CyberSecurity Institute

A survey by Bank of Scotland (BoS) found that 37 per cent of UK small firms were being badly hit in the pocket by spam and viruses, such as the SoBig outbreak which hit many businesses earlier this year. The study found that the while the cost of minor data losses and firewalls is less than £1,000 a year for two-thirds of small firms, a full-scale virus attack can be terminal for entrepreneurs on tight budgets.

For one in fifty businesses polled, the cost of computer viruses was over £10,000 per year. A further 40 per cent of bosses claimed that junk email significantly added to their costs, with one in ten losing an estimated £10,000 year through lost productivity and the cost of filtering systems.

Multiple unwanted faxes are also a headache for small firms, with over half of those surveyed claiming that the cost of receiving and handling junk faxes was a significant problem.

Firms in London were most concerned about the impact of computer viruses, while Newcastle businesses were most likely to suffer from a high volume of spam. The research suggests that anti-spam laws, introduced by the government last year, have done little to ease business concerns over the impact of junk email on productivity and profits. Although individuals are now banned from sending emails and other communication to users without prior consent, the laws only apply in the UK and has done little to stem the flood of junk from the USA.

Computer viruses continue to pose a serious threat to small firms, who often do not have the resources to properly protect their IT systems or recover lost data. Eddie Morrison, of BoS, said that computer viruses are clearly one of the scourges of our business age. “The cost of protecting systems with ever more advanced firewalls can be expensive in itself but compare to that the devastation of losing important files to a virus. It has also become increasingly easy for small firms to be bombarded with multiple unsolicited emails and faxes for advertising and other purposes. Though less often seen as a direct threat, it can generate significant costs to the unsuspecting recipient.”

More info: http://www.theregister.co.uk/2004/06/15/viruses_hit_small_biz/

Nearly 500 computer security professionals in US corporations, government agencies, financial institutions, medical institutions and universities responded to the 2004 survey, with 53 per cent reporting that their organization experienced unauthorized use of computer systems during the prior 12 months – down from 56 per cent in 2003.

Thirty-five per cent believed they had not been breached, and 11 per cent said they didn’t know.

Overall financial losses totaled out to $141m for the 269 respondents willing to quantify their losses, down significantly from 251 respondents reporting $202m in losses in 2003.

Reported losses to intellectual property theft plummeted to $11m in 2004, putting denial of service attacks in the number one spot as the most expensive computer crime, allegedly causing $26m of the total losses.

Twenty-eight per cent of the respondents said their organization had insurance policies to help manage cybersecurity risks.

Despite federal government efforts to encourage information sharing between industry and the Department of Homeland Security, the survey “detected no increase in the disposition to share information about security intrusions,” according to the report.

The percentage of companies suffering intrusions who reported them to law enforcement dropped from 30 per cent to 20 per cent; the most common reason for keeping an intrusion quiet was fear of negative publicity, a factor for 51 per cent of the companies that failed to report a breach.

While comparisons with previous years may be enlightening, the CSI/FBI survey is decidedly unscientific: the sample pool is self-selected from a panel of computer security professionals. CSI director Chris Keating cautioned against drawing overly optimistic conclusions from the downward trends reported in the study. “Obviously, computer crime remains a serious problem and some kinds of attacks can cause ruinous financial damage,” Keating said in a statement. We don’t believe that all organizations maintain the same defenses as our members – financial damages for less protected organizations are almost certainly worse.”

More info: http://www.theregister.co.uk/2004/06/11/csi_fbi_computer_intrusion/