Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Thursday, July 13, 2006

CSI survey: Data breaches still being swept under the rug

The Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad released its 2006 report Thursday after surveying 616 computer security practitioners in U.S. corporations, government agencies, financial and medical institutions and universities.  The average loss reported by respondents was $167,713, an 18% decrease over last year’s average loss of $203,606.  Virus attacks, unauthorized access to networks; lost or stolen laptops and other mobile hardware; and theft of proprietary information or intellectual property accounted for more than 74% of financial losses, according to the CSI report, which can be downloaded from the organization’s Web site.  Despite talk of increasing outsourcing, CSI said the survey results indicate very little outsourcing of information security activities, with 63% of respondents saying their organizations do not outsource any computer security functions.

On the surface, the results of the 11th annual CSI/FBI Computer Crime and Security Survey are positive, with fewer companies reporting financial loss from data breaches compared to last year.  But a majority of companies are still reluctant to report security breaches to law enforcement, suggesting that the survey isn’t capturing the full extent of the problem.  Respondents tell us that they are keeping their cybercrime losses lower,” CSI Director Chris Keating said in a statement.  “At the same time, our economic reliance on computers and technology is growing and criminal threats are growing more sophisticated, so we shouldn’t overestimate our strengths.”

About 25% of respondents said they reported computer intrusions to law enforcement, compared with 20% in the previous two years.  But the percentage is still small, and CSI said a big reason for the drop in financial losses, as reflected in the overall survey results, is a decrease in the number of respondents able and willing to provide estimates.

“Even in an anonymous survey, only half of the 616 U.S companies surveyed were willing to share overall cost figures from financial losses resulting in security breaches.  The impact of the Sarbanes-Oxley Act on information security remains substantial,” the report said.,289142,sid14_gci1199280,00.html

Posted on 07/13