Month: June 2004

Nearly 500 computer security professionals in US corporations, government agencies, financial institutions, medical institutions and universities responded to the 2004 survey, with 53 per cent reporting that their organization experienced unauthorized use of computer systems during the prior 12 months – down from 56 per cent in 2003.

Thirty-five per cent believed they had not been breached, and 11 per cent said they didn’t know.

Overall financial losses totaled out to $141m for the 269 respondents willing to quantify their losses, down significantly from 251 respondents reporting $202m in losses in 2003.

Reported losses to intellectual property theft plummeted to $11m in 2004, putting denial of service attacks in the number one spot as the most expensive computer crime, allegedly causing $26m of the total losses.

Twenty-eight per cent of the respondents said their organization had insurance policies to help manage cybersecurity risks.

Despite federal government efforts to encourage information sharing between industry and the Department of Homeland Security, the survey “detected no increase in the disposition to share information about security intrusions,” according to the report.

The percentage of companies suffering intrusions who reported them to law enforcement dropped from 30 per cent to 20 per cent; the most common reason for keeping an intrusion quiet was fear of negative publicity, a factor for 51 per cent of the companies that failed to report a breach.

While comparisons with previous years may be enlightening, the CSI/FBI survey is decidedly unscientific: the sample pool is self-selected from a panel of computer security professionals. CSI director Chris Keating cautioned against drawing overly optimistic conclusions from the downward trends reported in the study. “Obviously, computer crime remains a serious problem and some kinds of attacks can cause ruinous financial damage,” Keating said in a statement. We don’t believe that all organizations maintain the same defenses as our members – financial damages for less protected organizations are almost certainly worse.”

More info: http://www.theregister.co.uk/2004/06/11/csi_fbi_computer_intrusion/

The Computer Security Institute’s survey of security professionals at nearly 500 companies found that damages related to cyberattacks declined, reaching about $290,000 per company versus $400,000 per company a year ago.

The report, conducted in cooperation with the FBI, also said respondents thought denial-of-service attacks outpaced intellectual property theft as the most costly type of information threat. Such a shift may indicate that companies are shoring up internal-network defenses, said Robert Richardson, editorial director for CSI and an author of the report. “If you get more effective in protecting what is inside your networks, then (attackers) have to resort to other things,” he said. “One thing you can resort to is denial-of-service attacks.”

Unlike thefts, which require an attacker to break into a system, DoS attacks typically involve an online miscreant sending a flood of data to a Web site to prevent others from accessing the site. This is the first time DoS attacks have topped the list of threats.

The survey, which measures responses mainly from information technology managers who work for companies that are CSI members, is considered an indicator of general trends but not a reliable measure of specific detail, said Richardson. “You have to be careful in general of results of this kind,” he said. “It highlights a lot of interesting things, but it also raises questions that can’t be answered by the data.”

Most companies kept security functions inside the company, with only 12 percent of those surveyed indicating they outsourced more than 20 percent of security procedures. Larger companies typically benefited from economies of scale and paid less per employee for security, the survey found. Companies with annual sales of more than $1 billion typically paid a little more than $100 per worker on security, while companies with revenue of less than $10 million spent an average of $500 per worker.

The survey also indicated that more companies are interested in computer security because of new government regulations. The financial, utility and telecommunications sectors believe that the Sarbanes-Oxley Act, which requires a company’s executives to be accountable for their financial statements, has resulted in management focusing on information security, Richardson said. This is the first year that the survey asked companies about the effect of the law.

More info: http://news.com.com/Survey%3A+Security+efforts+paying+off/2100-7355_3-5230787.html?tag=nefd.top