CSI Study Reveals Shifts in Security Threats

The latest Computer Crime and Security Survey shows cybercrime incidents and the cost of security breaches are decreasing, but Web site attacks and thefts of sensitive information are rising quickly.

What’s the most damaging type of security breach? Financially speaking, viruses cost businesses the most, followed by unauthorized access to systems, theft of proprietary information, and denial-of-service attacks.

Overall, however, the cost of the average security breach dropped by 61 percent, from $526,000 in 2003 to $204,000 in 2004. Furthermore, the incidence of cybercrime is decreasing.

Those results come from the recently released 10th annual Computer Crime and Security Survey of 700 information security practitioners from U.S. organizations, including businesses, government agencies, medical institutions, and universities. The report was released by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad.

Despite the decrease in the number of breaches, two types of attacks are on the rise: unauthorized access to information, which accounted for a quarter of all reported losses; and theft of proprietary information, which since last year’s survey replaced denial-of-service attacks as the third most-damaging type of attack. The number of thefts of proprietary information doubled from 2003 to 2004.

It’s no surprise, then, that more organizations are reporting “financial damage due to theft of sensitive company data,” says Chris Keating, the director of CSI. “This is an ominous, though not unexpected, development and underscores the need to insist that enterprise networks be properly safeguarded.”

Web Sites at Risk

Web sites are also increasingly at risk, and “one of the most dramatic findings from this year’s survey is the exponential increase in Web site incidents,” notes the report. In last year’s survey, 89 percent of organizations reported only one to five Web site security incidents during 2003, and only five percent reported more than 10. According to this year’s survey results, however, “there was a total flip, with 95 percent of responding organizations experiencing more than 10 Web site incidents and a mere two percent experiencing between one and five such incidents.” The report’s authors surmise that the relatively low financial impact from Web site defacements has led organizations to spend less, relatively speaking, on Web-site security.

Continuing a multi-year trend, fewer organizations are reporting intrusions to law enforcement. According to the report, “the key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.”

One surprise from the report is that outsourcing isn’t on the increase. “Despite talk of increasing outsourcing, the survey results related to outsourcing are nearly identical to those reported last year and indicate very little outsourcing of information security activities,” notes the report. “Among those organizations that do outsource some computer security activities, the percentage of activities outsourced is quite low.” Large companies, however, are a notable exception; they outsource much more of their information security needs.

Another surprise: use of cyber-insurance doesn’t appear to be on the rise, despite what many experts predicted. In 2004, about a quarter of organizations had some kind of cyber-insurance, which is virtually unchanged from 2003. The report’s authors, however, think uptake will increase soon.

Of course, combating security breaches isn’t just about technology and processes; training is also part of the equation. According to respondents, the top five areas for training (in order of importance) are security policy, security management, access control systems, network security, and cryptography. The one change in that list since 2003: cryptography replaced training users on economic aspects of computer security. The majority of organizations surveyed spent eight percent of their IT budget on security. Many also conduct financial assessments of their security expenditures. According to the report, 38 percent calculate return on investment, 19 percent use internal rate of return, and 18 percent use net present value.

Since this is the tenth version of the report, what overall information security trends can be drawn? “Survey respondents are getting better and better results from their ongoing focus on information security,” says Robert Richardson, CSI’s editorial director. “But that’s not to say that all organizations are protecting themselves with equal vigor. And it’s more clear than ever, not only that organizations are always under attack, but that security breaches—especially when widely publicized—can be disastrous both in terms of customer relations and financial results.”

You'll find the report at http://www.gocsi.com/press/20050714.jhtml.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.