|
|
|
|
According to Computer Security
Institute (http://www.gocsi.com/)
Based on responses from 503 computer security practitioners in
U.S. corporations, government agencies, financial institutions,
medical institutions and universities, the findings of the "2002
Computer Crime and Security Survey" confirm that the threat from
computer crime and other information security breaches continues
unabated and that the financial toll is mounting.
Highlights of the "2002 Computer Crime and Security Survey"
include:
- Ninety percent of respondents (primarily large corporations
and government agencies) detected computer security breaches
within the last twelve months.
- Eighty percent acknowledged financial losses due to computer
breaches.
- Forty-four percent (223 respondents) were willing and/or able
to quantify their financial losses. These 223 respondents reported
$455,848,000 in financial losses.
- As in previous years, the most serious financial losses
occurred through theft of proprietary information (26 respondents
reported $170,827,000) and financial fraud (25 respondents
reported $115,753,000).
- For the fifth year in a row, more respondents (74%) cited
their Internet connection as a frequent point of attack than cited
their internal systems as a frequent point of attack (33%).
- Thirty-four percent reported the intrusions to law
enforcement. (In 1996, only 16% acknowledged reporting intrusions
to law enforcement.)
Respondents detected a wide range of attacks and abuses.
Here are some examples of attacks and abuses:
- Forty percent detected system penetration from the outside.
- Forty percent detected denial of service attacks.
- Seventy-eight percent detected employee abuse of Internet
access privileges (for example, downloading pornography or pirated
software, or inappropriate use of e-mail systems).
- Eighty-five percent detected computer viruses.
- For the fourth year, we asked some questions about electronic
commerce over the Internet. Here are some of the results:
- Ninety-eight percent of respondents have WWW sites.
- Fifty-two percent conduct electronic commerce on their sites.
- Thirty-eight percent suffered unauthorized access or misuse on
their Web sites within the last twelve months. Twenty-one percent
said that they didn't know if there had been unauthorized access
or misuse.
- Twenty-five percent of those acknowledging attacks reported
from two to five incidents. Thirty-nine percent reported ten or
more incidents.
- Seventy percent of those attacked reported vandalism (only 64%
in 2000).
- Fifty-five percent reported denial of service (only 60% in
2000).
- Twelve percent reported theft of transaction information.
- Six percent reported financial fraud (only 3% in 2000).
The complete report may be read at http://www.gocsi.com/press/20020407.html.
|
Over 40 percent of all companies
experiencing some type of information-related disaster never
re-open. Critical applications such as ERP, SCM, CRM, and e-mail
make protecting your information with an integrated business
continuity solution more important than ever before.
Source EMC2 (http://www.emc.com/continuity/index.jsp#)
|
| ROI And
The Costs of Business Continuity Planning
(A VISTASTOR whitepaper at http://www.vistastor.com/briefs/ROI.pdf) We have
all seen the statistics:
- Typical distributed network sites have a downtime cost of
between $20,000 and $80,000 per hour, but for a retail brokerage,
it is estimated that an hour of downtime will cost the company
$6.5 million. (Source: Contingency Planning Research)
- 43 percent of companies experiencing disasters never re-open,
and 29 percent close within two years. (Source: McGladrey and
Pullen)
- It is estimated that 1 out of every 500 data centers will have
a severe disaster each year. (Source: McGladrey and Pullen)
- A company that experiences a computer outage lasting more than
10 days will never fully recover financially. 50 percent will be
out of business within five years. (Source: “Disaster Recovery
Planning: Managing Risk and Catastrophe in Information Systems,”
Jon Toigo.)
Now consider this: A KPMG study shows that only 5% to 6% of an
overall IT budget is generally allocated for disaster-recovery
planning and preparation. Further, among those corporations with
business continuity plans, less than one half meet an acceptable
portion of their recovery objectives, and between 5% and 10% did
not adequately test their plans.
|
Excepted
from Info Security News Magazine, 2000 Cited on http://www.hp.com/hps/briefs/bc_capability.pdf
- 88% of e-commerce is not covered by a data recovery/business
continuity (DR/BC) plan
- 42% of managers do not believe their plans would be effective.
- 92% of companies fail to update their testing or planning
following upgrades or system installations.
- 53% of firms recover less than 25% of their total losses
through insurance.
- An effective DR/BC plan can reduce losses by 90%.
|
|
Excerpted from Mitigating
Disasters in Veterinary Practices and Humane Shelters
http://www.animaldisasters.com/Business%20Continuity.htm#Examples
OSHA requires that all business with more than 10 employees to
have a written Emergency Contingency Plan (ECP). For businesses with
10 or less employees a written plan is not mandated, but highly
recommended. The purpose of an ECP is to prevent accidents, and if
they do occur to be able to effectively control them and reduce
their impact.
Complying with the regulations set out by OSHA are generally
beneficial to companies in that compliance results in lower number
of injuries to staff, decreased severity of injury when accidents
occur and decreased losses due to business disruption and the
consequences of litigation when procedures have not been followed.
