Report: A Misplaced Sense of Security?

Despite feeling safer now than a year ago, 20 percent of businesses in a network security
survey of 300 IT staffers in companies with more than $30 million in annual
revenues admitted to unauthorized breaches into their company networks.

The survey, conducted by security hardware vendor Britestream Networks and Q&A
Research, reported that 76 percent of the companies surveyed feel safer
than they were last year.

Of the 76 percent who feel safer, 38 percent credit a more effective implementation of
security policies, while 23 percent say additional security investments make their
networks safer.

This seeming paradox underlies the biggest concern among security experts — the fact
that malicious hackers, called crackers , are getting more sophisticated
when it comes to network intrusions. The end goal is to obtain customer information, such as credit
card numbers, Social Security numbers and the like, as well as intellectual property
the company owns.

Mike Salas, Britestream vice president of marketing, said the value on personal
information has been increasing lately, making unauthorized intrusions more tempting
and common.

“The tools they are using are becoming more and more sophisticated, so what we’re seeing
here is something of an arms race where, more often than not, the good side wins a great
majority of the battles but the bad side is still winning its fair share of the battles,” he said.

Some of the other key findings:

• Viruses top the list of IT concerns, at 88 percent.
• Network attacks, though unsuccessful, have increased, according to 62 percent of those
  surveyed. Of the 62 percent, almost half believe the number of attempts has been increasing.
• 67 percent of companies would spend more to secure their networks if they had the funding.

Getting more money to combat network intrusions is increasingly difficult. Despite
the fact that 70 percent of respondents felt their CEOs took security seriously, the average
percentage spent on security improvements was 18 percent. It’s only expected to increase 2
percent next year. The biggest incentive for security investments comes from those public
companies that are governed by regulations (67 percent).

The toughest problem for IT administrators, as Salas sees it from discussions with potential
and existing customers, is showing C-level executives how much of an effect a network
intrusion or DDoS attack would have on the bottom line.

“You need to make a business case for greater expenditure,” he said. “At the end of the day,
what you need is specific data to quantify the costs, risks, the return on investments (ROI);
how do you measure how much caching costs? How do you measure how much an intrusion costs?
What a lot of people surveyed mentioned is that there is real data that’s missing out there.”

What the report doesn’t cover is the financial loss incurred by 20 percent of companies
who reported a network intrusion. The annual “Computer Crime and Security Survey,”
published by the Computer Security Institute (CSI) and the FBI and released in June, actually shows financial
losses have decreased since the previous year, though security remains a tangible threat.

In the survey, 494 companies said they lost $141.5 million because of computer crimes, down from
530 respondents who reported $201.8 million the previous year. DDoS attacks have replaced theft
of intellectual property as the main security threat. Organizations are also successfully using
metrics to evaluate their security decisions: 55 percent use ROI; 28 percent use internal rate of
return (IRR); and 25 percent use net present value.

“Although the CSI/FBI survey clearly shows that cybercrime continues to be a significant threat to
American organizations, our survey respondents appear to be getting real results from their focus on
information security,” the report’s statement read. “Their average dollar losses per year have
dropped in each survey for four straight years.”