The total incidence of malware and its composition vary widely across countries, reflecting each country's level of IT development (and hence its level of security deployment) and, to a lesser extent, social issues.
The threat can be beaten
Organisations that have sound security practices can beat the attackers.
The figures coming from Microsoft and several other organisations that report on the Internet threat landscape are in sharp contrast to those published by the US CSI earlier in October. The CSI conducts an annual survey of US-based businesses, comprising a detailed questionnaire. A key characteristic of this survey is that the respondents choose to participate, so we can assume that they are passionate about their security efforts. About 10 per cent of questionnaires are returned, and the results are biased towards larger enterprises. The assumption about respondents' commitment is confirmed by the response to one question: 68 per cent of respondents have a formal information security policy and a further 18 per cent are developing one. We can assume that these are the organisations that are getting security right.
In this survey almost all types of attack decreased in 2008, apart from attacks on domain name servers. ID fraud has decreased by 20 per cent since 2003, and most of these attacks are made by phone or involve stolen personal property rather than online subversion. The average organisation lost $300,000 in IT security incidents in 2008, compared with $3 million in 2001. Respondents did, however, report an increase in the number of targeted attacks that they intercepted in 2008.