Released today, the 2003 Australian Computer Crime and Security Survey found that total losses from computer crime and misuse were almost $12 million across the 214 organisations surveyed, more than double the quantified losses for 2002 at $5.7 million.
Financial fraud topped the list as the biggest cause of loss at around $3.5 million. Laptop theft ($2.25 million), virus, worm and trojan infection ($2.23 million), and insider abuse of resources ($1.27 million) were the other largest causes of financial loss. The number of respondents that experienced laptop theft increased 21 percent on last year's results.
In terms of attacks, external attacks were more prevalent than internally-sourced attacks. Of those who experienced attacks, 91 percent experienced externally-sourced attacks and 36 percent experienced internally-sourced attacks, the survey stated. Most of these attacks, 51 percent, were believed to be indiscriminate. The next most common suspected motive, at 41 percent, was to use the company's network or bandwidth resources.
Average losses for those who quantified the cost of computer crime, attack or system abuse in 2003 are up by 18 percent at $93,657, compared with $77,084 in 2002.
Australian businesses also increased their expenditure on network security in the past 12 months as a result of computer security incidents, said the survey.
The Australian survey was carried out by Australia's Computer Emergency Response Team (AusCERT - the Australian arm of CERT) in conjunction with the Australian Federal Police, and Queensland, South Australian and Western Australian police agencies and the Attorney General's department. AusCERT surveyed 214 public and private sector organisations, including many of the top public sector companies in Australia, to get an insight into the level of damage caused by IT security incidents against Australian business.
The survey results demonstrated that most organisations are still finding it difficult to manage a multitude of issues concerning the proper protection of their information systems, AusCERT general manager Graham Ingram said.
“The fact that greater numbers are reporting harmful externally-sourced attacks and fewer are reporting internally-sourced attacks simply means that with increased connectivity and exposure to the Internet, the opportunities for external attacks are occurring at a faster rate,” he said.
“In some cases, it is clear that organisations aren't aware of some relatively basic security issues and have paid dearly.”
Other key findings of the survey include:
• 42 percent of respondent organisations experienced one or more computer attacks which harmed the confidentiality, integrity or availability of network data or systems.
• A mere 11 percent of respondents felt they were managing all computer security incidents of concern, despite overall lower levels of incidents being reported.
• Only a minority of respondent organisations hold specialist IT security certifications, with industry vendor IT security certifications at 36 percent and vendor-neutral IT certifications at 15 percent.
• Despite high use of anti-virus software and security policies, a staggering 80 percent were infected with a virus, worm or trojan and 57 percent suffered a financial loss as a result. This was more than last year.
The survey results are expected to help police across Australia fight computer crime. Alastair MacGibbon, director of the Australian High Tech Crime Centre, a Commonwealth State Initiative hosted by the Australian Federal Police, said the survey sent the following key messages to the police:
• Most IT security incidents are not reported to police;
• Many of the incidents occur as a result of poor (or no) IT security policies and procedures and could therefore be prevented;
• IT security incidents will never be eradicated, but they can be reduced and their damage minimised; and
• Law enforcement has a vital role in partnering with business and in contributing to IT security education.
The survey was released today at the AusCERT security conference on the Gold Coast this week.