Thursday, August 17, 2006

Highlights of the 2006 CSI/FBI Computer Crime and Security Survey

I felt like Steve Martin in "The Jerk" this morning, as I was jumping up and down in glee when the new 2006 CSI/FBI Computer Crime Survey arrived on my desk. It's not as easy to yell as "The Phonebook is here! The Phonebook is here!", but you get the point. Each year the Computer Security Institute and the San Francisco FBI Computer Intrusion Squad conduct this exciting survey. Going on 11 years, it provides interesting insights into the present state of security and also the current trends we are seeing in our industry. In this post, I'll be covering the highlights and key findings of the survey.


Overall IT security expenditures are hard to gauge from the survey, because company size is broken out by revenue. While smaller companies under $100 million in revenue experienced a 200 to 300 percent increase in security expenditures per employee, larger companies experienced a decline in overall spending.

Companies under $10 million in annual sales are spending a whopping $1,664 per employee annually on security and security training, while companies over $1 billion are averaging only $218 per employee. It seems like the evil dream of hurting Big Corporate America through cyber-crime is actually crippling the little guy.

Most respondents felt that not enough money was being budgeted for end-user security training. Companies with revenue over $1 billion spend less than $20 on end-user security awareness training. Economies of scale notwithstanding, this strikes me as exceptionally low. Isn't the end user the greatest threat?

Frequency, Nature and Cost of Breaches

The leading causes of financial loss cited in the survey were:

1. Virus
2. Unauthorized Access
3. Laptop / PDA Theft
4. Theft of Proprietary Information

68% of those losses were from insider threats. This number is down slightly, but it is clear that the problem is not solved by building a more robust perimeter. One interesting statistic in the report is that unauthorized use is down this year, to 52%. Down to 52%! 52% of the companies surveyed reported unauthorized use of their computer systems! Doesn't this bother anyone? I guess it is an improvement over the 70% finding in 2000.

While most attack types have been declining over the past 7 years of the survey, there were several attack types that were on the rise:

1. Financial Fraud
2. System Penetration
3. Sabotage
4. Misuse of Public Web Site
5. Web Site Defacement

All of these attack types were reported by less than 20% of the respondents, but the rise in these categories is something to watch carefully.

64% of all respondents had some sort of website incident, with 59% reporting more than 10 incidents per year. There is obviously something going on here. As organizations have become better at protecting the perimeter with Firewalls, IDS and IPS systems, the remaining Achilles heel is the organization’s public web site, which must remain somewhat open for business.

We began our Deep Web Application Scanning offering in early 2005, and have seen this portion of our business grow rapidly as people of malicious intent have moved on to this final frontier. Attacking the web server is easy, fairly unsophisticated, and simple to perform with off-the-shelf tools.

Risk Management

Only 29% of respondents transferred any risk by purchasing external "cyber insurance". You would expect, with all that has happened in the last 5 years, that organizations would be more willing to pay for insurance. I guess we need a few more tapes with 5 million credit card numbers to disappear.


Overall there was a slight decrease in IT security outsourcing. While not statistically significant (63% to 61%), it is interesting given the current outsourcing trend. It appears that IT security is being considered in a different light than regular IT projects and is not riding the outsourcing wave.


While overall financial losses are down this year, it is still apparent that organizations are not willing to spend on security technology that could really help them. I suspect that part of this is that many companies do not know exactly how much risk they are carrying because they have not performed a quantitative risk assessment. It is not enough to label your risk as High, Medium or Low. You need to put hard dollars on these items to understand the true impact. This also helps IT organizations get the funding they need. If I can reduce $2M in risk with a $50,000 patch management program, why wouldn't I?
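To make the "hard dollars" argument concrete, here is an added example (my own code, not part of the post or the survey) that scores a small constructed portfolio of risks with the standard Annualized Loss Expectancy model and ranks candidate controls by return on security investment. All risk and control figures are constructed, sized so that the patch-management option removes $2M of risk for the $50,000 mentioned above.

```python
"""Quantitative risk comparison using Annualized Loss Expectancy (ALE).

ALE = SLE (single loss expectancy, dollars per incident) * ARO (incidents/year).
All figures below are constructed for illustration, not survey data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # expected dollar loss per incident
    aro: float  # expected incidents per year

    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reductions: dict = field(default_factory=dict)  # risk name -> fraction of ALE removed


def total_ale(risks) -> float:
    return sum(r.ale() for r in risks)


def risk_reduction(risks, control) -> float:
    """Dollars of annualized risk the control removes across the portfolio."""
    return sum(r.ale() * control.reductions.get(r.name, 0.0) for r in risks)


def rosi(risks, control) -> float:
    """Return on security investment: (risk removed - cost) / cost."""
    return (risk_reduction(risks, control) - control.annual_cost) / control.annual_cost


def rank_controls(risks, controls):
    """Controls ordered by ROSI, best first; a High/Medium/Low label cannot do this."""
    return sorted(controls, key=lambda c: rosi(risks, c), reverse=True)


# Constructed portfolio (categories borrowed from the survey's top loss causes).
RISKS = [
    Risk("virus outbreak", sle=150_000, aro=10.0),        # ALE $1.5M
    Risk("unauthorized access", sle=500_000, aro=5.0),    # ALE $2.5M
    Risk("laptop theft", sle=25_000, aro=10.0),           # ALE $250k: "Low" per incident, not overall
    Risk("web site defacement", sle=50_000, aro=1.0),     # ALE $50k
]
CONTROLS = [
    Control("patch management", 50_000, {"virus outbreak": 0.8, "unauthorized access": 0.32}),
    Control("full-disk encryption", 40_000, {"laptop theft": 0.9}),
    Control("web app scanning", 60_000, {"web site defacement": 0.7, "unauthorized access": 0.2}),
]

if __name__ == "__main__":
    for c in rank_controls(RISKS, CONTROLS):
        print(f"{c.name:22s} removes ${risk_reduction(RISKS, c):>12,.0f}/yr  ROSI {rosi(RISKS, c):6.2f}")
```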

There is also still a definite lack of end-user awareness training, even though it is widely assumed that the "user is the weakest link." Also, it is clear that the largest cause of financial loss is not the largest concern of most IT departments. Viruses ranked only 5th on the respondents' list of concerns, behind:

1. Data Protection (Classification, Identification, Encryption)
2. Web Application Security
3. Regulatory Compliance
4. Identity Theft

One thing I would like to see in the study covered in future years is more data on how these attacks are carried out. How many were due to poor access lists, poor administrative control, or social engineering? For instance, viruses are the leading cause of financial loss, we know that, but how are these viruses introduced into the network? Is it people clicking on e-mail links, surfing the web, or is it just poor patch management? Until you can answer those questions, it is hard to determine where an organization can realize the best reduction of risk at the least possible cost.

Manuel Boissiere said...


Good blog, I've bookmarked it.

Keep up the good work.



Karn said...

Thanks Manuel! I really appreciate that.