The growing focus on IT security is making it harder for hackers to inflict financial damage on organizations, if a new survey from the Computer Security Institute (CSI) and San Francisco FBI's Computer Intrusion Squad is any indication.
The ninth annual Computer Crime and Security Survey showed that total financial losses reported by 494 respondents were $141.5 million, down significantly from the $201.8 million reported by 530 respondents last year. The CSI and FBI polled IT security managers from American corporations, government agencies, financial and medical institutions, and universities.
"Although the CSI/FBI survey clearly shows that cybercrime continues to be a significant threat to American organizations, our survey respondents appear to be getting real results from their focus on information security," said CSI Director Chris Keating. "Their average dollar losses per year have dropped in each survey for four straight years."
According to this year's survey, 46% of respondents said security accounted for up to 5% of their organizations' total IT budgets and 23% said more than 5% of their IT spending was for that purpose. Only 16% said security received less than 1% of the budget.
A majority – 269 of the 494 polled – said denial-of-service attacks cost them the most, followed by information theft, which had topped the list in recent surveys. Denial-of-service attacks accounted for $26.1 million of last year's total losses among those surveyed. Information theft accounted for $11.5 million. This came as no surprise, given the rise in recent months of viruses and worms specializing in DoS attacks. The vast majority of respondents -- 89% -- said their organizations experienced one to five Web site incidents in the last year.
More than 80% of those surveyed said their companies conduct security audits. A majority also said their organizations view security awareness training as important, though they don't think enough is spent on it. Security awareness training was perceived as most valuable in the areas of security policy and network security (70%), access control systems (63%), security management (62%) and economic factors (51%). Training seen as least valuable applied to security systems architecture (47%), investigations and legal issues (43%) and cryptography (28%).
While applauding the survey as a useful tool to measure how seriously organizations take their network security, some IT experts caution the masses not to interpret it as a sign that the war against hackers is being won.
Carter Schoenberg, a senior analyst with the Atlanta-based ISS X-Force threat intelligence service, worked with the FBI on investigations when he was a homicide detective for the DeKalb County police in Georgia. He noted that the survey only takes the responses of 494 people into account, not much when you consider how many IT professionals are working for organizations across the United States. He said it's important to note that reports of hacking to law enforcement have also decreased because of companies' concerns over bad publicity.
Keating acknowledges the survey only accounts for a piece of a larger puzzle.
"Obviously, computer crime remains a serious problem and some kinds of attacks can cause ruinous financial damage," Keating said. "We don't believe that all organizations maintain the same defenses as our members. Financial damages for less protected organizations are almost certainly worse. And hackers won't become complacent anytime soon. New attacks are devised every day. So we still have our work cut out for us. The message here is that it makes sense to continue our focus on adherence to sound practices, deployment of sophisticated technologies, and adequate staffing and training."