Firms Intensify Battle Against Computer Crime

The lure of e-commerce and the need for reliable security in online transactions have forced large corporations and government agencies to dramatically step up their response to computer crime, according to a report to be released today by the FBI and the private Computer Security Institute in San Francisco.

More than 500 organizations were surveyed about attacks on their computer networks or Internet Web sites--including theft of proprietary information, sabotage, data or voice wiretaps and financial fraud. In response, 32% of the organizations sought help from law enforcement agencies, up from 17% a year ago.

Although severe vandalism, espionage and sabotage against computer networks began years ago, the rapidly growing importance of the World Wide Web in business appears to have shaken corporate complacency about network security, experts say.

Recent apprehensions of high-profile hackers--such as a team that penetrated Defense Department computers last year--and an increasing sense of urgency about the year 2000 problem have prompted many corporations to act, according to Kathy Fithen, manager of the CERT Coordination Center. CERT is an emergency response team for network intrusions, based at Carnegie Mellon University in Pittsburgh.

Changes in security posture have also been forced by the need to open once-sacrosanct corporate networks to a range of suppliers, customers and business partners that demand access to subsets of a company’s proprietary data, said Dan Erwin, an information security official for Midland, Mich.-based Dow Chemical, one of the companies surveyed.

Like Dow, many corporations are rapidly adding technical security managers, said Richard Powers, editorial director of the institute that conducted the survey. Such experts have become a hot commodity.

The increased vigilance by companies may be showing a preventive effect. Reported financial losses from the full range of security breaches dropped modestly, from $137 million in 1997 to $124 million in 1998, the survey showed.

But losses from financial fraud and theft of proprietary data rose sharply. These figures suggest a staggering effect of computer crime on American business, said Powers, who estimates nationwide losses in the tens of billions of dollars annually.

Those losses will continue, experts say, because organizations face mounting complexity and cost, as well as the challenge of protecting information assets against the very people who need access most--their own employees. The majority of survey respondents suspect disgruntled employees as a source of attacks.

But some experts blame naivete.

“It’s not that [employees] are stealing the information per se, but they are not aware that they should not send a piece of information over the Internet without encryption,” said Ernest Hernandez, senior security consultant for Sprint Paranet in Houston. Encryption is a method of scrambling data so that it is accessible only by those with the correct password.

One client, a pharmaceutical company, probably lost control of secret plans for a new antihistamine this way, Hernandez said. A competitor then beat the company to market with a nearly identical drug--one of many such cases, he said.