Computer Crime and its Cost to the Organization
Computer crimes are divided into two separate categories, namely crimes that are facilitated by a computer and those where a computer or network is the target. In the case of crimes that use the computer as a tool to aid criminal activity, the activities of the perpetrators may include the storage of records of fraud, the production of false identification, the reproduction and distribution of copyrighted material, the collection and distribution of child pornography, and much more. On the other hand, crimes that make targets of computer systems may result in damage or alteration to the computer systems. Computers that have been compromised thus may be employed further to launch attacks on other computers and networks (How the FBI, 2004).
Technology has not only made business easier for organizations around the world, but it has also made it easier for criminals to conceal information about their crimes. The sophistication of today's digital environment makes careful computer forensic investigation necessary for the collection of evidence to combat computer crime. By targeting a computer system in order to increase its vulnerability to further attacks, computer criminals also make careful computer forensic investigation more difficult (How the FBI).
The Federal Bureau of Investigation in the United States considers computer crime as one of its highest priorities. The 2005 FBI Computer Crime Survey addressed this priority by involving 2066 organizations to understand the nature of computer security incidents experienced by different sizes and types of organizations in the country. The 23-question survey used across the states of Iowa, Nebraska, New York, and Texas included questions on issues such as computer security technologies used, security incident types, actions taken to combat computer crime, in addition to emerging technologies and trends, for example, wireless and biometrics (2005 FBI). The results of the survey revealed that it is costing U.S. businesses approximately $67.2 billion per year in dealing with viruses, spyware, PC theft and other computer related crimes. Moreover, 1324 out of the 2066 participant organizations in the research had suffered a financial loss due to computer crimes over a period of twelve months. The average cost of computer crime per company is greater than $24,000, while the total cost reached $32 million for the organizations surveyed by the FBI. There are almost 2.8 million U.S. organizations affected by at least one computer security incident, also according to the 2005 FBI Computer Crime Survey (Evers, 2006).
The results of the survey on computer crime affecting organizations have been compared with the effects of other fraud types. Telecommunication fraud losses, for example, only amount to $1 billion per year, according to the United States Secret Service. On the other hand, the overall cost to Americans of identity fraud reached $52.6 billion in the year 2004 (Evers).
Organizations spend nearly $12 million in dealing with worms, viruses, and Trojan horses. Responding to virus-type incidents is the most costly for organizations. Furthermore, computer theft costs organizations approximately $3.2 million, followed by financial fraud costing $2.8 million, and network intrusions costing $2.7 million. These figures do not, however, include the cost of staff, technology, time, and software employed in the prevention of security incidents. Research has further shown that antivirus software is used by 98.2 percent of organizations, firewalls are utilized by 90.7 percent of organizations, and about three-quarters of all organizations employ anti-spyware and anti-spam software. Biometrics and smart cards are only used by 4 percent and 7 percent of organizations respectively. Intrusion prevention and detection software is employed by 23 percent of organizations, and virtual private networks (VPNs) are used by approximately 46 percent (Evers).
What is more, organizations are affected by computer crimes despite the use of security products. Nine out of ten participant organizations in the 2005 FBI Computer Crime Survey reported that they had experienced a security incident. “In fact, the most common attacks aligned with the most commonly used defenses,” writes Joris Evers. Around 84 percent of the organizations reported having been plagued by computer viruses, worms or Trojan horses; 80 percent also reported spyware trouble; while 32.9 percent of the participant organizations said that attackers are probing their computer systems by employing network port scans.
Organizations are not only threatened by computer intrusions from outsiders, but also by intrusions from within the company. As a matter of fact, 44 percent of the participant organizations in the FBI survey reported that they had experienced intrusions from within the company. Evers writes that policies and procedures to thwart attacks from within the company are a good way to combat the problem.
Computer crime is not only a blight for American organizations. Just as the FBI in the United States has made combating computer crime one of its highest priorities, several European countries, including the United Kingdom and Germany, have decided to tighten laws against computer hacking. These revisions to the computer crime laws are in line with the European 2001 Convention on Cybercrime, in addition to similar European Union measures that were passed in early 2005 and agreed on by forty-three nations. All the same, companies that use hacking programs to test the mettle of their own security systems are concerned about cases where the revised laws apply to programs that could be used both for research purposes and for breaches of security. Hence, security professionals are scrutinizing the revisions to the computer crime laws out of concern for how European prosecutors and judges could apply them (Kirk, 2006).
