Government Technology

CSI Computer Crime and Security Survey Shows Poor Security Awareness Training in Public and Private Sectors



January 8, 2010

It's no secret that security pros worry about cyber-attacks that can happen anytime in a networked world, but apparently, they also worry about how much end-users know about good computer hygiene and their organizations' abilities to assess how secure they are - or aren't.

The Computer Security Institute (CSI), which holds conferences and educational events for IT workers, released the 14th edition of its annual CSI Computer Crime and Security Survey in December 2009, with an assessment of how respondents felt about their own cyber-security situations and what that assessment may mean for 2010. The institute partnered with General Dynamics Advanced Information Systems to glean insight from 443 U.S.-based respondents across the public and private sectors.

The institute asked respondents to rate how satisfied they were with their technologies on a scale of 1 to 5. All technologies fell within the 3.0 to 3.6 range, which isn't bad, but the tools that scored the lowest in that zone were the ones that are supposed to indicate how secure an organization is at any given moment.

"They weren't wildly happy with anything nor, on the other hand, were they wildly unhappy with anything, but it sort of indicates to me that there's an acceptance of the tools we have," said Robert Richardson, CSI's director.

But he also said the respondents don't feel they have a comprehensive tool for monitoring. The tools mentioned in the survey overview included log management, data leak prevention, content monitoring and intrusion detection tools.

"I think, as an industry, we are struggling with measuring and monitoring what's going on," Richardson said. "If you ask me what people are going to be focusing on in 2010, I think one of the things is how to extract meaning from all of the log information or the auditing information that's sitting out there in the enterprise, government agency or wherever."

But respondents also expressed even greater concern over a perceived lack of proper security awareness training for users at endpoints. A whopping 43.4 percent of them said that less than 1 percent of their security budget was allocated to awareness training, and 55 percent said current investments in this area were inadequate.

"I think that's too bad it is that way, but consider that you could cut half of the losses simply by taking care of that problem," Richardson said.

Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well.

The CSI figures also included data on the occurrence of threats in 2009 compared with 2008:

  • 64.3 percent of respondents experienced malware infection, compared to 2008's 50 percent;
  • 29.2 percent experienced denial-of-service attacks, compared to 2008's 21 percent;
  • 17.3 percent experienced password sniffing, compared to 9 percent in 2008;
  • 13.5 percent experienced Web site defacement, compared to 2008's 6 percent; and
  • 7.6 percent experienced instant messaging abuse, down from 21 percent in 2008.

Richardson said governments should pay special attention to security because they're more visible as targets for cyber-attacks. Government agencies constituted more than 13 percent of survey participants, comprising people from federal, local, military and law enforcement jurisdictions.

CSI sent the survey questionnaire to 6,100 CSI members, those who've joined and those who've attended live events and webcasts. Richardson thought the results were telling, but he wondered about the experiences of those who didn't respond.

"There's an enormous amount of discomfort around what happens when you have a really serious incident. There are, relative to the number of organizations in the world or in the United States, few headline-making total disaster breaches, but if it happens to you, it can be devastating," he said, and doubted the pool of the 443 respondents was large enough to capture many serious victims.

"If the company is seriously damaged by that kind of incident, my suspicion is they don't answer the survey," Richardson said.

 

