Irish firms are suckers for cybercrime and punishment

11 Dec 2008

One in four Irish organisations were victims of external hacking attempts last year, a new survey shows.

One in four Irish organisations were victims of external hacking attempts last year, a new survey shows.

The findings show cybercrime is a serious problem for many Irish businesses, according to Owen O’Connor, vice-president of the Information Systems Security Association (ISSA) and author of the survey.

The second Irish Cybercrime Survey was conducted jointly by the ISSA’s Irish chapter and University College Dublin’s Centre for Cybercrime Investigation, and gathered information based on data for 2007.

Three out of 10 companies suffered denial of service (DoS) attacks last year, and 25pc said their systems or networks had an unauthorised intrusion by an external party. O’Connor says this is an alarming statistic.

“You wouldn’t have one in four organisations affected by regular crime. To say that 30pc of organisations had DoS attacks – or in 25pc of cases, some system or network was interfered with maliciously – that’s a fair number of people. If one in four companies had a break-in at a business park, they would be looking to move,” he says.

The survey also showed a significant level of crime within companies: some 18pc experienced an internal systems intrusion and 10pc suffered an internal financial fraud. “To me, that seems extremely high,” says O’Connor.

The nature of these incidents is reflected in how companies dealt with them. The most common outcomes from cybercrime were internal disciplinary procedures (61pc). Employee contracts were terminated in 37pc of cases, 16pc resulted in resignation and 4pc led to criminal prosecution.

Some 28pc of firms said their databases had been accessed inappropriately in 2007, and 26pc said confidential information had leaked electronically – a worrying figure given some high-profile data breaches such as those at Bank of Ireland and the Comptroller & Auditor General’s office.

Almost four fifths of organisations (79pc) said productivity suffered as a result of cybercrime. More than a quarter (27pc) of firms suffered loss of data and 15pc of events led to litigation. One in 10 firms reported a significant loss of business or profit.

O’Connor is concerned by findings that suggest a considerable gap between the IT security issues of greatest concern and the technology products that Irish organisations use to protect themselves against risks.

Two thirds of respondents (66pc) said theft of sensitive IT assets such as laptops, backup tapes or hard drives worried them most. However, just 30pc encrypt the data on their laptops, although a further 21pc said they plan to do so.

Similarly, 41pc are concerned about an electronic leak of information, but just 14pc fully encrypt their email. Just 12pc are concerned about non-criminal misuse of systems such as inappropriate email or internet usage, yet 68pc of organisations have implemented full email content monitoring.

Only 8pc rated internal intrusions in their top-three security concerns, and just 14pc were worried by employees accessing data they shouldn’t.

“It’s a frustrating aspect of the survey. People are seeing attacks and are concerned, but are not doing anything about them,” says O’Connor. “They are spending on something they can’t control, as opposed to focusing on internal issues, where there is a huge amount of things they can do.”

For example, O’Connor says the survey showed very few organisations monitor their databases. If an employee reported their laptop stolen, this would allow an IT specialist to estimate what information may have been on the computer.

“They can reasonably estimate how many people are affected by the loss and they can define the category of exposure,” he says. 

Other areas of concern cited in the survey were: a system or network intrusion (36pc), malware infection (29pc), DoS attacks (20pc) and electronic financial fraud (15pc).

Infections by viruses, worms or other forms of malware were down on the previous year’s figures, with 59pc saying it occurred in 2007, compared to 77pc in 2002–2006.

Perhaps understandably, not every respondent chose to answer the question about the financial cost of their most serious cybercrime incident. However, some 39 did, and of that number, 51pc said the cost was less than €5,000 and 23pc said it cost between €5,000 and €24,999. In 14pc of cases, the cost was more than €100,000, and for 3pc of companies, the damage was priced at over €1m.

There are some caveats to the survey – there were 61 responses, a higher number than the previous year, but still a small sample set.

More than half of the respondents are IT security professionals (55pc). In addition, there were no responses from small firms that don’t employ an IT specialist.

This suggests the extent of the cybercrime problem could be even greater than the survey indicates.

By Gordon Smith

Gordon Smith was a contributor to Silicon Republic