FBI Says Computer Crime Costs Billions Every Year
JamesAlfaro wrote to mention a C|Net article putting a price tag on computer crime. From the article: "The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent."
Who responded to this survey? The accountants? The lawyers? The CFO? The CIO? I'm not saying that computer crime doesn't cost a whole lot of money. I'm just wary of reports like this, especially when the total is arrived at via simple straight-line extrapolation from their 1300 respondents. This is simply a report designed to paint a bad picture so that they can secure extra funding for things like "online surveillance."
This article doesn't even mention the Computer Security Institute (CSI), the organization which conducts and publishes these surveys. The FBI allows them use of crime databases and is just presented the end result. On top of that, they present you with one graph and label it as referenced from the "Computer Crime Survey" when, in fact, this survey also had to do with security and is entitled 2005 Computer Crime and Security Survey. I believe you'll find a wealth of information in that PDF as it contains many graphs that break down respondents of crimes, average security expenditures, types of attacks, etc. If you're interested in what constitutes a "computer crime," check out the policy and sample cases (some amusing) as we all know that what is and isn't illegal with computers can get very fuzzy very fast.
I think this is a case of CSI running a survey and doing a damn fine job on the support but the media (and Slashdot) feel that FBI is better news than CSI.
My work here is dung.
I believe the FBI is correct, but I also believe that one should lock the door to their houses, offer potential robbers the thought that the family might be armed, get a decent alarm and security company and insure their belongings for the maximum amount.
My IT business makes about 40% of its income dealing with security issues. We have to turn new business away usually, as most new customers that we go visit are so insecure it isn't even funny. With insecurity comes more than just data theft but spyware and viruses and the rest, as we all know. It amazes me how many companies leave their homes unlocked, the lights on, the alarm off, and a big sign on the front steps saying "Come and get it!"
The solution to computer crime isn't using the FBI -- I'd like to turn their offices off and throw out the key. The solution to computer crime is:
1. Developing a good infrastructure and upgrade cycle
2. Commit to teaching users proper ways to set up their data and desktops
3. Purchasing security software and services from companies that do the best job finding the holes and plugging them.
Is the law useful? Not one bit. Most companies aren't going to bother suing civilly for damages, and no one wants to bother calling the cops. The chalk line around your stolen data isn't very useful. Get a good consultant, pay them well, and make them back it up with guarantees. Problem solved.
Word to the wise:
Next time someone says "XXX Trend is costing us YYY dollars every year", it's probably going to be followed up with "Therefore we should spend ZZZ dollars dealing with it."
XXX = overstated threat
YYY = some made up figure
ZZZ = profit
Now that even the FBI can put a quantifiable sum of money on this may we please begin dismembering the EULA which makes this such an enormous problem?
"We'll just create this broken product... and let everyone else deal with the billions of lost dollars which it causes."
fast as fast can be. you'll never catch me.
Why? Because that seemed like a good number? This inexplicable change causes me to question the validity of the whole study.
The world will not get better through technology. We must seek to be better people.
In old school government thinking, you're not supposed to "get rich off the government" as an employee. The government would often rather spend $2B for a stealth bomber that carries nuclear bombs, but will pinch pennies on the salary of the pilot of the bomber. The reality is that it costs the taxpayers less to pay $80,000 starting out for a qualified security official, and let them retire making $200-$250K/year than it does to hire a less competent one at $45,000/year. The better qualified, better paid one will be more effective if not hampered by management and more crimes will get punished, reducing the reward for crimes of this nature, thus decreasing the amount of money that has to be spent on prison and other costs in the long run.
Ultimately, you get what you pay for is a fundamental law of life. If you're not willing to pay well, the people that have the skills won't sign up for the job unless the economy is dying and they're desperate.
Did they include the NSA's illegal wiretaps in that tally?
Most, nearly all, of the "cost" of computer crime comes from running a full security audit of your systems and locking down the security procedures and controls you will use to keep it from happening again. If these companies had a competent computer security policy in the first place, they would find their "costs" much less.
It's like a thief crashing through your dry-rot, termite-infested walls and then blaming HIM that you have to rebuild your whole house now. This money is almost always money that *should* have been spent, but wasn't in the name of cost-cutting or just general laziness.
"Your superior intellect is no match for our puny weapons!"
In a related note, the costs associated with train robberies are way down. And cattle rustling related costs have virtually disappeared.
As the world changes, so does the crime.