Organized crime has taken to the Internet in a big way. Cybercrime forms a significant ongoing risk for all organizations: if it is worth taking action to secure premises, it is even more worthwhile to secure digital business areas.
A 2001 global study by the UK DTI found that lapses in security policy had cost businesses between 5.7 per cent and 7 per cent of annual revenues in 2000. European businesses alone, it claimed, lost more than £4.3 billion in that year due to Internet-related crime.
PricewaterhouseCoopers’s European Economic Crime Survey 2001 questioned 3,400 organizations in both the public and private sectors. 43 per cent of them are reported to have said that cybercrime would be the ‘biggest and most dangerous form of criminal activity’ in the future. The consultancy firm IDC, on behalf of the global outsourcing business EDS, polled IT directors of 250 companies in the UK, France and Germany and released the results of this survey to the UK press. While half the respondents were ‘concerned’, 43 per cent said that they had already encountered cases of internal information theft.
Europol, the European Police agency, observed in its 2003 report on EU organized crime: ‘The establishment of worldwide financial markets, economic globalization, and the creation of the EU common market, have provided good opportunities for organized crime groups.’ In section 4.4, the report observes that ‘organized crime groups are clearly among the major beneficiaries of technological progress…crucially, the development of cyberspace [has] provided great opportunities and a vast arena in which organized crime groups can operate…High technology crime will continue to represent one of the major areas of crime in the future, paralleling the development of e-commerce and internet banking.’
The Computer Security Institute (CSI), with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad, has now conducted nine annual surveys into information security at the CSI member firms. The results of the most recent survey showed that 2004 total financial losses to criminal abuse, across the 269 respondents who participated, was $141 million. While the biggest loss arose from virus attacks ($55 million) and denial of service attack ($26 million), $11 million of these losses was from theft of proprietary information against $8 million for financial fraud and $7 million in laptop thefts. It was clear that nearly half of those who took part in the overall survey were unable (because they had no method of tracking) or unwilling (because of the possible reputational damage) to provide estimates of their financial losses from the successful attacks they had experienced. Equally clear is the fact that incidents of cybercrime originate equally from outside and inside the attacked computer systems.
The conclusions of the Confederation of British Industry’s (CBI) 2001 Cybercrime Survey, which polled 154 member firms and found that two-thirds of them had suffered serious computer crime in the previous twelve months, are even more valid today. Nearly 60 per cent predicted that cybercrime would become even more of a problem in the future. The Director-General of the CBI, Sir Digby Jones, was quoted as saying, ‘Fears about potential losses and damage to reputation from cybercrime are stalling the growth of e-business, especially for b2b transactions. That growth will only come when all parties are reassured that adequate security is in place to protect them.’
‘Over its seven-year lifespan’ concluded the CSI, ‘the survey has told a compelling story. A sense of the “facts on the ground” has emerged. There is much more illegal and unauthorized activity occurring in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace.’