CALLING ALL BUSINESS PROFESSIONALS
What's the Current State of Computer Network Security?
07/25/05
Thanks to the Computer Security Institute (CSI), we have some pretty good answers to that question. Please read below for highlights from the 2005 CSI/FBI Computer Crime and Security Survey, based on responses from 700 U.S. corporations, government agencies, financial and medical institutions, and universities. This is our 10th annual survey in the information security field and, after reading it, we urge you to report to us any and all computer intrusions your company may experience.
1. Total financial losses from attacks have declined dramatically. Down 61% on a per-respondent basis from last year, but still reportedly $130M. What kinds of attacks? Virus attacks are #1; unauthorized access is #2; theft of proprietary information #3; and denial of service attacks a distant #4.
2. Attacks on computer systems or (detected) misuse of these systems have been slowly but steadily decreasing in all areas. Exception to the rule: a slight increase in the abuse of wireless networks.
3. Defacements of Internet websites have increased dramatically. 95% of organizations experienced more than 10 website incidents in 2004.
4. "Inside jobs" occur about as often as external attacks. The lesson is—anticipate attacks from all quarters.
5. Organizations largely defend their systems through firewalls, anti-virus software, intrusion detection systems, and server-based access control lists. Use of smart cards and other one-time password tokens increased, while use of intrusion prevention systems decreased.
6. More organizations are conducting security audits to serve as a baseline for a meaningful security program. 87% had conducted one.
7. Computer security investments per employee vary widely. State governments lead the pack at $497, followed, in descending order, by utilities, transportation, telecommunications, manufacturing, and high tech down to the federal government at $49.
8. Despite continuing discussion, there has been no increased use by organizations of outsourcing cybersecurity or using insurance to manage risks.
All good things to mull as you're reviewing your own computer network security. But please keep in mind we've only given you highlights. To get all the details, we encourage you to read the full report.
Resources: Computer Security Institute | FBI InfraGard program | Reporting Internet Crime | San Francisco FBI Computer Crimes