2007 E-Crime Watch Survey shows security incidents, electronic crimes and their impact steady versus last year
FRAMINGHAM, Mass. -- CSO magazine today releases results of the 2007 E-Crime Watch Survey. This year's study revealed that while security events and electronic crimes were steady against last year's findings, there are real concerns that security executives may be becoming overconfident.
Conducted with the U.S. Secret Service, Carnegie Mellon University Software Engineering Institute's CERT® Program and Microsoft Corp., the fourth annual survey polled 671 security executives and law enforcement officials on a variety of security topics, including commitment to security, the source of e-crimes, the top e-crimes professionals are experiencing, methods of attack, security technologies being deployed to defend against attacks, and the legal steps organizations are taking after they've been attacked.
"There is little doubt that organizations have learned a tremendous amount about security in the last five years and are making serious headway in understanding and combating threat," said Bob Bragdon, publisher of CSO Magazine. "At the same time, we saw signs in this study that organizations think they have things handled, which is concerning given the recent rise in targeted, financially motivated attacks."
A key indication of the study was that while 57% of participants said they are increasingly concerned about the potential effects of e-crime, and 49% of them reported experiencing an e-crime in 2006 vs. 38% the prior year, other responses suggested they are not prioritizing security as much as they have in previous years. For example, 69% of respondents said they are more prepared to deal with those threats than they have been in the past, yet these same organizations said they've trimmed spending on IT security by 5% and corporate security by 15%.
"You should never let down your guard when it comes to cybersecurity," said Jeff Jones, director of Trustworthy Computing for Microsoft. "Crime is a fact of life in the digital world just as it is in the physical world; even with the best security posture, you must still steadily guard against potential threat."
The Source of Crimes: Insiders, Outsiders and the Unknown
Part of guarding against threat is understanding its source, and so the survey posed several questions to compare cybercrimes by insiders and outsiders.
When asked who caused more damage (in terms of cost or operations), results were fairly close (insiders 34%, outsiders 37%, unknown 29%). But by their actions, participants indicated they may not be giving as much attention to insider threats as would seem justified. For example, background checks dropped from use in 73% of the organizations last year to only 57% this year, account/password management policies dropped from 91% of the organizations last year to 84% this year, employee monitoring from 59% to 42%, and employee security awareness training from 68% last year to 38% this year.
"It is important that organizations are proactive in their approach to mitigating insider threats," says Dawn Cappelli, Senior Member of the Technical Staff at CERT. "Defense-in-depth isn't just about putting adequate technology in place, it's also about paying attention to your people and implementing policies and procedures to reduce the likelihood of an insider attack. Our research has shown that those very policies and practices that respondents are cutting back on are critical in mitigating insider threats."
The potential for damage from an insider