Even more important, said Robert Richardson, the editorial director of CSI and the author of the report based on the poll, was the finding that the percentage of those polled who have experienced attacks of various types continued to tail off in 2004.
Most categories of cyber crimes have been on the downturn since 2001, the survey’s figures show, with the biggest drop found in denial-of-service (DoS) attacks. In 2001, DoS attacks were experienced by over 90 percent of those polled; in 2005, fewer than 50 percent said they’d been the victim of a DoS attack in the last 12 months. “It’s a four-year trend now, which is good news,” said Richardson.
Losses reported per respondent due to unauthorized access crimes were up a huge 580 percent in 2005 over 2004, while theft of proprietary information because of a security breach rose 211 percent. “This is where you see the spike related to things like identity theft,” said Richardson.
“When Acme Credit Card Authorization Transaction Co. finds out they’ve had an intruder who may have stolen records, that’s certainly a bad thing, but while that discovery is going on, credit card transactions are still being processed.” Acme’s explicit loss, which is what this survey measures, may be the cost of assessing the damage, which would probably be small. What may not be small is the loss from customers who leave because of that disclosure.
Another thing that can’t be gleaned from the survey, said Richardson, is a solid risk assessment of current dangers, even though that might be tempting. “The wrong thing to take away [from the positive data here] is that the risk of attack has dropped,” he said.
“Security breaches, especially when widely publicized, can be disastrous, both in terms of customer relations and financial results, such as a loss of market capitalization due to bad publicity. What you can take away from this year’s survey is that we’re getting better at handling the routine security stuff, but not the much more aggressive attacks,” he continued. “Why? Because we haven’t seen one, not the kind that people keep predicting will sweep through the Internet before companies can react.”
http://www.techweb.com/wire/security/165702436