CSI Survey 2007, Part 2: Meat and Potatoes
In Part 2, we get to the juicy part. The good news is that attacks are down this year. The bad news? Insider abuse and targeted threats abound.
Let's start with the good news. When it comes to the percentage of companies that experienced an attack or security incident, the number continues to decline: 46 percent versus last year's 53 percent. And while you may have noticed that there are roughly 100 fewer respondents this time around, that alone is not likely to account for the decline in percentage terms.
If one theme emerges from this year's survey, it is that the face of security is changing drastically after some hard lessons learned.
That said, one of the more disturbing revelations is the fact that the number of security incidents saw an unusual jump in the "more than 10" category, rising from 9 percent last year to a whopping 26 percent this year. This increase means that quite a few companies were seeing "repeat business" from attacks. As to why, one can only guess at the specifics.
Fox in the Hen House?
A few theories include internal espionage, not determining the true cause of attacks and not keeping antivirus and/or other detection tools current. Given that there was a 4 percent increase in the number of companies that thought insiders didn't account for any of their breaches, this particular aspect may be OK to eliminate. That, or insiders are getting better at covering their tracks. Additionally, the actual cost of insider attacks may not be as visible as other types since they often target intellectual property and private information such as blueprints, source code, customer databases and the like.
Nonetheless, the insider threat can't be dismissed. Some attack types are on the wane -- sabotage weighed in at 4 percent -- while insider abuse of Net access saw a sharp increase to 59 percent. Awareness programs are the ideal method to address this. Given the lack of training, however, it's not surprising to see this statistic rank rather high.
Website defacements, virus attacks and DoS attacks, normally the things that make news, remain relatively low on the attack scale. The survey included new categories of attacks including phishing, DNS exploitation, sniffing, bots and theft of customer/employee data.
As time progresses, the inclusion of newer attacks should help narrow down the prominence of certain attacks and the likelihood of others. I believe this will help security individuals determine where the greatest risk is for an attack or policy violation.
One of the most interesting drops was in the percentage of website incidents. Last year over 59 percent experienced 10 incidents or more against their website. This year, that number plummeted to 2 percent!
This is a major achievement. Either we're getting better at securing our websites (this would include front-end as well as back-end) or they are losing their attack appeal. While I suspect both are part of the equation, I do believe that the front-door attack is starting to go by the wayside and we're seeing more sophisticated attacks against companies via social engineering and other stealthier methods.
Additionally, these attacks were not specifically targeted or at least not believed to be so. When asked, the majority of respondents, 67 percent, simply didn't know, compared to the 28 percent that were aware. This is a figure to continue watching as attacks become more targeted.
Your Business in the Crosshairs
Malware developers are adding specificity to their efforts, increasingly opting to strike surgically rather than employ often fruitless shotgun approaches. Comparatively, mass attacks are not as effective and do not necessarily generate a specific financial gain. Attacks are no longer motivated by the "because it was there" ideal. Rather, today's attacker is more likely to think, "How much can I scam out of this?"
So how much did these attacks cost companies? Unfortunately, we saw a jump and an interesting one at that.
Last year, 313 respondents said that attacks cost them over $52 million. This year, 194 admitted that attacks cost them over $66 million.
This would represent a substantial increase but given that the major security infraction was due to inappropriate Web surfing, it's likely that a lot of it was tied to loss of employee productivity and phishing/bot attacks.
Yet the biggest chunk of attack costs was attributed to financial fraud. It would be interesting to see how much additional money was lost on an individual basis and study its impact on companies in terms of lost productivity due to employees dealing with personal issues.
This was also the first year that viruses or other attacks weren't at the top of the pile. In fact, last year, financial fraud accounted for only $6 million in costs. That figure ballooned to $21 million this year, earning it the top spot.
The fact that the virus was dethroned may also indicate that we're getting better at containing malware before it gets too far out of hand. Yes, we can all agree that virus infections can and will occur, but they do not have to deliver the network-debilitating effects of the I Love You virus of 2000, for example. Even so, we are nowhere near the point where we can count viruses out, and so vigilance, as always, is recommended.
Look out for Part 3 where we delve into how businesses are protecting their networks.
This article was first published on EnterpriseITPlanet.com.