Virus Attacks Named Leading Culprit of Financial Loss by U.S. Companies in 2006 CSI/FBI Computer Crime and Security Survey

New CSI Survey Available Online Showcases Security Breach Figures



Jul 13, 2006, 01:00 ET from CMP Technology

    SAN FRANCISCO, July 13 /PRNewswire-FirstCall/ -- The Computer Security
 Institute (CSI) with the participation of the San Francisco Federal Bureau
 of Investigation's (FBI) Computer Intrusion Squad today released its 2006
 report citing that virus attacks are the leading cause of financial losses.
 The top four categories -- virus attacks, unauthorized access to networks,
 lost/stolen laptops or mobile hardware and theft of proprietary information
 or intellectual property -- according to the 2006 Computer Crime and
 Security Survey, account for more than 74 percent of financial loss.
     However, negative publicity from reporting intrusions to law
 enforcement is still a major concern for most organizations. Even in an
 anonymous survey, only half of the 616 U.S. companies surveyed were willing
 to share overall cost figures from financial losses resulting in security
 breaches. The average loss reported by this group was $167,713, which
 represents a decrease of nearly 18 percent from last year's average loss of
 $203,606.
     Additional key findings include:
 
     *  Companies resist reporting computer crimes.  The percentage of
        organizations reporting computer intrusions to law enforcement has
        reversed its multi-year decline, standing at 25 percent as compared
        with 20 percent in the previous two years.
 
     *  Government mandates and compliance issues continue to be a hot topic
        within the IT department.  The impact of the Sarbanes-Oxley Act on
        information security remains substantial.  In fact, in open-ended
        comments, respondents noted that regulatory compliance related to
        information security is among the most critical security issues they
        face.
 
     *  Security outsourcing is not as prevalent within U.S. companies.
        Despite talk of increasing outsourcing, the survey results related to
        outsourcing are similar to those reported for the last two years and
        indicate very little outsourcing of information security activities.
        Sixty-three percent of the respondents indicated that their
        organizations do not outsource any computer security functions.  Among
        those organizations that do outsource some computer security
        activities, the percentage of security activities outsourced is rather
        low.
 
     *  IT groups want to educate and train internally to mitigate security
        risks.  Once again, the vast majority of the organizations view
        security awareness training as important.  In fact, there is a
        substantial increase in the respondents' perception of the importance
        of security awareness training.  On average, respondents from most
        sectors do not believe their organization invests enough in this area.
     "This year's survey -- coupled with results from recent years --
 suggests that the news within the enterprise security perimeter is good.
 Respondents tell us that they are keeping their cybercrime losses lower,"
 said Chris Keating, CSI director. "At the same time, our economic reliance
 on computers and technology is growing and criminal threats are growing
 more sophisticated, so we shouldn't overestimate our strengths. As
 highlighted in the survey, the security professional's role is imperative
 within U.S. companies -- they are asked each and every day to address the
 constantly evolving threat."
     The main objectives of this report are to focus on key trends in the
 information security arena and to identify changes in the landscape as they
 become visible so that business can act accordingly. "Virus attacks,
 cybercrime and identity theft all effect consumer confidence, slowing the
 acceptance of e-commerce," said Robert Richardson, CSI editorial director.
 "We want to ensure that today's security professionals receive the latest
 tools and resources to positively impact and promote awareness within their
 industries."
     The complete 2006 CSI/FBI Computer Crime and Security Survey is
 available for download on the CSI Web site at GoCSI.com.
     About CSI/FBI Annual Survey
     Computer Security Institute (CSI) is the world's premier membership
 association and education provider serving the information security
 community. For 33 years CSI has helped thousands of security professionals
 protect their organizations' valuable information assets through
 conferences, seminars, publications and membership benefits. CSI offers the
 survey results as a public service.
     The team at CSI collaborates with an academic team from the Robert H.
 Smith School of Business at the University of Maryland. The three-person
 team, led by Lawrence A. Gordon, Ernst & Young Alumni Professor of
 Managerial Accounting and Information Assurance, specializes in research on
 the economics of information security.
     The participation of the FBI's San Francisco Computer Intrusion Squad
 office has been invaluable. Over the years, the squad has provided input
 into the development of the survey and acted as our partners in the effort
 to encourage response. CSI has no contractual or financial relationship
 with the FBI. The survey is simply an outreach and education effort on the
 part of both organizations. CSI funds the project and is solely responsible
 for the results.
     About CSI
     Computer Security Institute (CSI) is the world's leading membership
 organization specifically dedicated to serving and training the
 information, computer and network security professional. Since 1974, CSI
 has been providing education and aggressively advocating the critical
 importance of protecting information assets.
     CSI sponsors two conference and exhibitions each year; CSI NetSec in
 June and the CSI Annual Computer Security Conference and Exhibition in
 November. A full schedule of training classes is offered on encryption,
 intrusion management, Internet, firewalls, awareness, Windows and more.
     CSI membership benefits include the ALERT newsletter, quarterly
 Journal, discounts on CSI conferences and training, and SecurCompass, an
 automated, standards-based security program assessment tool. For more
 information about CSI, email csi@cmp.com or telephone 415.947.6320.
     Press Contacts:
      Jennifer Cincu                        Robert Richardson
      Articulate Communications Inc.        Computer Security Institute
      212.255.0080, ext. 33                 610.604.4604
      jcincu@articulatepr.com               rrichardson@cmp.com
 
