WASHINGTON, May 4 (UPI) -- A recent survey of U.S. businesses suggests the fight against electronic crime may be paying off, but experts involved in the study warn e-crime remains a costly problem.
The average U.S. business loses about $500,000 per year to e-crime, according to the report released Tuesday by CSO magazine.
The "2005 E-Crime Watch Survey" was completed by CSO, a magazine for chief security officers, in cooperation with the U.S. Secret Service and Carnegie Mellon University's Software Engineering Institute's Coordination Center.
The survey reported that although the average number of e-crimes decreased from 2003 to 2004, 68 percent of respondents reported at least one e-crime or intrusion committed against their organization in 2004, and 88 percent anticipate an increase in incidents during 2005.
"We want to raise the awareness of e-crimes," CSO publisher Bob Bragdon told United Press International.
The survey is the magazine's second annual report on electronic crime.
Bragdon said measures such as firewalls and anti-virus software have become a basic necessity, but training staff in security is even more important.
"Companies need to build a culture of security," he said.
The value to companies of protecting against e-crime ranges across a spectrum of loss, which "can be anything from loss of productivity to loss of shareholder value," Bragdon added.
CSO's study reported 35 percent of 819 respondents said they experienced an increase in e-crime during the survey period, 30 percent said there was no change, and 13 percent said there was a decrease -- more than double last year's 6 percent.
Also, according to the report, 32 percent of respondents experienced fewer than 10 e-crimes vs. 25 percent in 2004, while the average number of e-crimes per respondent decreased to 86, down from the 136 average reported the previous year.
Respondents reported an average loss of $506,670 per organization due to e-crime, with a total loss of $150 million from the 819 companies responding.
When asked what types of e-crime were committed against their organizations in 2004, respondents cited the following:
--82 percent said virus or other malicious code,
--61 percent said spyware,
--57 percent said phishing, and
--48 percent said illegal generation of spam e-mail.
Bragdon noted 57 percent of respondents reported attempts at phishing -- a form of fraud perpetrated to steal identity online -- up from 31 percent in 2004, the largest single percentage increase of an e-crime.
Of those victimized by e-crime, 55 percent reported operational losses, 28 percent reported financial losses and 12 percent reported harm to their reputations.
Thirty-one percent of respondents said they do not have a formal process or system in place for tracking e-crime attempts and 39 percent do not have a formalized plan outlining policies and procedures for reporting and responding to e-crimes, "demonstrating room for improvement," the CSO report said.
"Security practitioners are faced with new e-crimes on a daily basis. Phishing is a perfect example of a crime that entered the market and has just exploded," Bragdon said in a statement. "It's not enough to just track these crimes. Businesses need to be doing a better job of formalizing their reporting procedures so law enforcement can help them combat the attacks and, over the long haul, minimize the threats."
Bragdon told UPI the survey found both public and private organizations appear to be doing a better job identifying criminals.
Larry Johnson, with the Secret Service's Criminal Investigative Division, noted in a release on the report, "What is important for our partners in the private sector to know is that when an intrusion is not reported to law enforcement, that only enables the criminals to continue to do more -- and possibly greater -- damage elsewhere."
He added: "The Secret Service philosophy is one of prevention. Together with our private industry partners, we have a proven track record of aggressively investigating and preventing electronic crimes that could adversely affect the businesses and citizens of this country."
CSO reported the top technologies used to combat e-crime are firewalls and automated virus scanning, which 99 percent of respondents said they had employed, followed by physical security systems at 94 percent, spyware/adware detection software at 93 percent, intrusion detection systems at 91 percent, and manual patch management at 90 percent.
The magazine also said the top five security policies and procedures in use by respondents "to prevent or reduce an e-crime" included account/password management policies at 74 percent, formal "inappropriate use" policy at 71 percent, employee education and awareness programs at 67 percent, monitoring of Internet connections at 65 percent, and corporate security policy at 62 percent.
T.K. Maloy is UPI's Business Editor.