Another year and another CSI/FBI survey has been released.
CSI is definitely good at refining the survey with each new edition and kudos to them for paying attention to what needs to be addressed. Questions that were once too general are now more specific in nature, and thusly, the results have become inevitably become more accurate. While I believe that this year's survey is fairly accurate, there remain some nebulous areas.
I don't think, however, that every area that needs improvement is something that CSI can fix, as some of the discrepancies lie in how forthcoming the respondents are. I'll get into that specific aspect later on. For now, let's begin with the survey results.
Small businesses rarely have the resources to hire someone permanently, if at all, to deal with security. Last summer, I talked with a former boss who runs a small business. It turned out that an employee that she had trusted had ripped her off and had used keyloggers to capture information locally. It was a costly learning experience for her. Until that point she wasn't aware of what could be done on systems.
So how do we reach those small business types?
In some ways, I almost think that an ad-campaign from the likes of Homeland Security or a similar organization would be helpful. The reality is that if small businesses can be affected by a variety of security issues they become entry points to medium and large businesses and other avenues into the overall infrastructure.
The size of companies for the respondents doesn't fully match what is out there, but the larger companies do give an idea of what's going on. Or perhaps what's not going on.
Over 50 percent of the respondents had a minimum of 1,500 employees. Revenue breakdowns show 75 percent earning $10 million or more. 34 percent of those were by businesses earning over a billion dollars a year.
One would think that the respondents would mostly be the geeks watching after all the systems in a company but 35 percent of the respondents came from upper management/high-middle management positions (e.g., CEO, CIO, CSO, CISO, etc.). Only 12 percent were actual system administrators.
In many ways, it is encouraging to see that management is paying attention to security and approach it as an important and necessary aspect of their organizations. But do C-level executives have an accurate view of what the company is experiencing? And while it's good to see that security has reached the upper echelons, how well is it doing in the lower levels?
The reason I mention this is that we still see laptops left unattended and stolen from the average worker and less so from the CEO. I think this is due to a high-ranking executive's responsibility to the organization, particularly public ones. The average employee doesn't have (or perceive to have) the same legal responsibility to the Board of Directors as the CEO would.
And oddly enough, over 50 percent of respondents state that security consumes 5 percent or less of their annual IT budget. This may be due to larger companies leveraging technologies across larger scales for a smaller amount of the budget. Then again, it just might be a result of taking the cheap route to deal with security. Security is still seen by many as a drain on resources rather than moneymaking part of business. Procedures and policies are often the thing that will make companies more efficient, but as you'll see, these are on the low end of the security tool totem pole.
Continued from Page 1.
One question that CSI should consider asking is what kind of training is being done. Defining the training types might help explain some of the figures for the cost of training. Training lags behind other aspects of security expenditures but it would have a far greater impact than say a firewall or IDS. When training is a mere $18 per employee (for companies earning over $1 billion), I question how many employees are actually getting trained and what the training encompasses. For instance, was it a short lecture on confidentiality when they were hired or a few days worth of intensive training by a professional?
The other question would be: are some of the smaller businesses realizing the importance and finally spending on security training to protect themselves? Initial capital outlay is often the biggest expense for security. It would be interesting to see how this trend goes over the next few years to see if it drops for the smaller companies over time. We should see an overall leveling in regards to training over time because at some point the cost will account for refresher courses rather than from scratch.
Security's Effect on the Bottom Line
How companies define security — in relation to Return on Investment (ROI), Net Present Value (NPV) and Internal Rate of Return (IRR) — shows that ROI went up 4 percent after dropping last year to 38 percent. Security is likely still seen as an expense and largely still based on ROI. And it leads me to believe that a lot of security is still done as a reactive measure rather than a proactive one. Once companies do take a proactive response to security we'll see a lot fewer simple attacks succeeding.
It was heartening to note that security is rarely outsourced. Well over half of the respondents said that they didn't outsource security, although this is a 2 percent drop from previous years. It does mean that those that are concerned about security for the company are aware of how the company works. It is evident that security is an IT function that is important enough to keep in-house rather than trusting an outsider to fiddle with.
One interesting question was the one of hiring a reformed "hacker" (let's call them what they are – malicious attackers) and more than 85 percent said no. This would mean that the hiring of virus writers and famed-formerly-jailed attackers are rare occurrences and we shouldn't assume them the norm when the media yaps about them.
The last financial issue is the question of cybersecurity insurance. You'd think that since we saw things like Katrina and other natural disasters along with some heavy-duty lawsuits over information breaches that more companies would look into insurance but the majority, nearly 75 percent, of the respondents said no to cyber-insurance. It appears that companies are willing to accept risk and deal with it rather than make a monthly payment.
It doesn't have to be an all-or-nothing proposition. Much like the fire alarms that alert you to potential dangers and the home insurance you have in case the fire department can't stop the fire, companies should invest in some sort of data protection from cyberthreats.
In the part 2 of this article, I'll look at where the attacks were coming from, old habits and more.This article was first published on EnterpriseITPlanet.com.