Australia is another developed nation where increases in attacks by electronic viruses and other computer crimes call for stringent preventive measures. A survey conducted in the year 2004 involving seventeen private industry sectors and all tiers of government revealed that the average annual losses from electronic attack, computer crime, or computer access misuse or abuse had increased to $116,212 per organization compared to the survey results of 2003. Moreover, the survey results showed that in 2003, 42 percent of the organizations reported having experienced electronic attacks that harmed the confidentiality, integrity, or availability of network data or systems, as compared to 49 percent of the organizations experiencing the same problem in 2004. Approximately 88 percent of the organizations in 2004 reported that the sources of computer attacks were external, while 36 percent reported that the sources were internal. Additionally, for the third consecutive year, the results of the survey revealed that infections from viruses, worms, and Trojans were the most common form of electronic attack on organizations. Such attacks were the greatest cause of financial losses, accounting for 45 percent of the total loss of 2004. Laptop theft, and abuse and misuse of computer network access or resources, were next in line as causes of financial loss to the organization from computer crime (Media Release, 2004).
Respondents in Australia’s survey of computer crimes further reported that although they had taken steps to improve their Information Technology systems, their responses to computer crime were not sufficient. In addition, it was found that organizations that seek to protect their IT systems do not appear to be keeping pace with the rapidly changing nature of threats and vulnerabilities in the area, particularly the increasing number and severity of system vulnerabilities and the number and swift propagation of Internet worms and viruses. Organizations also find it difficult to keep up to date with information about the latest computer threats and vulnerabilities. Moreover, the most difficult task of the organization is to change user attitudes and behavior with respect to computer crimes. Approximately 49 percent of Australian organizations surveyed in 2004 reported that their staff was inadequately trained and educated in security practices. Hence, 60 percent of the organizations faced unprotected software vulnerabilities, and 45 percent asked for greater support for IT security issues from senior management (Media Release).
Back in the United States, organizations are becoming more vigilant about computer security risks. Yet, only 90 percent of organizations that experienced attacks reported them to law enforcement, according to a statement made by the FBI. In July 2005, the results of a survey conducted by both the FBI and the Computer Security Institute (CSI) revealed that attacks on computer networks and losses from computer attacks are actually decreasing in the country. This survey involved 700 U.S. corporations and government agencies in addition to financial and medical institutions (Roberts, 2006). The results of this survey can be compared to the results of the 1998 Computer Crime and Security Survey conducted by CSI in collaboration with the FBI International Computer Crime Squad. Based on the responses of 520 security practitioners in corporations, government agencies, financial institutions and universities in the United States, the survey results had shown that computer crime and other information security breaches were on the rise in the late 1990s, and that the cost to U.S. corporations and government agencies was increasing. Moreover, the average cost of computer crimes to the organization in 1998 was approximately $567,726 per year (Annual Cost, 1998).
The fact that computer crimes against U.S. organizations are now decreasing, possibly due to an increase in law enforcement efforts to combat computer crime, does not invalidate the truth that computer crimes continue to be widespread in the organizational landscape of the country. The 2005 FBI Computer Crime Survey results further revealed that security software and hardware had failed to prevent more than 5000 incidents of computer crime among the organizations under study. And the most common intrusion attempts from outside the organizations had originated in the United States, China, Nigeria, Germany, Russia, and Romania (Brenner, 2006).
The reasons that many organizations fail to report computer crime to law enforcement are manifold. Approximately 700 organizations participating in the 2005 FBI Computer Crime Survey reported that there was no criminal activity to report; another 700 reported that the incident of computer crime was too insignificant to report; while 329, or 23 percent of the organizations, believed that law enforcement would not be interested in a report on computer crime. Among the organizations that had failed to report incidents of computer crime to law enforcement, it was additionally revealed that many did not believe that law enforcement could help them. According to the FBI survey report:
This may be due to the nature of the security incident or it may be the public’s perception (or experience) that law enforcement was not equipped to investigate computer crime…. While some individual law enforcement officers are not trained to respond to computer security incidents, local, state, and federal law enforcement agencies have become increasingly equipped to both investigate and assist in the prosecution of such violations…. Computer related crime is the third-highest priority in the FBI, above public corruption, civil rights, organized crime, white collar crime, major theft and violent crime (Brenner).
