internal systems are also high.
What types of attacks and breaches are typical:
- Independent hackers.
- Disgruntled employees.
- Foreign governments.
- Foreign corporations.
- U.S. competitors.
- Laptop and other computer
- Active wiretaps.
- Telecom fraud.
- Denial of service attacks.
- Unauthorized access from inside
- Insider abuse of network access.
- Financial fraud.
- Virus attacks.
- System penetration.
- Telecom eavesdropping.
- Theft of proprietary
- Attacks on web sites.
- Mistakes such as inadvertently
- Outdated information being used
for business processes such as mailings.
- Very high percentages of
breaches are caused by software being installed and configured
incorrectly. The default installation parameters <> the default
According to the FBI, the of sources
of attacks are split fairly evenly between internal employees and
These attacks typically involve the theft of
proprietary data and those that cause system downtimes such as virus
and denial of service type attacks. Nationally, costs run into
millions of dollars in downtime, lost information, loss of
proprietary information, loss of competitive advantage and other
It is also somewhat ironic that most organizations are typically not
even aware that attacks or system intrusions have occurred. However,
when they did know, they patched the holes. Most organizations do
not report these intrusions or attacks to law enforcement or their
legal counsel. They were concerned with negative publicity, felt
that competitors might use the information to their advantage, were
unaware that they could report these incidents, or felt that a civil
remedy would be best.
Some key elements of security are related to privacy, reliability
and business integrity, and attacks can cause disruptions in any and
all of these areas.
Security also needs to be built in by design and by default when you
deploy systems, and communicated to employees when new systems
or business processes are introduced or updated.
Security, data, and information technology issues need to be an integral part of employee
accountability and should be incorporated into
human resource management practices, from new employee
orientations to defining jobs and job descriptions, and included as
an item in performance reviews.