Virus is no.1 source of financial loss

August 24, 2004

The latest CSI/FBI reported in its ninth annual 2004 survey that virus attack and denial of service (DOS) has outpaced theft of proprietary information as the top security incidents generating the largest financial losses among the U.S. firms surveyed.

Total loss from virus attack was estimated at U$55 billion while losses from denial of service was at U$26 billion.

Although total dollar loss was at a decline and the frequency of successful attacks against corporate information systems in the United States is decreasing, it also reports that more than half or 51% of the respondents recognize that the main reason an organization may not report intrusion to law enforcement is because of negative publicity—that it would hurt their stock or image.

CSI (Computer Security Institute) is the world’s premier membership association serving and providing training to the information security community in the United States.

According to the 2004 CSI/FBI Computer Crime and Security Survey, although in the initial stages, computer security focused largely on technical issues like encryption, access controls and intrusion detection systems, there is increased concern on the economic, financial and risk management aspects of computer and information security and not just on the physical or technical aspect. 

The survey provided interesting insights into the level of computer crime being experienced by companies, as well as how they are responding to security breaches. 

Commenting on the survey report, the Security News Portal reported that “computer security has evolved from being purely the domain of IT resources to the point now where even the board of a company take an interest. This growing concern about security has come about as the internet has emerged to be a ubiquitous business tool.”

According to Jun Malacaman, president of the Information Systems Security Society of the Philippines (ISSSP), the Philippines has no surveys or statistics on Internet intrusion or cybercrime in general. But there is definitely a need to make the country’s business and government leaders aware of the need for more vigilance and security measures in place if the country is to address and reduce what many believe to be a growing corporate threat and menace.

A high 82 percent of the respondents in the CSI/FBI survey indicated that their organizations conduct security audits. For the first time, the survey also addressed the extent and importance of security awareness training. The areas perceived to be most valuable are: security policy (70 percent) and network security (70 percent), followed by access control systems (63 percent), security management (62 percent) and economic aspects of computer security (51 percent).

As a result of the CSI/FBI report, ISSSP will be conducting a yearly survey on computer crime and security to assist the National Computer Center and the Cyber Security Work Group or CySWG under the auspices of the Task Force for the Security of the Critical Infrastructure (TFSCI). According to NCC Director General Tim Diaz de Rivera, who also chairs the CySWG, the effort to address the issue of cybercrime and critical infrastructure security is going to be a joint undertaking of government and the private sector.

The ISSSP survey will be launched on September 9, 2004 at the 3rd Annual Security Conference to be held at the Hotel Intercontinental in Makati. Malacaman explained that those attending the 3-day management and technical seminar and conference will benefit the most since they will not only be made aware of the need to know and take the necessary security measures but also will be provided with basic guidelines on how to do security audits and risk management surveys.

The annual security conference is dubbed Manilacon@911:Business at Risk and is intended for both management (first two days) and techies (third day). A special Elite Hacking workshop will be conducted on the afternoon of the third day for a limited number of techies only by Van Hauser, Europe’s renowned security hacker and expert.

“We have taken the pains to bring Van Hauser into the country because we need his expertise and experience, now and not later when it is too late,” says Francis Pineda, vice president of ISSSP.

Executive and IT professionals interested in the survey or the conference may check the ISSSP website at www.isssp.org.ph or contact the ISSSP secretariat at tel. 920-0101 local 112/ 194  or text 0916-4876541 for more details.

ISSSP is a non-stock, non-profit association of security-concerned professionals in the country promoting information security awareness and support to both business and government institutions.