Posted by: Amker
« on: 17. September 2007., 16:24:25 »

The Computer Security Institute has just released the 2007 edition (PDF) of its long-running "Computer Crime and Security Survey," and it offers some dreary news for overworked computer security admins: average losses from attacks have surged this year. More surprising is the finding that the single biggest security threat faced by corporate networks doesn't come from virus writers any more; instead, it comes from company insiders.
CSI has been running this survey for over a decade and has seen average losses from security breaches drop every year from 2002 to 2006. Investments in security seemed to be paying off; in 2006, the average breach cost companies an estimated $168,000, way down from five years earlier. But in 2007, the numbers skyrocketed. Each breach this year costs an estimated $350,454 to repair.
Financial fraud and viruses caused most of the monetary losses, but both have fallen in frequency over the last few years. Only 12 percent of all respondents reported financial fraud at their institutions. Viruses, which used to plague 90 percent of all companies in 2001, now affect only 52 percent.
It's internal users who are now causing the greatest number of problems, though they may also cause minimal damage. Hiding porn on an office PC, using unlicensed software, and abusing e-mail all count as security incidents, though all pale in comparison to one successful phishing trip. These sorts of internal incidents can be pesky, though, and 59 percent of all respondents had to deal with them in the last year.
The CSI study has a major weakness: it's an "informal" study distributed to CSI members and conference-goers. The estimates of money lost to damages are, in one author's own words, "estimates." "Some of them," in fact, "are probably altogether approximate guesses."
Still, the study has been sampling this group of computer security people for a decade, so the report's conclusions seem to accurately track their perceptions of security; whether they represent reality is another question. But, as the report correctly notes, "when a group of professionals reports a significant reversal in a five-year trend of diminishing losses, we should be inclined to perk up our ears."
By Nate Anderson
Ars technica