2006 CSI/FBI Survey, Part 1
Twelve months and some high-profile security breaches later, has anything changed? A look at this year's results and whether businesses have learned their lesson.
Another year and another CSI/FBI survey has been released.
CSI is definitely good at refining the survey with each new edition, and kudos to them for paying attention to what needs to be addressed. Questions that were once too general are now more specific in nature, and thus the results have inevitably become more accurate. While I believe that this year's survey is fairly accurate, there remain some nebulous areas.
I don't think, however, that every area that needs improvement is something that CSI can fix, as some of the discrepancies lie in how forthcoming the respondents are. I'll get into that specific aspect later on. For now, let's begin with the survey results.
Small businesses rarely have the resources to hire someone permanently, if at all, to deal with security. Last summer, I talked with a former boss who runs a small business. It turned out that an employee she had trusted had ripped her off and had used keyloggers to capture information locally. It was a costly learning experience for her. Until that point she wasn't aware of what could be done on her systems.
So how do we reach those small business types?
In some ways, I almost think that an ad campaign from the likes of Homeland Security or a similar organization would be helpful. The reality is that if small businesses can be compromised by any of a variety of security issues, they become entry points into medium and large businesses and other avenues into the overall infrastructure.
The size of companies for the respondents doesn't fully match what is out there, but the larger companies do give an idea of what's going on. Or perhaps what's not going on.
Over 50 percent of the respondents had a minimum of 1,500 employees. Revenue breakdowns show 75 percent earning $10 million or more; 34 percent of those came from businesses earning over a billion dollars a year.
One would think that the respondents would mostly be the geeks watching over all the systems in a company, but 35 percent of the respondents came from upper management/high-middle management positions (e.g., CEO, CIO, CSO, CISO, etc.). Only 12 percent were actual system administrators.
In many ways, it is encouraging to see that management is paying attention to security and approaching it as an important and necessary aspect of their organizations. But do C-level executives have an accurate view of what the company is experiencing? And while it's good to see that security has reached the upper echelons, how well is it doing in the lower levels?
The reason I mention this is that we still see laptops left unattended and stolen from the average worker, and less so from the CEO. I think this is due to a high-ranking executive's responsibility to the organization, particularly in public companies. The average employee doesn't have (or doesn't perceive that they have) the same legal responsibility to the Board of Directors that the CEO would.
And oddly enough, over 50 percent of respondents state that security consumes 5 percent or less of their annual IT budget. This may be due to larger companies leveraging technologies across larger scales for a smaller share of the budget. Then again, it just might be a result of taking the cheap route to deal with security. Security is still seen by many as a drain on resources rather than a moneymaking part of the business. Procedures and policies are often the thing that will make companies more efficient, but as you'll see, these are on the low end of the security tool totem pole.