A survey of U.S. businesses, government agencies, and universities by the Computer Security Institute confirms that few companies and organizations are prepared to fight the type of crime that has found a new home on the Internet.
Of the 428 organizations surveyed by the CSI using questions supplied by the FBI, 41 percent reported that they have experienced some form of intrusion or unauthorized use of their computer systems within the last year. Some of those reported as many as 1,000 incidents, but more than half of the discovered intrusions were traced to employees.
While many of those break-ins involved innocuous changes to data without explicit permission, others were attempts to steal passwords or block authorized users, or were even more blatant criminal acts.
More than half of the respondents did not have a written policy for breaches of network security, and more than 60 percent did not have a policy for preserving evidence. Fewer than 17 percent of those attacked reported the breaches to police or other law-enforcement agencies, mainly for fear of negative publicity, and about 20 percent said they didn't know if they'd been subject to intrusion.
Instead of turning to the law, companies often report breaches first to private crime-watch organizations like the Computer Emergency Response Team based at Carnegie Mellon University in Pittsburgh. Companies feel more comfortable sharing sensitive security problems with these organizations because they keep requests for help strictly confidential.
The surveys were sent to all 5,000 members of the CSI, a private group of large companies interested in computer security, including most of the Fortune 500 list companies, according to CSI director Patrice Rapalus. Although the rate of return was less than 10 percent, Rapalus said the results were statistically correct.
Nevertheless, some statisticians caution against using the survey to make generalizations about all U.S. corporations. "If you're just targeting your survey to members of a particular group, you can't really say anything [about organizations] outside that group," said Ann Kalinowski, senior statistician at Failure Analysis Associates.
Regardless of the statistical validity of the survey, several Internet rights organizations, such as the Center for Democracy and Technology, are citing the survey to garner support for a new bill introduced last week by Senator Conrad Burns (R-Montana) to loosen the government's regulation of encryption technology. They claim that a broader use of encryption technology, now limited by commerce laws that forbid the exportation of encryption software, would cut down on the incidence of Net break-ins.