CSI/FBI Security Survey: Questions Behind The Numbers
Despite average losses of more than $2 million each, only one-third of companies reporting computer crimes this year contacted law enforcement authorities, according to the annual security survey. What were the other two-thirds thinking?
As the CSI freely admits, the survey is not intended to be scientific in any way. Rather, it is intended to "heighten security awareness, promote information protection, and encourage cooperation between law enforcement and the private sector."
I'm for all of that, so I humbly offer my take on this, the seventh annual CSI/FBI security survey, based on responses from 503 computer security practitioners. Many of these folks work at large companies; 36% work for organizations with at least 5,000 employees and, among commercial respondents, 61% are from companies with at least $100 million in annual revenue.
Some of the more compelling statistics that come out of the survey have to do with financial losses from security breaches. This year, 80% of respondents said they sustained financial losses, although only 44% were willing and/or able to quantify those losses. On average, those 223 respondents reported losses of more than $2 million each, or a total of $455,848,000. In other words, real money.
|Related CSI/FBI Article|
|Employee Abuse Of Internet Rampant: Nearly 80% of companies polled in the annual CSI/FBI survey detected employee misuse of the Internet. Read about what some IT managers have done, and what you can do to address this problem.|
If someone steals $2 million from me, or even $200 for that matter, I'm calling the cops. Not this crowd. Only 34% of respondents reported intrusions to law enforcement. (You can't tell from the numbers whether those who reported to law enforcement were the same ones who got hammered with big losses, but that's beside the point; if they weren't, the 34% figure is even more mind-boggling.) CSI considers 34% a relatively good number, up from 16% in 1996, the first year it conducted the survey.
I think it stinks. I know the rap; companies don't want to call in law enforcement because they're afraid of bad press, of tying up their computer systems in endless forensics exercises, even of losing face within their own organization.
In effect, they let the bad guys off scot-free. Here's a flash for the 66% who didn't report breaches: law enforcement agencies are on your side. You want to see more cyber criminals get caught and punished? Start helping out law enforcement.
Another stat I couldn't fathom: 85% of respondents detected computer viruses. That says to me that 15% didn't detect any computer viruses. Either they're not looking very hard, or, gasp, they're not using anti-virus software. Say it ain't so. Indeed, only 90% of respondents said they were using anti-virus software. Meanwhile, viruses were the type of attack that most frequently resulted in financial losses. Another flash to the 10% (or is it 15%?): Stop reading this right now and go buy some anti-virus software.
Internet access is another sore point, for a number of reasons. On one hand, 78% of respondents detected employee abuse of Internet access privileges, meaning employees are doing things like downloading pornography, exchanging filthy jokes or, worse, emailing corporate trade secrets to the competition. This, too, can be stopped, with Web and email content filtering software.
Internal Attacks Declining
Tougher to tackle is the problem of intruders using an Internet connection as the point of attack. It's a problem that has grown steadily in each year of the survey's existence. In 1996, 38% of respondents cited the Internet as a frequent point of attack while this year the figure was 74%. Respondents are fighting the good fight, for the most part; 89% of them use firewalls and 60% use intrusion detection systems.
The flip side of the Internet connection question is the steady decline in the number of respondents who said their internal systems were a frequent point of attack. This year, the figure was down to 33%, from 54% in 1996. Can we please now stop throwing around that stat that says it's the insiders, the ubiquitous "disgruntled employee," wreaking all the havoc? Yes, there are employees who cause trouble, and when they do it can be real ugly in terms of financial losses, but there are far more outsiders to worry about.
Finally, Web sites seem to be a growing cause for concern, with 38% of respondents saying they have suffered from unauthorized access or misuse of their site within the last year; another 21% didn't know whether there had been misuse or unauthorized access. Here again, there are products that can help protect your Web sites from this kind of behavior. (The eSecurityPlanet site has a product listing that will get you started.)
The 2002 CSI/FBI Computer Crime and Security Survey can be downloaded at no charge here.
Paul Desmond is a writer and editor based in Framingham, Mass. He serves as editor of eSecurityPlanet.com, a source of practical security information for IT managers, CIOs and business executives. Email him at firstname.lastname@example.org.