When Security Helps Stem Business Losses

Losses attributed to security breaches in the United States are trending down

George V. Hulme, Contributor

June 21, 2003


Losses attributed to security breaches in the United States are trending down. Losses from intellectual-property theft plummeted from $170.8 million in 2001 to $70.2 million in 2002, according to the eighth annual Computer Security Institute's CSI/FBI Computer Crime and Security Survey. The estimated damage for nearly all security breaches studied, with the exception of denial-of-service attacks, fell precipitously.

Have security experts finally figured out how to block hackers? Costs from IT theft have fallen not because theft of such data necessarily has decreased, says Eric Ogren, a senior analyst at the Yankee Group. Rather, he says, companies are getting better at devising more realistic valuations of their data and have toned down the estimated value of much of their intellectual property.

Another reason for the drop in losses: better sharing of security knowledge, better exchange of best practices, and better tools to combat or investigate security breaches. "The business world has gotten better at security intelligence," Ogren says. "That's one thing that will drive costs down as it's easier to identify the problem and the antidote."

Dollar Losses

Annual cost of computer crime

| Type of breach | 2001 | 2002 | 2003 |
| --- | --- | --- | --- |
| Theft of proprietary information | $151.2M | $170.8M | $70.2M |
| Insider abuse of network access | $35.0M | $50.1M | $11.8M |
| System penetration by outsider | $19.1M | $13.1M | $2.8M |
| Sabotage of network data | $5.2M | $15.1M | $5.1M |
| Denial-of-service attacks | $4.3M | $18.4M | $65.6M |

Even the cost increases associated with denial-of-service attacks can be seen as good news since they indicate that companies are becoming increasingly interconnected, and the value of the networks created and the worth of the data flowing through them is increasing, too. The bad news: As the Internet and corporate networks mature, the pain associated with attacks that strike at the availability of these systems will be severe. Employee-productivity losses as Slammerlike worms choke network access will become more acute as companies increasingly rely on telecommuters and as technologies such as voice over IP take root.

Clearly, more work needs to be done, especially in combating denial-of-service attacks. How does your company plan to support remote access to its operations while ensuring that company networks stay secure? Let us know at the address below.

George V. Hulme
Senior Editor
[email protected]

Defensive Actions

What security technologies does your company use?

Antivirus software, firewalls, and access controls are the strategies chosen most often. Yet businesses also are looking to intrusion-detection software, file encryption, and digital IDs to provide security. Biometrics also are gaining a foothold at companies surveyed by CSI. Eleven percent surveyed say their organizations have invested in biometrics technologies.

External Strikes

How many external security incidents has your company experienced?

Nearly a third of surveyed security professionals report not knowing the number of times their company has fallen victim to an external security attack. Robert Richardson, editorial director for CSI, believes this might be an honest assessment of their situation. Security attacks at these companies might have created little damage or cost little money, so respondents aren't actively looking for security problems or monitoring for them.

Internal Attacks

How many internal security incidents has your company experienced?

Viruses and worms are intended to disrupt and even harm data stores. But these weren't necessarily the biggest information-security threats facing corporate America last year. Insiders who lack proper permissions pose a much bigger risk, respondents said. Companies seeking to protect their proprietary information and their workers' productivity need to do more than be on the lookout for external security threats. Whether deliberate or not, employees at two-thirds of surveyed sites have been linked to security breaches. One-third of those surveyed simply didn't know of internal breaches.

Employee Hits

Does your company suspect a disgruntled employee of a security attack on your company?

The fact that companies suspect disgruntled employees of security attacks doesn't mean that businesses are hiring bad people or have poor hiring practices. "Companies have to assume that security attacks happen from within their firewalls," says CSI's Richardson. "It can't be stopped. It just has to be kept under control." The good news: The number of security attacks attributed to disgruntled employees remained relatively unchanged over the past three years. This despite salary freezes, layoff threats, and higher workloads for many workers.


About the Author

George V. Hulme

Contributor

An award-winning writer and journalist, George Hulme has written about business, technology, and IT security topics for more than 20 years. He currently freelances for a wide range of publications and is a security blogger at information.com.
