On May 29, 2003, the Computer Security Institute (CSI) and the FBI published the results of their most recent Computer Crime and Security Survey, now in its eighth year.
Some of the trends are encouraging, while others raise questions about the state of e-security and the progress made over the last several years.
One of the most encouraging statistics is the decrease in reported total annual losses due to some form of unauthorized computer use. The losses reported in the 2003 survey were $201.8 million - down 56 percent from last year's $455 million. However, in the survey analysis, the CSI and FBI state: "Despite the lower number for aggregate financial losses among survey respondents, the most important conclusion one must draw from the survey remains that the risk of cyberattacks continues to be high."
Even companies that employ a variety of security measures can be the victims of cybercrime. Fifty-six percent of respondents reported unauthorized computer use - a number that is in line with surveys from recent years. But why has the number stayed the same? If security technology is getting better every day, and if more companies are employing the improved technology, why aren't these incidents decreasing dramatically?
Why do cyberincidents continue?
There are several answers to that question:
- Hacker methods constantly evolve and get more sophisticated.
- New vulnerabilities are discovered almost daily, opening the door for cybercriminals to attack.
- Most companies aren't staffed at levels necessary to keep up with all the patches required to secure their networks. (Even huge enterprises like Microsoft can't keep up.)
- Infrastructures of large companies are extremely complex, providing greater opportunity for misconfiguration - the more doorways that exist, the more places for a hacker to attempt a break-in.
- Insider abuse of network access remains one of the hardest problems to solve - 80 percent of this year's respondents reported incidents caused from inside the company.
- There is a shortage of trained, qualified experts to manage the company's security.
The CSI/FBI survey showed that many companies are taking extraordinary measures to prevent malicious damage to their intellectual property. Of the respondents, 11 percent use biometric security, 83 percent use encrypted logins, 72 percent use digital IDs or certificates, and 87 percent said they used file encryption. But even with these sophisticated technologies in place, incidents happen and damage is done.
Most alarming to the security professional is the number of people who don't know what's going on in their networks. According to the survey, "Fifteen percent of respondents say they don't know whether there was any unauthorized use of their computer systems last year." For some, competing priorities and the lack of a good visibility mechanism keep them in the dark where their information security is concerned.
So, where does one turn for help? Many are looking to outsourced security companies to provide 24x7 expertise and support to keep their companies secure. These managed security solutions providers (MSSPs) cover the entire scope of security, including planning (assessing needs, writing security policy), implementation (installing firewalls, intrusion detection systems and other devices) and management (monitoring and managing the installed security devices).
The trend toward MSSPs seems like a natural progression for several reasons:
- Tough economic times have made corporate budgets extremely tight; hiring a full-time staff of security experts is cost-prohibitive for most.
- The amount of log data from the new security devices is immense, and in order for it to be useful, it must be analyzed. Who has the time?
- Increasing regulations in different industries. (For example, the U.S.'s HIPAA in healthcare, Gramm-Leach-Bliley Act in financial services, and other local and national regulations.)
- Security is not the companies' core business; focusing on security takes employees and managers away from mission-critical tasks.
- Round-the-clock protection is absolutely necessary.
By definition, MSSPs address each of these challenges - some through advanced technology, but all through a staff of trained security experts who watch over their customers' networks day and night.
The CSI/FBI survey data proves that security is not a passing trend. Increasing attacks and the threat of serious damage to a company's bottom line and reputation are very real. Fortunately, not all the news is bad. While hackers continue to get more creative and sophisticated, so do the good guys. More and more wise leaders are turning to MSSPs to help them stay a step ahead in the race for network security.
John Wilson is vice president and general manager, Ubizen North America (www.ubizen.com). The CSI/FBI survey is available for free download from the Computer Security Institute's web site (www.gocsi.com).