Cyber-stats can alert you to potential security holes in your firm. Piles of statistics are surfacing regarding cyber crime and the losses accumulating from poor security. Some research, and the statistics it generates, is based on assumption and opinion, hopefully in the form of interactive models. Other studies are based on interviews and analysis. Still others apply a range of surveys from simplistic to sophisticated. Along with the percent signs that dot the reports are two vital and recurring terms: validity and reliability. Validity deals with whether a study measures what it sets out to measure; reliability deals with whether repeated measurements yield similar results. So in this case we must ask: are the e-security studies measuring what they should be, and are the respondents appropriate subjects to provide accurate information? Often you will find that statistics present widely disparate results, and more questions arise than answers are given. That's OK. In the e-security arena, the process of reviewing statistics and studying results is more productive than the exact incident counts or dollar figures that may be reported. By reviewing new and updated studies as they're released, cross-validated impressions of current and emerging trends become evident.
Know the trends
So many computer crime incidents are surfacing in the media that trends are difficult to nail down. However, the 2000 Computer Security Institute/FBI Computer Crime and Security Survey points out several trends worth noting. Among them are:
-- cyber attacks continue from within and outside of corporate walls, and a wide range of attack types has been discovered;
-- financial losses are increasing;
-- information security technologies by themselves are insufficient defenses.
There should be no doubt among security executives and their CEOs that these trends will intensify, mandating substantial investment in security protection. Released in spring 2000, the CSI/FBI study, now in its fifth year, is based on the responses of 643 corporate and government security practitioners. The sample reasonably represents most industry sectors and company sizes, measured by number of employees and gross income. The study shows a notable increase in the use of intrusion detection technologies compared to the previous year (50% in the 2000 study vs. 42% in 1999). Fully 70% of respondents detected unauthorized computer system use, a significant increase from 1999. Of respondents reporting detection of this kind, 11% listed financial fraud, 17% data or network sabotage, 20% proprietary information theft, 25% outside system penetration, 27% denial of service, 71% unauthorized insider access, 79% employee Internet access abuse, and 85% viruses. Employees and insiders remain a major threat. With 93% of respondents reporting use of Web sites (and 43% of those e-commerce related), 32% did not know whether there had been unauthorized access or misuse, a somewhat surprising and unfortunate admission. Those that did identify attacks reported a 29% increase in outside attacks from the previous year. The top two likely sources of attack were disgruntled employees and independent hackers, respectively.
While the preponderance of respondents (85%) reported patching holes when intrusions were discovered, fully 44% did not report intrusions at all, and only 25% reported unauthorized intrusions to law enforcement. Estimating financial losses from attack or misuse remains a daunting task. Suffice it to say the top two financial loss categories are proprietary information theft and financial fraud. Unless security resources are focused on these categories, expect far greater losses in the future. Underneath all this data lurks an ever-increasing shortage of educated, skilled, and experienced e-security personnel. This shortage worsens weekly because of rapidly changing skill sets, increasingly complex and detailed knowledge requirements, and repeated losses from successful attacks that ultimately threaten business failure. Given the reluctance to report incidents to law enforcement and the low confidence in that avenue of resolution, it is worth noting that investigative agencies suffer from similar skill shortages.
Find the exceptional
More sophisticated security research coming up! IS security education and the research that supports it are now becoming a recognized priority in the United States and increasingly in Europe. In fact, the National Security Agency has now designated 14 universities as Centers of Academic Excellence in Information Assurance Education (see http://www.nsa.gov/releases/COAE_2000.htm). Plan on communicating with these institutions to help assure actionable study results for more effective protection worldwide. Your organization also can actively participate in these studies as respondents, focus group contributors, or pilot testers. From these sources you can expect more security research that offers validity and reliability. With quality research should come more anonymity and confidentiality for respondents, fewer public visibility concerns, and more accurate views of world security trends and specific techniques, all without vendor hype.
A snapshot reveals much
A snapshot survey conducted by Applied Marketing Research Inc., of Shawnee Mission, Kan., also emphasizes important personal e-security behaviors. Interviews completed during the last week of June 2000 in New York City surveyed 300 people attending a computer conference regarding their protective computing practices. While 87% of consumers and almost 95% of technology professionals reported using anti-virus software to protect their computers from viruses, only 37% of consumers and 69% of tech professionals update their anti-virus software at least monthly. Only 19% of consumers and almost 49% of those in the technology profession have installed a personal firewall on their computers. In many ways, these results emphasize that, although many tech professionals and consumers feel they are protected from intrusion and attack, their efforts are woefully inadequate against current threats: anti-virus software that is not kept up to date cannot recognize newer viruses, and a computer without a firewall leaves its network services exposed.