Report: Cybercrime Outpacing Security Spending

Cybercrime is skyrocketing despite increased spending on security measures, according to “The 2000 Information Security Survey,” a study released Thursday by Information Security magazine.

“Results of this survey prove that spending millions of dollars (US$) adopting security practices doesn’t guarantee effectiveness,” said Andy Briney, editor-in-chief of Information Security, a publication of Internet security firm ICSA.net.

Inside Attacks

The survey found that more media attention is given to so-called “sexy cyberattacks” — such as denial-of-service (DoS), Web defacements, and buffer overflows — committed by outsiders. However, most cybercrimes are committed by insiders.

The survey also revealed that compared to last year, nearly twice as many companies were the victim of insider attacks, such as theft and the intentional destruction of computer equipment.

For example, only 37 percent of the 1,897 high-tech and info-security professionals who responded to the survey said that their company had sustained a DoS attack from a source outside the company. By contrast, 58 percent of the respondents said that insiders had abused computer access controls, and 41 percent reported that employees or other insiders had electronically destroyed or distributed confidential company information.

The Cost of Insider Attacks

Outsider attacks may make the front page, but insider attacks are just as costly, if not more so. In one insider cybercrime case, Timothy Lloyd was convicted of planting a bomb on Omega Engineering’s computer system after he found out he was about to be fired. The bomb systematically erased all of the company’s contracts, as well as proprietary software used by the company’s manufacturing tools.

Lloyd’s act of insider terrorism cost the company an estimated $12 million and its competitive position in the electronic manufacturing market.

E-Commerce Most Risky

E-commerce, the survey indicated, is the most risky of all Web activities for companies. According to the survey respondents, business-to-business (B2B) and business-to-consumer (B2C) e-commerce companies experience “significantly higher” risk of both insider and outsider security breaches.

E-commerce sites are also 25 percent more likely to experience attacks from insiders. The survey found that while 18 percent of companies not involved in e-commerce reported that insiders had electronically stolen or destroyed sensitive information, that number rose to 29 percent for e-commerce companies.

At least a portion of the insider attacks came from partners in B2B supply chains who have access to confidential information.

Increased Spending

The soaring number of security breaches come at a time when companies are spending more money than ever before on security. The Information Security survey found that the number of companies spending more than $1 million annually on computer security nearly doubled in the last year.

Security budgets are also up an average of 188 percent over the last two years.

Spending the most money on security are consulting firms, whose average security budgets are $2 million. Other high spenders include banking and finance companies, at $950,000; high-tech service providers, at $900,000; and high-tech hardware and software manufacturers, at $775,000.

At the low end of the spending spectrum are educational institutions, with average security budgets of $100,000; and medical/health care organizations, and non-military government entities, which had average security budgets of $250,000.

Best Defense

The best defense against cybercrime is not throwing more money at the problem, but spending more time thinking about security solutions, according to Briney.

A layered defense that uses overlapping computer technologies to detect and react to security breaches and incidents is one of the preferred solutions, the survey said. According to the survey, companies with multiple security tools detected a “far greater number of attacks” than companies with security tools.