Category: Statistics

The median tally came to $3.8 million per organization, but the range spanned from $1 million to almost $52 million, according to researchers.

“Through actions such as the appointment of a chief information security officer [CISO], the rollout of an enterprise security strategy, and investments in technologies capable of addressing sophisticated threats and managing complex security events, companies are able to reduce the financial impact of cyber crime.”

http://esj.com/articles/2010/08/10/tallying-cost-of-cyber-crime.aspx

Threats on portable storage devices rose to the top of the list as the most popular malware, evident by a rash of AutoRun infections that held the No. 1 and No. 3 spots for top five malware over the last quarter. Security experts contend that attacks delivered via portable storage devices have experienced a revival in recent months, after being dormant for an extensive period of time. “It’s kind of like your old-school style of malware, one device to another device” said Dave Marcus, security research and communications manager for McAfee Labs.

All of the top five threats remained consistently popular worldwide.

Marcus said that social-engineering attacks, particularly those targeting social networks, are continuing on a rapid upward trend. “A lot of people don’t realize the bad guys read the same news the good guys do,” Marcus said.

And despite reports of copious malware sourced internationally, the report also showed that the U.S hosted the vast majority of new malicious URLs, totaling 98 percent.

http://www.crn.com/security/224900212

“Cloud computing applications hold a great deal of promise for organizations, but regarding their adoption as a fait accompli and expecting IT to accommodate their use is an approach fraught with risk,” Ponemon says.

While some organizations might be pushing ahead with cloud implementations, however, some are drawing the line at their most sensitive data, Ponemon reports.

http://www.darkreading.com/securityservices/security/management/showArticle.jhtml?articleID=224701726

Business leaders at enterprises have been moving the organization to cloud computing to cut costs by outsourcing the management of IT infrastructure.

The down economy has driven many firms to consider cloud-based services, including utility-type computing offered by Amazon’s EC2 utility service and Microsoft’s Azure cloud computing platform.

The risks identified included the ability of hackers to infiltrate cloud computing platforms and use the cloud infrastructure to attack other machines as well as insecure application programming interfaces (APIs) that can leave holes that lead to data leakage. Robert Stroud, vice president of ISACA, said the survey results shouldn’t be surprising given that IT professionals, especially members of ISACA, take a cautious approach to new technologies and carefully measure cloud computing risks, he said. “A good training regime and process automation can go a long way towards making risk a consideration, but also making it be accepted,” said Stroud, vice president of IT service management strategy at New York-based CA Inc. said.

Only 10% of respondents’ organizations plan to use cloud computing for mission-critical IT services and one in four (26%) do not plan to use it for any IT services.

“For mission critical data we’re just starting on that journey,” Stroud said.

Regulations, standards obstruct cloud adoption Compliance is a major hindrance causing enterprises to take a slow approach to many cloud-based projects, said Jim Reavis, co-founder and executive director of the Cloud Security Alliance. About half of those surveyed said IT risk and compliance related projects will receive roughly the same investment in 2010 as in 2009. For example, the group has worked with the PCI Security Standards Council to develop a framework — a cloud controls matrix — to determine a reasonable set of controls that a cloud-based provider must implement versus the controls that must be implemented by the enterprise.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1508319,00.html?track=sy160&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+techtarget%2FSearchsecurity%2FSecurityWire+%28SearchSecurity+%3A+Security+Wire+Daily+News%29

“Companies are finding that the frequency and sophistication of threats is out of control for them to handle internally and they’re looking for service providers with competency to be able to handle that for them,” Kark said.

In the recent Forrester report: “Market Overview: Managed Security Services,” Kark lays out ways the broad industry is shaping out and what companies should look for in a service provider. To do that, companies need to evaluate a number of different kinds of MSSPs, from telecommunications providers that bundle security with their services, to value-added resellers and system integrators that provide a mixture of services.

Robert T. Ferrilli, president and CEO of the Ferrilli Information Group, turned over nearly all his systems to managed service providers when the company’s Exchange server went down unexpectedly while he was on a business trip. The firm, which provides business applications for universities and colleges, has a team of 20 developers spread out across the United States.

Many firms have a suite of services and are happy to sell everything they offer, but enterprises with a solid set of priorities of what they want to gain from a MSSP will be able to better evaluate what partner is right for them, Kark said. Instead of just gaining Web filtering or email protection, enterprises are seeking guidance from their MSSPs on security related issues, forcing some firms to invest in creating consulting services divisions. According to Kark, content security in the form of email and Web content filtering still has the most market penetration, but other technologies are quickly gaining ground.

Companies are outsourcing log management and event correlation and analysis services as well as distributed denial-of-service (DDoS) protection services. The growth of cloud computing, with more company data spread out beyond the company walls, has forced some firms to seek out specialized security providers.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1508261,00.html?track=sy160&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+techtarget%2FSearchsecurity%2FSecurityWire+%28SearchSecurity+%3A+Security+Wire+Daily+News%29

For instance, decision makers should identify which information is the most valuable.

Another smart move would be to “create a ‘risk register’ of data security risks [that] divides the risks your firm faces into two categories: compliance risks and misuse of secrets.”

The survey, which was carried out in November and December, polled 163 U.S.-based companies and 102 European companies, as well as 40 based in Australia and New Zealand.

http://www.esecurityplanet.com/trends/article.php/3874791/Microsoft-Cyber-Security-Survey-Finds-Businesses-Most-Valuable-Data-at-Risk.htm