Computer Crime Research Center


Report: A Misplaced Sense of Security?

Date: November 09, 2004
By: Jim Wagner

Despite feeling safer now than a year ago, 20 percent of businesses in a network security survey of 300 IT staffers in companies with more than $30 million in annual revenues admitted to unauthorized breaches into their company networks.

The survey, conducted by security software vendor Britestream Networks and Q&A Research, reported that 76 percent of the companies surveyed feel safer than they were last year.

Of the 76 percent who feel safer, 38 percent credit a more effective implementation of security policies, while 23 percent say additional security investments make their networks safer.

This seeming paradox underlies the biggest concern among security experts -- the fact that malicious hackers, called crackers, are getting more sophisticated when it comes to network intrusions. The end goal is to obtain customer information, such as credit card numbers, Social Security numbers and the like, as well as intellectual property the company owns.

Mark Salas, Britestream vice president of marketing, said the value of personal information has been increasing lately, making unauthorized intrusions more tempting and common.

"The tools they are using are becoming more and more sophisticated, so what we're seeing here is something of an arms race where, more often than not, the good side wins a great majority of the battles but the bad side is still winning its fair share of the battles," he said.

Some of the other key findings:

* Viruses top the list of IT concerns, at 88 percent.
* Network attacks, though unsuccessful, have increased, according to 62 percent of those surveyed. Of the 62 percent, almost half believe the number of attempts has been increasing.
* 67 percent of companies would spend more to secure their networks if they had the funding.

Getting more money to combat network intrusions is increasingly difficult. Despite the fact that 70 percent of respondents felt their CEOs took security seriously, the average percentage spent on security improvements was 18 percent. It's only expected to increase 2 percent next year. The biggest incentive for security investments comes from those public companies that are governed by regulations (67 percent).

The toughest problem for IT administrators, as Salas sees it from discussions with potential and existing customers, is showing C-level executives how much of an effect a network intrusion or DDoS attack would have on the bottom line.

"You need to make a business case for greater expenditure," he said. "At the end of the day, what you need is specific data to quantify the costs, risks, the return on investments (ROI); how do you measure how much caching costs? How do you measure how much an intrusion costs? What a lot of people surveyed mentioned is that there is real data that's missing out there."

What the report doesn't cover is the financial loss incurred by 20 percent of companies who reported a network intrusion. The annual "Computer Crime and Security Survey," published by the Computer Security Institute (CSI) and the FBI and released in June, actually shows financial losses have decreased since the previous year, though security remains a tangible threat.

In the survey, 494 companies said they lost $141.5 million because of computer crimes, down from 530 respondents who reported $201.8 million the previous year. DDoS attacks have replaced theft of intellectual property as the main security threat. Organizations are also successfully using metrics to evaluate their security decisions: 55 percent use ROI; 28 percent use internal rate of return (IRR); and 25 percent use net present value.

"Although the CSI/FBI survey clearly shows that cybercrime continues to be a significant threat to American organizations, our survey respondents appear to be getting real results from their focus on information security," the report's statement read. "Their average dollar losses per year have dropped in each survey for four straight years."
