Cyber Attacks Less Costly, More Common?

Tuesday, February 08, 2011

Bill Gerneglia


Article by Mark Henricks

The average cost of cyber attacks to organizations declined significantly last year, according to a survey, but survey sponsors said the finding might be misleading.

The 2011 CyberSecurity Watch Survey found that annual monetary losses from cyber security events fell to $123,000 per organization in 2011 from $395,000 when the survey was done in 2010.

However, a spokesman for the company that paid for the study said that could be due to organizations reclassifying losses as related to privacy and fraud rather than cyber security.

“Further, this metric alone could be misleading as reported events, sophistication of attacks and external attribution have all increased while the perceived effectiveness of technology-based defenses has decreased,” added Ted DeZabala, national leader of security and privacy services at Deloitte, which sponsored the poll of 600 business and government executives, professionals and consultants.

In a finding that suggests DeZabala may be right about the potential for the cost figures to be misleading, respondents reported significantly more cybersecurity events than the year before.

In the 2011 study, 28 percent said they experienced more cyber attacks. Just 19 percent had no attacks, compared to 40 percent who said they had no attacks in the 2010 study.

Outsiders were most likely to initiate attacks, with 58 percent of events being caused by people who lacked authorized access to network systems and data. Twenty-one percent were caused by insiders including employees and contractors with authorized access. Another 21 percent emanated from unknown sources.

Insider attacks were considered more costly by 33 percent of respondents, compared to 25 percent who felt the same way in 2010. That may be related to the fact that 22 percent of insider attacks used rootkits or hacker tools, the more sophisticated cyber-weapons, compared to 9 percent in 2010.

In a finding identical to last year’s, 70 percent of insider incidents were said to be handled internally without legal action.

Respondents said reputation damage, disruption of critical systems and loss of confidential or proprietary information were sources of costs related to insider incidents. Dawn Cappelli, technical manager of the Insider Threat Center at the CERT program at Carnegie Mellon University, noted that technical defenses against external attackers seeking data such as social security numbers and credit card numbers have improved in recent years.

“It is a much more challenging problem to defend against insiders stealing classified information or trade secrets to which they have authorized access or against technically sophisticated users who want to disrupt operations,” Cappelli said.

The percentage of respondents reporting incidents of accidental exposure of private or sensitive information declined sharply, from 52 percent in 2010 to 31 percent this time. Sixty-five percent said they increased cybersecurity training and use of internal monitoring tools like data loss prevention.

The survey was a cooperative effort of CSO magazine, the U.S. Secret Service, the Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte.

Respondents consisted of subscribers to CSO and visitors to the publication’s website. The survey was conducted by email during August 2010 and covers the period between August 2009 and July 2010.

Cross-posted from CIO Zone
