Cyber Attacks Less Costly, More Common?
By Mark Henricks
The average cost to organizations of cyber attacks declined
significantly last year, according to a survey, but survey sponsors said the
finding might be misleading. The 2011 CyberSecurity Watch Survey found that
annual monetary losses from cyber security events fell to $123,000 per
organization in 2011 from $395,000 when the survey was done in 2010. However, a
spokesman for the company that paid for the study said that could be due to
organizations reclassifying losses as related to privacy and fraud rather than
cyber security.
“Further, this metric alone could be misleading as reported
events, sophistication of attacks and external attribution have all increased
while the perceived effectiveness of technology-based defenses has decreased,”
added Ted DeZabala, national leader of security and privacy services at
Deloitte, which sponsored the poll of 600 business and government executives,
professionals and consultants.
In a finding that suggests DeZabala may be right about the
potential for the cost figures to be misleading, respondents reported significantly
more cybersecurity events than the year before. In the 2011 study, 28 percent
said they experienced more cyber attacks. Just 19 percent had no
attacks, compared to 40 percent who said they had no attacks in the 2010 study.
Outsiders were most likely to initiate attacks, with 58
percent of events being caused by people who lacked authorized access to
network systems and data. Twenty-one percent were caused by insiders including
employees and contractors with authorized access. Another 21 percent emanated
from unknown sources.
The insider attacks were considered more costly by 33
percent of respondents. That compares to 25 percent who felt the same way in
2010. That may be related to the fact that 22 percent of insider attacks used
rootkits or hacker tools, compared to 9 percent in 2010 that deployed the more
sophisticated cyber-weapons. In a finding identical to last year’s, 70 percent
of insider incidents were said to be handled internally without legal action.
Respondents said reputation damage, disruption of critical
systems and loss of confidential or proprietary information were sources of
costs related to insider incidents. Dawn Cappelli, technical manager of the
Insider Threat Center at the CERT program at Carnegie Mellon University, noted
that technical defenses against external attackers seeking data such as social
security numbers and credit card numbers have improved in recent years. “It is
a much more challenging problem to defend against insiders stealing classified
information or trade secrets to which they have authorized access or against
technically sophisticated users who want to disrupt operations,” Cappelli said.
The percentage of respondents reporting incidents of
accidental exposure of private or sensitive information declined sharply, from
52 percent in 2010 to 31 percent this time. Sixty-five percent said they
increased cybersecurity training and use of internal monitoring tools like data
loss prevention.
The survey was a cooperative effort of CSO magazine, the
U.S. Secret Service, the Software Engineering Institute CERT Program at
Carnegie Mellon University and Deloitte. Respondents consisted of subscribers
to CSO and visitors to the publication’s website. It was conducted by email
during August 2010 and covers the period between August 2009 and July 2010.