Yet another reason proposed by the FBI for organizations failing to report computer crime to law enforcement is that these organizations are concerned with minimizing public knowledge of a computer intrusion. In the case of a public company, it is important to minimize public knowledge of security breaches because of concern over the effects of the crime report on stock prices (Brenner). Similarly, companies that store personal information on their consumers fear losing those consumers if computer crimes are reported. Indeed, at least 3 percent of the respondents in the 2005 FBI Computer Crime Survey reported that they did not report the incident to law enforcement in an effort to minimize the potential negative public exposure (Brenner). Marc Rogers (1999) believes that it is impossible to find an accurate measure of the extent of organized computer crime because organizations try to minimize potential negative public exposure. He writes:
There have been some attempts to estimate the financial impact of general computer crime on the corporate world, but unfortunately compiling accurate, valid, and meaningful statistics in relation to computer attacks is problematic. There are several factors that influence the accuracy of surveys and research into computer crime rates. One such factor is that victims are hesitant to admit they were attacked, and fewer still report the attacks to authorities. The common belief among researchers is that reported figures are an under-estimation of the true problem. The CSI/FBI indicated that in the most recent survey they conducted that the cost of network security breaches in general was in excess of $126 Million USD. This is a significant number and becomes even more staggering when we consider it to be an under-estimation.
Yet another reason why the cost of computer crime to the organization might be underestimated is that surveys do not take into account the responses of all organizations in a nation. Hence, the estimated cost of computer crime is always a conjecture. In point of fact, surveys on computer crime may be leaving out many of the organizations that face the most extensive range of computer crimes. Because they do not include every organization in the country, survey results are only estimates. In reality, the cost of computer crime to the organization may be much higher than the estimate. Likewise, it may be lower than the estimated amount of financial loss.
With regard to the public disbelief concerning the ability of law enforcement agencies to take appropriate measures to combat computer crime, the Carnegie Mellon Software Engineering Institute reports on the federal statutes under which computer crimes are investigated. The report, “How the FBI Investigates Computer Crime,” reads: “The FBI is sensitive to the victim’s concerns about public exposure, so any decision to investigate is jointly made between the FBI and the United States Attorney in order to take the victim’s needs into account.” The following federal statutes are used most frequently by the FBI to investigate computer related crimes: (1) 18 U.S.C. 875 Interstate Communications: Including Threats, Kidnapping, Ransom, Extortion; (2) 18 U.S.C. 1029 Possession of Access Devices; (3) 18 U.S.C. 1030 Fraud and related activity in connection with computers; (4) 18 U.S.C. 1343 Fraud by wire, radio or television; (5) 18 U.S.C. 1361 Injury to Government Property; (6) 18 U.S.C. 1362 Government communication systems; (7) 18 U.S.C. 1831 Economic Espionage Act; and (8) 18 U.S.C. 1832 Trade Secrets Act. Moreover, every U.S. state has its own laws and procedures pertaining to the investigation and prosecution of computer crimes (How the FBI).
Organizations that combat computer crime by involving law enforcement are expected to reduce the overall costs of computer crime in the long run. This is because the involvement of law enforcement should act as a deterrent for future computer related criminal activity. The Carnegie Mellon Software Engineering Institute additionally informs U.S. organizations of the conditions under which the FBI normally investigates incidents of computer crime. These conditions include a violation of the federal criminal code that occurs within the jurisdiction of the FBI, and the United States Attorney’s Office supporting the investigation and agreeing to prosecute the subject if the elements of the federal violation can be substantiated. What is more, the Carnegie Mellon Software Engineering Institute informs organizations that federal law enforcement may only gather proprietary information concerning an incident through a request for voluntary disclosure of information, a court order, a federal grand jury subpoena, or a search warrant (How the FBI).
According to the Internet and mobile security services provider F-Secure Corp., based in Helsinki, Finland, the year 2006 saw a remarkable slowdown in worm attacks and widespread malware assaults around the world (Arrelland, 2007). This suggests that Australia, too, might now be facing a decrease in computer crimes just as the United States is, as compared to the experience of both countries in the 1990s and early 2000s. F-Secure Corp. has warned, however, that in 2007 organizations are likely to witness an increase in targeted attacks, “with backdoors, booby trapped documents and rootkits.” A backdoor allows the computer criminal to bypass normal authentication or secure remote access to a computer while trying to remain hidden from routine inspection. In the year 2007, the backdoor may take the form of an installed program, or be employed as a modification to a legitimate program used by the organization (Arrelland).
The chief research officer at F-Secure Corp. said regarding expected computer crimes in 2007: “Instead of transmitting millions of e-mails with infected attachments, attackers are sending as few as five infected e-mails to a single target.” By so doing, hackers may use a cloaking device such as a rootkit to hide a backdoor and extract important information from a target organization. Further, the forged emails may include booby-trapped Microsoft Office documents or Excel spreadsheet files that seem as though they have come from a legitimate source, or even from the organization itself (Arrelland).
