The Computer Crime and Security Survey is conducted by CSI annually. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States.

For the past five years, this survey—perhaps the most widely quoted set of statistics in the industry—has shown a drop in average estimated losses due to cybercrime. This year, however, the tide has turned and respondents have reported a significant upswing.

Because this is the longest-running survey in the information security field, it’s possible to see that losses climbed steadily before the loss numbers began to fall in 2002. The losses at their peak were still dramatically higher than they are this year. The drop from that peak came as a surprise to many and indeed no small amount of reflection has been invested in sorting out just how it could be that security practitioners thought they were losing less and less money.

A drop in losses was welcome evidence that the efforts put into cyber security were showing some return on investment. At the same time, there was reason to believe that the downward trend couldn’t continue indefinitely. A number of developments within the criminal world persuaded many knowledgeable observers that it was inevitable that the gains made would be given up with the arrival of newer, more insidious threats.

Though it’s wrong to project a trend from a single year’s results, and particularly from an informal survey such as this one, there is nevertheless a strong suggestion in this year’s results that mounting threats are beginning to materialize as mounting losses.

This year’s survey results are based on the responses of 494 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities.

This is the 12th year of the survey. In previous years, the survey was titled the CSI/FBI survey, but although our colleagues within the Bureau have continued to provide insight and opinion regarding the survey, the “FBI” nomenclature has been discontinued and the survey is now entirely administered by CSI. ...

by Robert Richardson
Director, Computer Security Institute

Download CSI Computer Crime and Security Survey 2007

1.9MB, PDF format, 30Pages.

KEY FINDINGS

Some of the key findings from the participants in this year’s survey are summarized below:

❏ The average annual loss reported in this year’s survey shot up to $350,424 from $168,000 the previous year. Not since the 2004 report have average losses been this high.

❏ Almost one-fifth (18 percent) of those respondents who suffered one or more kinds of security incident further said they’d suffered a “targeted attack,” defined as a malware attack aimed exclusively at their organization or at organizations within a small subset of the general population.

❏ Financial fraud overtook virus attacks as the source of the greatest financial losses. Virus losses, which had been the leading cause of loss for seven straight years, fell to second place. If separate categories concerned with the loss of customer and proprietary data are lumped together, however, then that combined category would be the second-worst cause of financial loss. Another significant cause of loss was system penetration by outsiders.

❏ Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) edged out virus incidents as the most prevalent security problem, with 59 and 52 percent of respondents reporting each respectively.

❏ When asked generally whether they’d suffered a security incident, 46 percent of respondents said yes, down from 53 percent last year and 56 percent the year before.

❏ The percentage of organizations reporting computer intrusions to law enforcement continued upward after reversing a multi-year decline over the past two years, standing now at 29 percent as compared to 25 percent in last year’s report.

Visit CSI Computer Crime and Security Survey's Webpage

CSI: PRACTICAL INSIGHTS FROM THE BEST MINDS IN SECURITY

The perimeter "vanished" several years ago, but endpoint controls are only now shaping up. Your colleagues are trying several approaches, and you need to know how they're faring.

Networks are incorporating a new "identity layer" that will redefine security. You need a rational plan for adapting your access control systems.

Web 2.0 sounds pretty exciting—if you're a hacker. Otherwise, you need to connect with your software developers, and soon.

You can't do business without compliance to several legislative requirements at once. You need real-world mappings of one acronym to another, guidelines to measure your organization against the right benchmarks, and access to the sure hands that have led several Fortune 500 companies over the hurdles.

CSI delivers a relentlessly business-focused view of enterprise information security. As security professionals grapple with these challenges, CSI is there to provide depth and insight, energy and inspiration from each of these intersecting points.

CSI publications and special reports delve deeper into the news with interpretive analysis to help security professionals decide for themselves what's real, what's hype and what's right for their organization.

With an ongoing series of regional events culminating in an annual conference each autumn, CSI provides the inside track to top educators and innovative vendors in a thought-provoking, stimulating environment.

Comments (0)

Name

Email

Comment

smaller | bigger

Add Comment