Cyber-crime may be more pervasive than many people thought.
A study by a year-old Baltimore research and consulting firm says 58 percent of the 205 companies surveyed, mostly Fortune 1,000 firms, had had outsiders try to misuse their computer systems during the past year, frequently costing companies more than $1 million to fix.
Of companies that had detected hackers trying to get into their systems, 82 percent said at least one intruder got in from the outside. The most common intrusions: stealing a look at electronic mail or private documents and introducing viruses. Among the least common: stealing money, which accounted for only 0.3 percent of the incidents reported.
The results suggest that much of the cyber-crime stems not from hackers, but from competitors trying to sniff out a target company's business secrets, said Mark Gembicki, executive vice president of War Room Research LLC, which did the study after conferring with the staff of a U.S. Senate subcommittee investigating computer security.
"This is just an indication of what is going on," Gembicki said. "What surprised me is that e-mail and documents are a big target and that people are admitting it. That people are admitting it is what surprised me the most."
Denial has been a big problem in computer crime, Gembicki said, and parts of his study highlighted why. Most incidents are never reported to law enforcement authorities, and the most common reasons given are the fear of public disclosure and the possible loss of customer confidence.
But cyber-crime can cost big money. Two-thirds of the companies said intrusions by outsiders cost $50,000 or more, with almost 18 percent saying each successful intrusion can cost more than $1 million.
Gembicki said the survey was sent to about 500 companies in July, and 205 acceptable, anonymous responses had come in by last month. Gembicki said all but about 2 percent to 3 percent of the institutions surveyed were for-profit companies in the Fortune 1,000, making the study a look into the problems of major corporations rather than small business.
A more detailed study, involving a smaller number of companies that are willing to tell researchers much more about their security issues, is being organized for next year, Gembicki said.
But one problem suggesting that even War Room's figures may be low is that more than one-fourth of the companies said they do not have confidence in their ability to detect whether outsiders have been trying to get into their systems.
The fight to keep corporate computers secure has sparked a run in initial public offerings for companies that sell computer system firewalls and other security products, including Trusted Information Systems Inc. of Glenwood and V-One Corp. of Rockville. Both went public in October, and both said War Room's findings were consistent with what their customers tell them.
"It comes as no surprise," V-One spokesman Jim Reed said. "The more you take people off the record, the worse the stories get."
Joan Winston, director of policy analysis for Trusted, said War Room's numbers were also consistent with findings of previous studies. She agreed with Gembicki's point that security systems such as firewalls or encrypting computer files are not the whole answer to protecting sensitive information.
Both said companies must also take routine management steps to protect themselves. Gembicki, a former National Security Agency employee, said corporations need to give separate security classifications to distinguish routine private information from vital secrets that need more protection, change e-mail addresses and passwords often and make sure junior employees understand that they have to button their lips, as well as their computer files, around outsiders.
"It's certainly true that there's no magic bullet," Winston said. "If Dumpster divers get the printout you put in the garbage, your firewall doesn't do you much good."
Pub Date: 12/02/96