Survey: Cybercrime down, costs up

Computer Security Institute's summary of survey

The latest results of an annual survey on computer crime and security show a drop in the number of computer security breaches to government and private-sector systems.

In last year's survey, 90 percent of survey respondents reported that they had detected a security breach in the past 12 months. This year, 85 percent reported security breaches.

However, the California organization that conducted the survey — with the cooperation of the FBI's San Francisco office — could not say whether government or the private sector is the greater victim of computer crime.

"We don't really break down the survey results based on government or private sector," said Patrice Rapalus, director of the Computer Security Institute (CSI). "But from 10 years in the business, I'd say it's pretty much even."

What is clear is that the cost of computer crime to victims is carrying a higher price than a year ago, according to highlights of the survey released Monday.

The complete survey will be released at the end of March, according to Rapalus, though some findings are available at CSI's Web site.

Among the findings is that 35 percent of the 538 respondents — 186 respondents — volunteered that they lost a combined $377.8 million last year through computer crime. The year before, 42 percent, or 249 respondents, owned up to losing a total of $265.5 million in the 12 months prior, according to CSI.

Rapalus said it is difficult to say whether the overall numbers mean things have gotten better or worse, although Bruce Gebhardt, the head of the FBI's northern California office, said the results "again demonstrated the seriousness and complexity of computer crimes."

The vulnerability of conducting business online is a law enforcement challenge that requires continued cooperation between government and industry, Gebhardt said in a statement.

Furthermore, Andrew Black, a spokesman for the bureau's San Francisco office, said governments must follow the same security rules as businesses do for their sites and networks.

"Unless all employees follow their [computer] security plan, they become vulnerable," Black said. "We impress on the system administrator to stay on the employees to follow the security safeguard plan. That would make our job a lot easier."