For several years, this survey—perhaps the most widely quoted set of statistics in the industry—showed a steady drop in average estimated losses due to cybercrime. It seemed counterintuitive to some experts, accustomed to seeing the worst of the crime that’s out there.

Last year the tide turned and respondents reported a significant upswing. Given the changes in the nature and severity of network-borne threats, this seemed only natural.

This year the average losses are back down again. And that’s puzzling, honestly. There seems little question that several sweeping changes in the overall state of IT practices—coupled with equally broad changes in the habits of the criminal world—are making significant, hard-hitting attacks easier and more lucrative for their perpetrators.

What these results suggest, though, is that on most days at most organizations, the attacks are less imaginative than what’s currently theoretically possible.

Which, for the moment, is good news.

Download CSI Computer Crime & Security 2008

PDF format, 1MB, 31Pages.

The latest results from the longest-running project of its kind
By Robert Richardson, CSI Director

For the 13th year, CSI has asked its community how they were affected by network and computer crime in the prior year and what steps they’ve taken to secure their organizations. Over 500 security professionals responded. Their answers are inside…

Key Findings
This year’s survey results are based on the responses of 522 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities. This is the 13th year of the survey.

The most expensive computer security incidents were those involving financial fraud…
…with an average reported cost of close to $500,000 (for those who experienced financial fraud). The second-most expensive, on average, was dealing with “bot” computers within the organization’s network, reported to cost an average of nearly $350,000 per respondent. The overall average annual loss reported was just under $300,000.

Virus incidents occurred most frequently…
…occurring at almost half (49 percent) of the respondents’ organizations. Insider abuse of networks was second-most frequently occurring, at 44 percent, followed by theft of laptops and other mobile devices (42 percent).

Almost one in ten organizations reported they’d had a Domain Name System incident…
…up 2 percent from last year, and noteworthy, given the current focus on vulnerabilities in DNS.

Twenty-seven percent of those responding to a question regarding “targeted attacks”…
…said they had detected at least one such attack, where “targeted attack” was defined as a malware attack aimed exclusively at the respondent’s organization or at organizations within a small subset of the general business population.

The vast majority of respondents said their organizations either had (68 percent)…
…or were developing (18 percent) a formal information security policy. Only 1 percent said they had no security policy.

Comments (0)

Name

Email

Comment

smaller | bigger

Add Comment