The chief research officer has additionally warned about an increase in phishing scams and the use of bogus domain names. “Obviously phishing works since the attacks continue to build in force and complexity,” he explained. And so, clever social engineering schemes and counterfeit, albeit well-constructed, websites or phishing emails could separate the unsuspecting from their money and private information. What is more, scam artists are known to increasingly deploy sites with a lifespan of just an hour in order to entice users and then vanish. PayPal and eBay are among the outfits most targeted by phishers. Certain German banks are also becoming popular targets. Lastly, F-Secure Corp. warned about sites that deploy login boxes asking users to type in valid PayPal user numbers, passwords, and credit card numbers (Arrelland).
Nestor E. Arrelland writes that despite the growing threat, a huge number of Canadian companies do not have adequate security training for their employees. As we have seen, this problem is not limited to Canada alone. Rather, the threat of computer crime keeps growing in new directions with advances in technology; computer crimes are also becoming more technologically advanced by the day. Hence, it is difficult for many companies to keep up with the advancements in computer crime. Nevertheless, combating computer crime is crucial to a business. Seeing that computer crime is costing organizations a great deal of money, despite the fact that it may now be on the decrease as law enforcement agencies take a deeper interest in solving the problem, fighting computer crime is a constant struggle for the organization. No company may let down its guard because it does not expect computer crime to occur in the future. Instead, companies must train their staff in security measures, learn the laws concerning computer crime, and apply those laws by contacting law enforcement about computer crime when and if required. Companies may do well to develop separate departments responsible for the security of their computers and computer systems. Moreover, organizations must be made to realize, by law enforcement agencies or researchers or both, that negative public exposure can turn into positive public exposure when computer crime is combated and the organization's stakeholders learn of the action it took to protect their interests. If, however, a company refuses to involve law enforcement in the event of a computer crime, its stakeholders will feel cheated when and if they discover that a computer crime did occur to the detriment of their interests in the organization.
Companies today are required to remain vigilant. Technology is a great boon for the organization. Even so, companies must remain on guard against the same boon turning into a curse. Computer crime is not expected to disappear in the near future. Only the organizational method of dealing with this fraud type is expected to change. Fortunately, law enforcement agencies are willing to show one hundred percent support to organizations affected by computer crime. Nevertheless, it is the responsibility of the organization to play fair by being honest about the crime, even if doing so reduces the company’s revenues and stock prices in the short run.
2005 FBI Computer Crime Survey. Federal Bureau of Investigation. Retrieved from http://www.fbi.gov/publications/ccs2005.pdf. (27 February 2007).
Annual cost of computer crime rise alarmingly: Organizations report $136 million in losses. (1998, August 26). Retrieved from http://www.gocsi.com/prelea11.htm. (27 February 2007).
Arrelland, Nestor E. (2007, January 3). Computer Crime: Top Threats in 2007. Computer Crime Research Center. Retrieved from http://www.crime-research.org/. (27 February 2007).
Brenner, Bill. (2006, January 11). FBI says attacks succeeding despite security investments. Search Security. Retrieved from http://searchwinit.techtarget.com/news/0,289141,sid14,00.html. (27 February 2007).
Evers, Joris. (2006, January 19). Computer crime costs $67 billion, FBI says. CNET News. Retrieved from http://news.com.com/Computer+crime+costs+67+billion,+FBI+says/2100-7349_3-6028946.html. (27 February 2007).
How the FBI Investigates Computer Crime. (2004, June 22). Carnegie Mellon Software Engineering Institute. Retrieved from http://www.cert.org/tech_tips/FBI_investigates_crime.html. (27 February 2007).
Kirk, Jeremy. (2006, September 28). Computer crime laws worry security pros. Computerworld. Retrieved from http://www.computerworld.com/. (27 February 2007).
Media Release – Australian Computer Crime and Security Survey. (2004, May 24). Australia’s National Computer Emergency Response Team. Retrieved from http://www.auscert.org.au/index.html. (27 February 2007).
Roberts, Paul F. (2006, January 20). FBI Computer Crime Survey Finds Widespread Attacks. EWeek. Retrieved from http://www.eweek.com/site_map. (27 February 2007).
Rogers, Marc. (1999, June 16). Organized Computer Crime and More Sophisticated Security Controls: Which Came First the Chicken or the Egg? Retrieved from http://homes.cerias.purdue.edu/~mkr/Org.doc. (27 February 2007).