The Computer Security Institute (CSI) pre-released selected findings from its 2009 Computer Crime and Security Survey. The survey, now in its 14th year, found that average losses due to security incidents are down again this year (from $289,000 per respondent to $234,244 per respondent), though they are still above 2006 figures.
Respondents reported big jumps in the incidence of:
- password sniffing (17.3 percent, up from 9 percent last year)
- Web site defacement (13.5 percent, up from 6 percent last year)
- financial fraud (19.5 percent, up from 12 percent last year)
- denial of service (29.2 percent, up from 21 percent last year)
- malware infection (64.3 percent, up from 50 percent last year)
A full one-third of respondents’ organizations were fraudulently represented as the sender of a phishing message.
Twenty-five percent of respondents felt that over 60 percent of their financial losses were due to non-malicious actions by insiders.
When asked what actions were taken following a security incident, 22 percent of respondents stated that they notified individuals whose personal information was breached, and 17 percent stated that they provided new security services to users or customers (e.g. credit monitoring, issuing new credentials).
Most respondents felt their investment in end-user security awareness training was inadequate, but most felt their investments in other components of their security program were adequate.
Respondents are satisfied, but not overjoyed, with security technology. Use of almost all security technologies increased; the largest increases were in anti-spyware software and encryption of data at rest (in storage).
When asked what security solutions ranked highest on their wishlists, many respondents named tools that would improve their visibility—better log management, security information and event management, security data visualization, security dashboards and the like.
Respondents generally said that regulatory compliance efforts have had a positive effect on their organization’s security programs.
This year’s survey results are based on the responses of 443 information security and information technology professionals in United States corporations, government agencies, financial institutions, educational institutions, medical institutions and other organizations. Their responses cover the security incidents they experienced and the security measures they practiced over the period from July 2008 to June 2009.