 

SOURCE CMP Technology
    SAN FRANCISCO, July 13 /PRNewswire-FirstCall/ -- The Computer Security
 Institute (CSI) with the participation of the San Francisco Federal Bureau
 of Investigation's (FBI) Computer Intrusion Squad today released its 2006
 report citing that virus attacks are the leading cause of financial losses.
 The top four categories -- virus attacks, unauthorized access to networks,
 lost/stolen laptops or mobile hardware and theft of proprietary information
 or intellectual property -- according to the 2006 Computer Crime and
 Security Survey, account for more than 74 percent of financial loss.
     However, negative publicity from reporting intrusions to law
 enforcement is still a major concern for most organizations. Even in an
 anonymous survey, only half of the 616 U.S. companies surveyed were willing
 to share overall cost figures from financial losses resulting in security
 breaches. The average loss reported by this group was $167,713, which
 represents a decrease of nearly 18 percent from last year's average loss of
 $203,606.
     Additional key findings include:
 
     *  Companies resist reporting computer crimes.  The percentage of
        organizations reporting computer intrusions to law enforcement has
        reversed its multi-year decline, standing at 25 percent as compared
        with 20 percent in the previous two years.
 
     *  Government mandates and compliance issues continue to be a hot topic
        within the IT department.  The impact of the Sarbanes-Oxley Act on
        information security remains substantial.  In fact, in open-ended
        comments, respondents noted that regulatory compliance related to
        information security is among the most critical security issues they
        face.
 
     *  Security outsourcing is not as prevalent within U.S. companies.
        Despite talk of increasing outsourcing, the survey results related to
        outsourcing are similar to those reported for the last two years and
        indicate very little outsourcing of information security activities.
        Sixty-three percent of the respondents indicated that their
        organizations do not outsource any computer security functions.  Among
        those organizations that do outsource some computer security
        activities, the percentage of security activities outsourced is rather
        low.
 
     *  IT groups want to educate and train internally to mitigate security
        risks.  Once again, the vast majority of the organizations view
        security awareness training as important.  In fact, there is a
        substantial increase in the respondents' perception of the importance
        of security awareness training.  On average, respondents from most
        sectors do not believe their organization invests enough in this area.
     "This year's survey -- coupled with results from recent years --
 suggests that the news within the enterprise security perimeter is good.
 Respondents tell us that they are keeping their cybercrime losses lower,"
 said Chris Keating, CSI director. "At the same time, our economic reliance
 on computers and technology is growing and criminal threats are growing
 more sophisticated, so we shouldn't overestimate our strengths. As
 highlighted in the survey, the security professional's role is imperative
 within U.S. companies -- they are asked each and every day to address the
 constantly evolving threat."
     The main objectives of this report are to focus on key trends in the
 information security arena and to identify changes in the landscape as they
 become visible so that business can act accordingly. "Virus attacks,
 cybercrime and identity theft all effect consumer confidence, slowing the
 acceptance of e-commerce," said Robert Richardson, CSI editorial director.
 "We want to ensure that today's security professionals receive the latest
 tools and resources to positively impact and promote awareness within their
 industries."
     The complete 2006 CSI/FBI Computer Crime and Security Survey is
 available for download on the CSI Web site at GoCSI.com.
     About CSI/FBI Annual Survey
     Computer Security Institute (CSI) is the world's premier membership
 association and education provider serving the information security
 community. For 33 years CSI has helped thousands of security professionals
 protect their organizations' valuable information assets through
 conferences, seminars, publications and membership benefits. CSI offers the
 survey results as a public service.
     The team at CSI collaborates with an academic team from the Robert H.
 Smith School of Business at the University of Maryland. The three-person
 team, led by Lawrence A. Gordon, Ernst & Young Alumni Professor of
 Managerial Accounting and Information Assurance, specializes in research on
 the economics of information security.
     The participation of the FBI's San Francisco Computer Intrusion Squad
 office has been invaluable. Over the years, the squad has provided input
 into the development of the survey and acted as our partners in the effort
 to encourage response. CSI has no contractual or financial relationship
 with the FBI. The survey is simply an outreach and education effort on the
 part of both organizations. CSI funds the project and is solely responsible
 for the results.
     About CSI
     Computer Security Institute (CSI) is the world's leading membership
 organization specifically dedicated to serving and training the
 information, computer and network security professional. Since 1974, CSI
 has been providing education and aggressively advocating the critical
 importance of protecting information assets.
     CSI sponsors two conference and exhibitions each year; CSI NetSec in
 June and the CSI Annual Computer Security Conference and Exhibition in
 November. A full schedule of training classes is offered on encryption,
 intrusion management, Internet, firewalls, awareness, Windows and more.
     CSI membership benefits include the ALERT newsletter, quarterly
 Journal, discounts on CSI conferences and training, and SecurCompass, an
 automated, standards-based security program assessment tool. For more
 information about CSI, email csi@cmp.com or telephone 415.947.6320.
     Press Contacts:
      Jennifer Cincu                        Robert Richardson
      Articulate Communications Inc.        Computer Security Institute
      212.255.0080, ext. 33                 610.604.4604
      jcincu@articulatepr.com               rrichardson@cmp.com
 
 SOURCE CMP Technology

RELATED LINKS

http://techweb.cmp.com/corporate/current