Security Breaches

Computer security must take care of threats from both within the company and without. The seventh annual Computer Crime and Security Survey, released in April 2002 by the Computer Security Institute (CSI; www.gocsi.com) and the San Francisco Federal Bureau of Investigation's Computer Intrusion Squad, found that 90 percent of respondents had detected computer security breaches. The losses are staggering. The 223 survey respondents willing to quantify their losses reported total damage at over $455 million (see Chapter 10), and that is just the tip of the iceberg. The CERT Coordination Center at Carnegie Mellon University in Pittsburgh received over 52,000 security incident reports last year, more than double the previous year. Some estimate total losses worldwide may top $100 billion annually. According to the Internet Security Alliance (Arlington, Virginia; www.isalliance.org), three attacks — Code Red, SirCam, and Love Bug — cost corporations more than $13 billion.

While external attacks are serious enough, the threat posed by one's own employees can often be much worse. External attackers are rarely motivated enough to do much damage, do not know what to look for, and are more likely to just stumble into an intrusion detection system. On the other hand, the attacks that tend to hurt most generally come from disgruntled employees who are motivated to do harm. In the CSI survey just mentioned, for example, one third of respondents stated that their internal systems were a frequent point of attack. Another study of 146 companies by Activis (Reading, England) paints a more grim picture: 81 percent of security breaches originated internally, another 13 percent came from ex-employees, and 6 percent came from external hackers. It is these disgruntled current or former employees who steal trade secrets, sell employee lists to headhunters, or plant "time bombs" to bring down the network months after they leave.

In addition to deliberate attacks, employees can compromise a system inadvertently. Seventy-eight percent of the respondents in the CSI survey reported employee abuse of Internet access privileges such as downloading pornography or pirated software. Although doing so represents improper use of company time and resources, it also exposes the company to huge fines from the Business Software Alliance or Software and Information Industry Association.