Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
4Activity
0 of .
Results for:
No results containing your search query
P. 1
Cybercrime Against Businesses

Cybercrime Against Businesses

Ratings: (0)|Views: 165 |Likes:
Published by Andy Purdy
Among 7,818 businesses responding to the National Computer Security Survey (NCSS), 67 percent detected at least one cybercrime in 2005. Nearly 60 percent of businesses detected one or more cyber attacks, 11 percent detected cyber thefts and 24 percent detected other computer security incidents. Computer viruses were the most common type of cyber attack, detected by 52 percent of reporting businesses.

Revised in October 2008, The NCSS documents the nature, prevalence and impact of cybercrimes against businesses in the United States. Survey respondents represented 7,818 businesses out of the 7.3 million businesses identified nationwide in 2005. Of businesses reporting the number of incidents, 43 percent detected 10 or more cyber attacks, theft or other security incidents during the year. Computer viruses were about 7 percent of the incidents and cyber thefts were less than 1 percent. Other computer security incidents (92 percent) -- primarily spyware, adware, phishing, and spoofing -- were the most common.

This study is presented here by former national cyber czar Andy Purdy as a backgrounder for a proposed series of Cyber Hearings to be globally televised on Cybercrime.TV. For more information and discussion about Cyber Hearings 2010, visit www.Cybercrime.TV and look for Purdy's multi-part blog on the program.
Among 7,818 businesses responding to the National Computer Security Survey (NCSS), 67 percent detected at least one cybercrime in 2005. Nearly 60 percent of businesses detected one or more cyber attacks, 11 percent detected cyber thefts and 24 percent detected other computer security incidents. Computer viruses were the most common type of cyber attack, detected by 52 percent of reporting businesses.

Revised in October 2008, The NCSS documents the nature, prevalence and impact of cybercrimes against businesses in the United States. Survey respondents represented 7,818 businesses out of the 7.3 million businesses identified nationwide in 2005. Of businesses reporting the number of incidents, 43 percent detected 10 or more cyber attacks, theft or other security incidents during the year. Computer viruses were about 7 percent of the incidents and cyber thefts were less than 1 percent. Other computer security incidents (92 percent) -- primarily spyware, adware, phishing, and spoofing -- were the most common.

This study is presented here by former national cyber czar Andy Purdy as a backgrounder for a proposed series of Cyber Hearings to be globally televised on Cybercrime.TV. For more information and discussion about Cyber Hearings 2010, visit www.Cybercrime.TV and look for Purdy's multi-part blog on the program.

More info:

Published by: Andy Purdy on Dec 06, 2009
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

10/31/2013

pdf

text

original

 
Bureau of Justice Statistics
Special Report
September 2008, NCJ 221943
U.S. Department of Justice
Office of Justice Programs
 
Cybercrime against Businesses, 2005
By Ramona R. Rantala
BJS Statistician
Among 7,818 businesses that responded to the NationalComputer Security Survey, 67% detected at least onecybercrime in 2005 (table 1). Nearly 60% detected one or more types of cyber attack, 11% detected cyber theft, and24% of the businesses detected other computer securityincidents. Respondents, representing 36 economic indus-tries, said they detected more than 22 million incidents of cybercrime in 2005. The vast majority of cybercrimes(20 million incidents) were other computer security inci-dents, primarily spyware, adware, phishing, and spoofing.There were nearly 1.5 million computer virus infections and126,000 cyber fraud incidents.The effects of these crimes were measured in terms of monetary loss and system downtime. Ninety-one percent of the businesses providing information sustained one or bothtypes of loss. The monetary loss for these businessestotaled $867 million in 2005. Cyber theft accounted for more than half of the loss ($450 million). Cyber attacks costbusinesses $314 million. System downtime caused bycyber attacks and other computer security incidents totaled323,900 hours. Computer viruses accounted for 193,000hours and other computer security incidents resulted inmore than 100,000 hours of system downtime.Of the businesses responding to the survey, telecommuni-cations businesses (82% of these businesses), computer system design businesses (79%), and manufacturers of durable goods (75%) had the highest prevalence of cyber-crime in 2005. Utilities, computer system design busi-nesses, manufacturers of durable goods, and internet ser-vice providers detected the highest number of incidents,with a total of more than 10.5 million incidents. Administra-tive support, finance, and food service businesses incurredthe highest monetary loss with a combined total of $325 million, more than a third of the total for all busi-nesses.Forestry, fishing, and hunting (44% of businesses) andagriculture (51%) had the lowest prevalence of cybercrimein 2005. Agriculture, rental services, and business andtechnical schools incurred the least monetary loss($3 million).
Table 1. Prevalence of computer security incidents, typesof offenders, and reporting to law enforcement, 2005
Percent of businesses by type of incidentCharacteristicAll incidentsCyber attackCyber theftOthe
All businessesresponding
67%58%11%24%
Number of employees
2-2450%44%8%15%25-995951717100-99970609241,000 or more82722036
Industries with thehighest prevalenceof cybercrime
a
Telecommunications82%74%17%32%Computer system design79721525Manufacturing, dura-ble goods75681532
Suspected offender was an—
b
Insider40%27%74%30%Outsider71743272
Incidents were reported—
c
Within the business80%81%46%69%To another organization151497To law enforcementauthorities1565612Note: A total of 7,818 businesses responded to the National Computer Security Survey. Detail may sum to more than 100% because busi-nesses could detect multiple types of incidents.
a
See appendix table 3 for all industries.
b
Percentages are based on businesses that detected an incident andprovided information on suspected offenders.
c
Percentages are based on businesses that detected an incident andprovided information on reporting incidents to authorities.Detailed information is available in appendix tables in the online versionof this report on the BJS Website at <http://www.ojp.usdoj.gov/bjs/pub/pdf/cb05.pdf>.
Revised 10/27/08
 
