Thursday, October 16, 2008

Financial Fraud Incidents Average $463,100

MBA (10/14/2008) Palaparty, Vijay
Losses from financial fraud have cost businesses an average of $463,100 so far this year, according to the 2008 Computer Security Institute Crime & Security Survey.
Average total losses stemming from various types of computer security incidents, however, dropped to $288,618 per business in 2008 after rising to $345,505 last year, though still higher than the $167,713 reported in 2006.

“There seems little question that several sweeping changes in the overall state of IT practices—coupled with equally broad changes in the habits of the criminal world—are making significant, hard-hitting attacks easier and more lucrative for their perpetrators,” said Robert Richardson, director of CSI, San Francisco. “On most days at most organizations, attacks are less imaginative than what’s currently theoretically possible—which, for the moment, is good news.”

The survey said dealing with the loss of proprietary information and the loss of customer and employee confidential data cost an average of $241,000 and $268,000, respectively.

“Most attacks respondents see are relatively standard attacks like viruses and theft of mobile devices like laptop computers,” Richardson said. “Although the loss of a laptop computer may be quite expensive if it contains unencrypted confidential data, many laptops are lost that don’t cost more than replacement and associated administrative costs. Virus incidents cost organizations that reported financial loss data an average of only $40,141; hardly a threat to the viability of most organizations.”

Virus incidents, the most common source of crime, occurred at 49 percent of respondents’ organizations, the survey said. Insider abuse of networks was the second-most frequent, reported by 44 percent of organizations, followed by theft of laptops and other mobile devices, reported by 42 percent of organizations. Unauthorized access accounted for 29 percent.

The 2008 Verizon Business Data Breach Investigations Report also reported that financial services institutions face greater data breach risk from insiders than from external or partner sources. The report also cited deceit and misuse as the most common forms of attack.

“Enterprises should assess their security strategies knowing that challenges differ significantly and that a one-size-fits-all approach is rarely effective,” said Peter Tippett, vice president of research and intelligence at Verizon Business Security Solutions, Basking Ridge, N.J., an author of the report. “Good security does not lend itself to a cookie-cutter approach. Understanding what happens when a data breach occurs is critical to prevention.”

End-users were responsible for 53 percent of breaches in institutions while IT administrators accounted for 31 percent, the report said. Eight percent of breaches were instigated by agents or spies and an additional 8 percent were from anonymous sources.

In the CSI survey, 27 percent of respondents said they had detected at least one targeted attack—a malware attack—aimed exclusively at their organizations or at organizations within a small subset of the general business population.

Sixty-eight percent of organizations reported that they had, and 18 percent said they were developing, a formal information security policy. Only 1 percent said they had no security policy.

By November 1, U.S. financial institutions and other creditors must be compliant with the Red Flag Rules of the U.S. Fair and Accurate Credit Transactions Act of 2003, a consumer information security compliance measure. The rules require lenders to develop and implement a written Identity Theft Prevention Program to prevent, detect and mitigate ID theft.

“While there are handfuls of spectacular crimes in a year, there are millions of [crimes on] enterprise networks that do not make headlines,” Richardson said. “Furthermore, we must draw a distinction between developing threats and actual successful attacks. There is cause for great concern regarding the sorts of attacks that become possible as we move to a more service-oriented web, but these are not threats that have seen widespread use yet.”