These are the identical goals of any business or community disaster
preparedness program. Adaptation of the principles of human safety
in emergencies, such as evacuations, can be readily adapted by
animal health professionals to the care of animals.
This site should be visited by all
planners. Well researched general and specific
information.
|
|
Over the last decade, the overall cost of disasters to the United
States has grown significantly.
From 1989 to 1993, the average annual losses from disasters were
$3.3 billion. Over the last 4 years, the average annual
losses have increased to $13 billion.
On the Federal side alone, disasters have cost over $20 billion
over the last four years. The disaster losses are equally as
staggering for the American public.
Since 1993, over 1.4 million Americans have been impacted by
Presidentially declared disasters, resulting in the loss of their
homes, property, communities, jobs, and in some cases their lives.
This figure does not include the hundreds of thousands of people
impacted by natural hazard events that were managed entirely at the
State and local levels, and involved the personal savings and
private resources of property owners.
(The) emphasis on mitigation led FEMA to introduce a National
Mitigation Strategy in December of 1995 to encourage a national
focus on hazard mitigation. (See Federal Emergency Management
Agency, "National Mitigation Strategy: Partnerships for Building
Safer Communities," Washington, DC: Government Printing Office,
1995)
Source: FEMA (http://www.fema.gov/mit/cb_intro.htm)
|
|
"Mitigation saved the Anheuser Busch facility in Los Angeles
after Northridge. The Anheuser-Busch Engineering Department
retrofitted the plant to conform to the LA seismic code -- and the
plant was functioning within days of the earthquake.
"Without those revisions -- they would have sustained more than
$300 million in direct and interruption losses."
Source: James L. Witt, Director,
Federal Emergency Management Agency (http://www.fema.gov/mit/cb_bus.htm)
|
|
Using the results of the (Castaic Union School) District's risk
analysis, it was determined that the potential economic costs from
either a dam failure or oil pipeline break following an earthquake
were enormous. The first potential cost to the School District would
be incurred from both building and content damage. Replacement of
the school buildings would cost an estimated $7.7 million in direct
construction costs (1995 dollars).
Second, if such an earthquake occurred, alternative school
facilities would have to be located and rented at an estimated
cost of over $500,000 per year.
Third, the community would have to absorb the costs of losing the
educational services provided by the District in the time period
between the actual loss of the facilities and the relocation to
temporary facilities. The School District calculated the cost of the
lost public services based on the operating expenses required to
provide the services. The daily cost of lost educational
services was estimated at $28,601.
Source: FEMA (http://www.fema.gov/mit/cb_aqmul.htm)
|
|
| Business |
Average Hourly
Impact |
| Retail
Brokerage |
$6.45
million |
| Credit Card Sales
Authorization |
$2.6
million |
| Home Shopping
Channels |
$113,750 |
| Airline
Reservation Centers |
$89,500 |
| Package Shipping
Service |
$28,250 |
| Source: Contingency
Planning Research |
When you consider that most businesses experience two hours of
downtime per week, those are incredible numbers. At Ontrack, we've
uncovered even more eye-opening facts about data loss and the life
of your business.
- Most companies value 100 megabytes of data at more than $1
million.
- 43 percent of lost or stolen data is valued at $5 million.
- 43 percent of companies experiencing disasters never reopen,
and 29 percent close within two years. (Source: McGladrey and
Pullen)
- It is estimated that 1 out of 500 data centers will have a
severe disaster each year. (McGladrey and Pullen)
- 40 percent of respondents to a computer security survey had
detected and verified incidents of computer crime during the
previous year. (NCSA Annual Worry Report)
- Computer crimes cost firms who detect and verify incidents of
computer crime between $145 million and $730 million each year.
(NCSA Annual Worry Report)
- A company that experiences a computer outage lasting more than
10 days will never fully recover financially. 50 percent will be
out of business within five years. (Disaster Recovery Planning:
Managing Risk & Catastrophe in Information Systems by Jon
Toigo)
Source: Ontrack Data International,
Inc. (http://www.ontrack.com/)
|
|
| Average Hourly Cost
of Downtime |
| Brokerage
House1 (or large e-commerce site) |
$ 6.4
million |
| Credit Card Sales
and Authorization1 |
$ 2.6
million |
| Catalog
Sales1 |
$ 90
thousand |
| Package Shipping
and Transportation Industry1 |
$ 28
thousand |
| UNIX
Networks2 |
$ 75
thousand |
| PC
LANs2 |
$ 18
thousand |
| Average Hourly
Cost to Re-create Data2 |
$ 50
thousand |
- Contingency Planning Association Research
- Strategic
Research
|
Source: Quantum Corporation (http://www2.dlttape.com/proveit/is_white/continuity.htm)
|
|
"On-line systems fail an average of nine times a year, with an
average outage duration of 4 hours per failure." Stratus Computers
Study quoted in Action Plan for Disaster (SRS-013), SunGard
Recovery Services Inc.
"In the three years prior to 1992, there were a total of nearly
1.5 million (IT) security breaches. wracking up costs of more than
$330 million." Information Week quoted in Action Plan for
Disaster (ibid.).
|
|
