Security incidents -- everything from viruses and worms to hacks and insider sabotage -- are expected to skyrocket in 2003, according to a new report out by the Aberdeen Group, an industry analyst firm based in Boston. There were 52,000 incidents reported to the CERT Coordination Center in 2001. That number topped out at 100,000 in 2002 and it's predicted to surpass 200,000 this year.
But those numbers only account for reported incidents. They don't account for all the attacks that go unreported, even unnoticed. In 2001, Aberdeen's Eric Hemmendinger reports that the number of unreported attacks hit 4.1 million. The number then jumped to 7.9 million last year and is expected to hit 15.9 million this year.
Hemmendinger, research director for the Security and Privacy group at Aberdeen, says while attacks and viruses are getting worse, most companies aren't any more prepared to fend off these coming attacks than they were a few years ago.
Q: What do you see happening in terms of security incidents this year?
Based on the trend we've seen over the last couple of years and what we see in terms of vulnerabilities and relatively easy access to tools used to do compromises, a doubling of reported incidents is pretty easy to figure. But that's what is reported. What's really going on is about 16 million incidents a year. Companies still aren't reporting attacks. How many large companies want it publicized that they've been undressed. Why publicize it? It's pretty infrequent that these folks are caught. It's less frequent that there's a successful prosecution. Law enforcement doesn't have the tools they need. They don't have the training and they don't have the experience.
Q: What kind of incidents will be top of the list this coming year?
Anything and everything. We'll see everything from viruses to Web site defacements and hacks into internal networks, applications and data servers. There will be theft of devices with sensitive information on them. It runs a pretty wide gamut.
Q: Do you expect companies to face more or less insider-based threats?
I think it will be pretty much the same ratio of attacks. I don't think companies are more prepared for it but they have a better sense of how to deal with it once it happens. They find out who did it and they fire them. If they've had experience with it before, they probably have the tools and information to find the attacker at their disposal. Lightning frequently strikes two or three or more times in the same place. If it happens once, somebody else is going to get the same idea.
Q: With so many attacks expected this year, do you think companies are better prepared to deal with it than they were a year ago or two years ago?
I doubt it. Companies tend to look at this as an area where you self-insure. You assume these things are going to happen and you look at what you can do to keep the damage at an acceptable level... We have more awareness of the issues than we had a few years ago. The economic slow down has crippled spending and that has kept people from going off and solving the problems they might have otherwise.
Q: Spam increased four-fold last year. Do you expect it to continue increasing at the same pace this year?
We expect that if last year spam was on the order of 25% of corporate email, it will be in the range of 50% this year. The spammers are getting smarter. Every time they see a new technique for stopping them, they find a new way to bypass it.
Q: Will IT leaders be more aggressive in battling spam this year, turning increasingly to black lists and more stringent filters?
They're starting to realize that in addition to spam being a nuisance for users, it's sucking up valuable bandwidth. And it's acting increasingly as a covert channel for some pretty nasty stuff to come into the enterprise. More companies will spend money to solve the problem. It's hard to say how.
Q: You've predicted that identity theft will shoot up from $8.75 billion in losses in 2002 to hit $24 billion in 2003. Will that begin to erode consumer's faith in online transactions, harming the e-commerce industry?
Today, the price of identity theft is largely paid by financial service organizations, as opposed to consumers. If it relates to credit card misuse, the credit card company usually eats it or pushes it back onto the merchant. They don't push it back onto the consumer, so it won't curtail people's comfort level or reliance on the Internet as a channel for shopping.