2
Cybercrime against Businesses, 2005 
Insiders (i.e., employees, contractors, or vendors workingfor the business) were responsible for the cyber theftsagainst nearly 75% of businesses victimized by cyber theft.Conversely, more than 70% of businesses victimized bycyber attacks or other computer security incidents said thesuspected offenders were outsiders (i.e., hackers, competi-tors, and other non-employees).Overall, few businesses that detected an incident (15%)reported cybercrimes to official law enforcement agencies.More than 50% of victimized businesses reported cyber thefts to police, while cyber attacks and other computer security incidents were reported to authorities by 6% and12% of victimized businesses, respectively.
The National Computer Security Survey provides thenation’s first large-scale measure of cybercrime
The President’s National Strategy to Secure Cyberspacedirects the Department of Justice to develop better dataabout the nature and prevalence of cybercrime and elec-tronic intrusions.
1
Other data collections address cyber-crime, but no large-scale (or nationally representative) sur-vey collects sufficient information to accurately measurecybercrime and its consequences or to develop risk factors.The National Computer Security Survey (NCSS) wasdeveloped by the U.S. Department of Justice (DOJ), Officeof Justice Programs, Bureau of Justice Statistics in partner-ship with the U.S. Department of Homeland Security,National Cyber Security Division.
 
The DOJ Computer Crime and Intellectual Property Section, the Computer Intrusion Section of the Federal Bureau of InvestigationCyber Division, and the U.S. Secret Service also collabo-rated on the project. The survey was also supported by awide variety of trade associations and industry groups.(A complete list is available online at <http://www.ojp.usdoj.gov/bjs/survey/ncss/ncss.htm>.)The NCSS documents the nature, prevalence, and impactof cyber intrusions against businesses in the United States.This report examines three general types of cybercrime:
Cyber attacks
are crimes in which the computer systemis the target. Cyber attacks consist of computer viruses(including worms and Trojan horses), denial of serviceattacks, and electronic vandalism or sabotage.
Cyber theft 
comprises crimes in which a computer isused to steal money or other things of value. Cyber theftincludes embezzlement, fraud, theft of intellectual prop-erty, and theft of personal or financial data.
Other computer security incidents
encompass spyware,adware, hacking, phishing, spoofing, pinging, port scan-ning, and theft of other information, regardless of whether the breach was successful or damage or losses weresustained as a result.
More than 8,000 businesses participated in the survey
The National Computer Security Survey sample was astratified, random sample of businesses designed to pro-duce national and industry-level estimates. The samplewas stratified by industry, risk level, and size of business.Thirty-six industries, as defined by the North AmericanIndustrial Classification System (NAICS), were within thescope of the survey. (See appendix table 1 for a full list anddefinitions of industries,
Methodology 
for details of thesample design, and page 11 for a glossary.)To produce national and industry-level estimates a sampleof nearly 36,000 businesses was selected (table 2).Responses were received from more than 8,000 busi-nesses, giving an overall response rate of 23%. Responserates varied by business size, with larger businessesresponding at a higher rate. Response rates also varied byindustry. Response rates were highest for utility businesses(37%). Telecommunications (16%) had one of the lowestresponse rates. (See appendix table 2 for response ratesfor all industries). Though response rates were not suffi-cient to support national or industry-level estimates, theywere the highest of any survey of this kind.
Table 2. Universe, sample, and response,by business size and selected industries, 2005
Number of businessesResponserateCharacteristicsUniverseSampleResponse
All businesses
7,278,10935,5968,07923%
Number of employees
2 - 246,771,02611,4792,05618%25 - 99396,3555,6011,23622100 - 99998,58511,4722,894251,000 or more12,1437,0441,89327
Risk level
a
Critical Infrastructure1,680,60611,6942,71923%High2,074,0417,5641,73723Moderate774,4945,2941,18422Low2,748,96911,0442,43922
Industries with highestresponse rate
b
Utilities11,85090633637%Social services180,37696731733Health care577,4991,44442329Manufacturing, durablegoods275,3191,85950327
Industries with lowestresponse rate
b
Internet service providers23,87477613517%Telecommunications26,54782113416Accommodations60,9441,00614314Motion picture and soundrecording31,9026428814
a
Risk level is based on Department of Homeland Security classifica-tions and industry’s risk of incidents, monetary loss, or downtime.
b
See appendix table 2 for all industries. ______ 
1
The National Strategy to Secure Cyberspace, February 2003;Recommendation A/R 2-1.
Revised 10/27/08
 
