Never too soon to boost IT security
Despite all the warnings about computer security to executives, the financial toll continues to mount from this form of break-in, according to the Computer Security Institute (CSI) annual computer crime and security survey.
Meanwhile, Ernst & Young's 2002 information security survey indicates why these break-ins continue to occur. The E&Y survey found that only 40 percent of US organisations surveyed were confident they would detect a systems attack. Even more troubling is the finding that 40 percent do not even bother to investigate information security incidents.
The CSI survey found that 90 percent of respondents, made up primarily of large corporations and government agencies, had detected computer security breaches within the last twelve months. Eighty percent of the 503 institutions surveyed acknowledged financial losses due to computer breaches.
Only 223 respondents were willing, or able, to give figures for their financial losses. These respondents reported a staggering US$455,848,000 in financial losses, or an average of about $2 million each. The most serious financial losses occurred through theft of proprietary information, with 41 respondents reporting a total of $170,827,000 in losses. Financial fraud cost 40 respondents a total of US$115,753,000.
The CSI is a San Francisco-based association of information security professionals. About 74 percent of those surveyed cited their Internet connection as a frequent point of attack. Thirty-four percent reported the intrusions to law enforcement compared to 16% reporting in 1996.
Forty percent detected system penetration from the outside. Forty percent detected denial of service attacks, while 85 percent detected computer viruses. Seventy-eight percent detected employee abuse of Internet access privileges, for example, by downloading pornography or pirated software, or inappropriate use of e-mail systems.
Of those surveyed, 98 percent have Internet sites, through which 52 percent conduct electronic commerce. Of that number, 38 percent detected unauthorised access or misuse on their Web sites within the last twelve months. The scary figures are these: 21 percent said that they didn't know if there had been unauthorised access or misuse, while 39 percent reported ten or more incidents, and 12 percent reported theft of transaction information.
The CSI says the survey shows that technology alone cannot thwart cyber attacks and that there is a need for greater cooperation between the private sector and the government. The survey also challenged some of the profession's “conventional wisdom,” for example that the “threat from inside the organisation is far greater than the threat from outside the organisation” and that “most hack attacks are perpetrated by juveniles on joy-rides in cyberspace.”
“There is much more illegal and unauthorised activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement,” the CSI concluded. “Incidents are widespread, costly and commonplace.” Meanwhile Ernst & Young's 2002 information security survey found that less than 50% of organisations have information security training and awareness programmes. However, in contrast to the CSI survey, Ernst & Young says published data continues to confirm that more than 75% of attacks originate from within organisations.
A period of economic downturn serves to increase the risk, as it provides an opportunity for disaffected staff to damage systems, make downsized firms rely on fewer individuals, and place increased pressure on budgets creating increased vulnerabilities, Ernst & Young said.
Company board members may put a firm in danger by feeling confident that the organisation is adequately protected, when in reality significant technical investments are being undermined by a lack of concern, Ernst & Young says.
“Information security is still often regarded as a technical issue to be left to the IT department alone,” Ernst & Young said.
The danger lies in inadequate business processes, a lack of awareness or training, third parties and business partners, and an absence of testing and assurance processes. This means that if you are a board member or key executive, now is the time to review your IT security strategy. Do it now and not as a panic reaction after the company becomes a victim.
“An information security strategy provides a framework for making decisions and agreeing priorities,” the survey states. “Many businesses develop technical plans. These may include policies, procedures and some indication of technologies - in other words, focus on technical specification. For a security strategy to be of real value it must be driven and embraced by line and functional business leaders across disciplines, and include sound consideration of the nature of the business risks and the organisation's culture. It must be a living document which drives tactical and operational decisions in all business areas. Components often overlooked are training and awareness, sourcing strategy, and performance and assurance measures.” The CSI survey can be found at www.gocsi.com.
The Ernst & Young survey can be downloaded at Ernst & Young's Bermuda Internet site: http://www.ey.com/global/gcr.nsf/bermuda/home.
Tech Tattle deals with topics relating to technology. You can contact Ahmed at editoroffshoreon.com or (33) 467901474.