The 2004 E-Crime Watch survey conducted among security and law enforcement executives by CSO magazine in cooperation with the United States Secret Service and the Carnegie Mellon University Software Engineering Institute's CERT Coordination Center, shows a significant number of organizations reporting an increase in electronic crimes (e-crimes) and network, system or data intrusions.

Forty-three percent of respondents report an increase in e-crimes and intrusions versus the previous year and 70 percent report at least one e-crime or intrusion was committed against their organization. Respondents say that e-crime cost their organizations approximately $666 million in 2003. However, 30 percent of respondents report their organization experienced no e-crime or intrusions in the same period.

When asked what types of losses their organizations experienced last year, 57 percent of the respondents report operational losses, 25 percent state financial loss and 12 percent declare other types of losses. The average number of individual e-crimes and intrusions is 136. However, a third of respondents did not experience e-crime or intrusions, while a quarter experienced fewer than ten.

Interestingly, 32 percent of respondents do not track losses due to e-crime or intrusions. Of those who do track, half say they do not know the total amount of loss. Forty-one percent of respondents indicate they do not have a formal plan for reporting and responding to e-crimes. Slightly more than half state their organization has a formal process in place to track e-crime attempts. Additionally, respondents indicate a higher degree of familiarity with local and national e-crime laws (39 percent and 33 percent respectively), but know little about applicable international laws (8 percent).

"The increase in e-crime over the past year again demonstrates the need for corporate, government and non-governmental organizations to develop coordinated efforts between their IT and security departments to maximize defense and minimize e-crime impact," says Bob Bragdon, publisher of CSO magazine. "There is a lot of security spending going on, but not much planning. It's essential for chief security officers and information technology pros to find the most manageable, responsive and cost effective way to stop e-crime from occurring," Bragdon added.

Nearly a third of respondents in organizations experiencing e-crimes or intrusions in 2003 do not know whether insiders or outsiders were the cause. Respondents who do know report that an average of 71 percent of attacks come from outsiders compared to 29 percent from insiders. Regarding the source of the greatest cyber security threat, hackers were most frequently cited (40 percent) followed closely by current or former employees or contractors (31 percent). When it comes to identifying specific types of e-crimes committed against organizations, the survey shows 36 percent of respondents' organizations experienced unauthorized access to information, systems or networks by an insider compared to 27 percent committed by outsiders. Both sabotage and extortion are committed equally by insiders and outsiders for organizations responding to the survey.

Eighty percent of respondents report they monitor their computer systems or networks for misuse and abuse by employees or contractors. Ninety- five percent of respondents say they use some type of employee monitoring (e.g., internet, email, files) to deter e-crime. Thirty-six percent report using employee monitoring to terminate an employee or contractor for illegal activities. Seventy-two percent of respondents require internal reporting of misuse or abuse of computer access by employees or contractors. However, just under half of respondents say intrusions are handled with the help of law enforcement or by taking other legal action.

"Many companies still seem unwilling to report e-crime for fear of damaging their reputation," says Larry Johnson, special agent in charge, Criminal Investigative Division, United States Secret Service. "However, as we see with this survey, ignoring the problem or dealing with it quietly is not working. The question