Cybercrime against Businesses, 2005 
3
Computer virus infections were the most prevalentcybercrime among businesses in 2005
Of the 8,000 respondent businesses representing 36 eco-nomic industries, more than 7,800 used some type of com-puter system. Two-thirds of the businesses that used com-puters detected at least one computer security incident(5,081 businesses) in 2005 (table 3). Nearly three-fifthsdetected one or more types of cyber attack. A tenthdetected a cyber theft. A quarter of the businessesdetected other computer security incidents, such as spy-ware or phishing.Computer virus infection was the most prevalent type of cyber attack, detected by 52% of responding businesses.Nearly 90% of respondents reported that they were able tostop a virus before it caused an infection (not shown in atable). Of those businesses able to intercept viruses, 40%said they were successful in preventing all virus infections.Cyber fraud was the most common type of cyber theft, hav-ing been detected by 5% of the businesses responding tothe survey (table 3).Of the businesses detecting theft of intellectual property,70% indicated at least one incident involving the theft of trade secrets (table 4). For victims of theft of personal or financial data, names and dates of birth were taken from60% of businesses. More than 75% of the businessesdetecting other computer security incidents indicated thatsome type of malware (primarily adware) was installed, and58% of victims discovered spyware or keystroke loggingapplications. Slightly more than 50% of the businessesdetecting other computer security incidents were victims of corporate identity theft in the form of phishing or spoofing.Prevalence of cybercrime varied by industry and risk level.In 2005, telecommunications businesses (82% of thesebusinesses), computer system design businesses (79%),and manufacturers of durable goods (75%) had the highestprevalence of cybercrime (appendix table 3.) These threeindustries also showed the highest prevalence of cyber attacks. Finance (33% of businesses) and Internet serviceproviders (21%) had the highest proportion of businessesdetecting cyber theft. About a third of responding telecom-munications businesses, manufacturers of durable goods,and architecture and engineering businesses detectedother computer security incidents.Forestry, fishing, and hunting (44% of businesses) andagriculture (51%) had the lowest prevalence of cybercrimein 2005. Forestry, fishing, and hunting also had the lowestproportion of businesses detecting cyber theft (3%), fol-lowed by warehousing (4%) and social services (5%).
Table 3. Prevalence of computer security incidents amongbusinesses, by type of incident, 2005
Businesses detectingincidentsType of incidentAll businesses
*
NumberPercent
All incidents
7,6365,08167%
Cyber attack
7,6264,39858%Computer virus7,5383,93752Denial of service7,5171,21516Vandalism or sabotage7,5003505
Cyber theft
7,56183911%Embezzlement7,4922513Fraud7,4883645Theft of intellectualproperty7,4922273Theft of personal or financial data7,4762493
Other computer securityincidents
7,4921,79224%Note: Number of businesses and detail may sum to more than totalbecause respondents could answer questions about more than onetype of incident. See appendix table 3 for prevalence, by industry.
*
Based on businesses that indicated whether they detected an incident.
Table 4. Detailed characteristics of selected types of computer security incidents, by type, 2005
Incident characteristicPercent of businesses
Intellectual property
Trade secrets70%Copyrighted material47Patented material14Trademarks8Number of businesses*
198Personal or financial information
Names or dates of birth60%Social security numbers49Credit card numbers34Account or PIN numbers27Debit or ATM card numbers14Other21Number of businesses*
235Other computer security incidents
Adware or other malware77%Spyware, keystroke logging58Phishing or spoofing53Scanning, pinging or sniffing33Hacking16Theft of other information3Other8Number of businesses*
1,762
Note: Detail may sum to more than 100% because respondents couldprovide more than one type.*Based on businesses that detected an incident and provided detailedcharacteristics.

Activity (4)

You've already reviewed this. Edit your review.
1 thousand reads
1 hundred reads
Ragu liked this
fallkutsetnov liked this

You're Reading a Free Preview

Download
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->