The State of Computer Security
Internal Threat Rises to the Top
Two recently released computer and information security surveys provide data on the subject:
- The 2007 Global State of Information Security survey by CIO and CSO magazines in conjunction with PricewaterhouseCoopers
- The 2007 CSI Computer Crime and Security Survey by the Computer Security Institute, with input from the FBI
Some key points from the surveys:
Losses are Greater in Size
The average size of the loss suffered due to a breach is up, after declining for several years. However, the average size remains low relative to the very high levels in 2001 and 2002, before companies had widely adopted security measures.
More Attacks are Targeted Attacks
This may account for the new increase in loss size, as perpetrators go after specific targets rather than hacking at random.
The Insider Threat Continues to Rage
It has been common wisdom for several years that insiders (employees and former employees) constitute the greatest threat. This has been confirmed in surveys over the years, and it is striking in its clarity in these two 2007 surveys. Insiders are a far greater risk than hackers from outside, due to their access to systems and information, and in the case of disgruntled ex-employees, due to motive.
In fact, it is now becoming clear that the $7 billion trading loss suffered by French company Societe Generale in 2007 was enabled by a security breach, in that the employee had access to areas of the network he should not have had.
More Companies are Getting Serious About Security
57% of respondents to the CIO survey reported having an overall security strategy, as opposed to only 37% in 2004.
We will address the state of the insurance market for computer and data security in a follow-up bulletin.
May 08, 2008