CSI survey: Data breaches still being swept under the rug

Article

CSI survey: Data breaches still being swept under the rug

Bill Brenner, Senior News Writer
On the surface, the results of the 11th annual CSI/FBI Computer Crime and Security Survey are positive, with fewer companies reporting financial loss from data breaches compared to last

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

year. But a majority of companies are still reluctant to report security breaches to law enforcement, suggesting that the survey isn't capturing the full extent of the problem.

The Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad released its 2006 report Thursday after surveying 616 computer security practitioners in U.S. corporations, government agencies, financial and medical institutions and universities. The average loss reported by respondents was $167,713, an 18% decrease over last year's average loss of $203,606.

"This year's survey -- coupled with results from recent years -- suggests that the news within the enterprise security perimeter is good. Respondents tell us that they are keeping their cybercrime losses lower," CSI Director Chris Keating said in a statement. "At the same time, our economic reliance on computers and technology is growing and criminal threats are growing more sophisticated, so we shouldn't overestimate our strengths."

Despite lower losses, this year's survey results suggest data breaches remain the leading cause of financial loses. Virus attacks, unauthorized access to networks; lost or stolen laptops and other mobile hardware; and theft of proprietary information or intellectual property accounted for more than 74% of financial losses, according to the CSI report, which can be downloaded from the organization's Web site.

Meanwhile, the number of companies reporting security breaches to law enforcement increased from last year, suggesting more are willing to acknowledge when there's a compromise. About 25% of respondents said they reported computer intrusions to law enforcement, compared with 20% in the previous two years.

But the percentage is still small, and CSI said a big reason for the drop in financial losses, as reflected in the overall survey results, is a decrease in the number of respondents able and willing to provide estimates.

"Negative publicity from reporting intrusions to law enforcement is still a major concern for most organizations," CSI said. "Even in an anonymous survey, only half of the 616 U.S companies surveyed were willing to share overall cost figures from financial losses resulting in security breaches."

The survey findings also show that:

  • Most organizations conduct some form of economic evaluation of their security expenditures, with 42% using return on investment (ROI), 21% using internal rate of return (IRR) and 19% using net present value (NPV). "These percentages are all up from last year's reported numbers," the report said. "Moreover, in open-ended comments, respondents frequently identified economic and management issues -- such as capital budgeting and risk management -- as among the most critical security issues they face."

  • More than 80% of respondents said their companies conduct security audits.

  • Government mandates and regulatory compliance issues remain a hot topic within IT departments. "The impact of the Sarbanes-Oxley Act on information security remains substantial," the report said. "In fact, in open-ended comments, respondents noted that regulatory compliance related to information security is among the most critical security issues they face."

  • Security outsourcing is not as widespread as some might think. Despite talk of increasing outsourcing, CSI said the survey results indicate very little outsourcing of information security activities, with 63% of respondents saying their organizations do not outsource any computer security functions.

  • IT groups want to educate and train internally to mitigate security risks. "Once again, the vast majority of the organizations view security awareness training as important," the report said. "In fact, there is a substantial increase in the respondents' perception of the importance of security awareness training. On average, respondents from most sectors do not believe their organization invests enough in this area."