The CSIs 2009 Computer Crime and Security Survey reveals the importance of maintaining defences against the traditional types of threat. Attackers are turning against soft targets, and organisations that are not well protected must expect to incur losses. The good news is that organisations are more comfortable in their security response.
Malware and external threats are still a menace
The strongest message from the survey is that the mix of attack types remains volatile and that the older types of threat are staging a comeback. Trendy views about the demise of threats are dangerous. In particular, malware infection was experienced by 64 per cent of respondents (up from 50 per cent in 2008). More surprisingly, denial-of-service attacks were experienced by 29 per cent of respondents (up from 21 per cent), as these are rarely motivated by financial gain. At the same time, financial fraud and password sniffing rose sharply (12 per cent to 20 per cent, and 9 per cent to 17 per cent respectively). One-third of the organisations knew that they had been fraudulently represented as the sender of phishing email messages, with the consequent damage to customer trust and brand image. Most losses are still due to external attacks, and the majority of losses due to internal users were classified as non-malicious indicating a need for more end-user training. However, the primary focus of security needs to remain with defence against external attacks.
The survey does not represent a typical cross-section of US companies
The CSI survey covered 443 US-based corporations in a broad range of verticals, but with a bias towards larger organisations. The survey was anonymous, to encourage honesty and disclosure, and the respondents chose to participate. Together these factors indicate that the respondents represented organisations with a more active interest in security. Although the results do not represent a typical cross-section of companies, the year-on-year comparisons do give a reliable picture of trends in corporate security. This is the 14th annual report from the CSI, and it covers the 12 months to June 2009.
Organisations are containing the threat, but losses are still substantial
The survey reveals a picture of security professionals who are comfortable with their situation but not complacent. The average loss from security incidents during the year was $234,000 per respondent. This was the second year in which the loss had fallen and was way down on the 2001 loss of over $3 million per respondent, although higher than the average losses in 2005 and 2006. These averages include the organisations that suffered no losses, and are therefore lower than figures quoted in other surveys. The CSI found that the average loss due to financial fraud in companies that suffered such attacks was $450,000.
Sign up for Computerworld eNewsletters.