Dashboard: Bucking the Hype, IT Security Losses Decline

Given a general security climate in which vulnerability is climbing and reports of computer crime get more alarming, we have to wonder how it can be that respondents to security surveys keep reporting lower numbers.

The Computer Security Institute released its eleventh annual CSI/FBI Computer Crime and Security Survey in July and respondents said they'd lost less money due to security-related incidents than in the previous year. The average loss per responding company was down nearly 18 percent to $167,713, versus $203,606 in the 2005 survey.

Virus attacks continue to be the biggest source of financial losses, followed by unauthorized access, laptop and mobile hardware theft, and theft of proprietary information (see chart). These top-four categories account for more than 74 percent of all security-related financial losses, according to the study. The 616 U.S.-based CSI member companies responding to this year's survey leaned toward larger organizations, with 51 percent having more than 1,500 employees and 57 percent reporting more than $100 million in revenue.

This is the fifth straight year that average losses have fallen, and the drops have been nothing short of startling in recent years. Given a general security climate in which vulnerability is climbing and reports of computer crime get more and more alarming, one has to wonder how it can be that respondents keep reporting lower and lower numbers.

Gartner, in fact, sent its clients a "First Take" analysis of the survey that focuses on the average loss number and took the position "that security administrators should view the findings of all such surveys with extreme skepticism."

Three weeks later, though, Gartner told attendees of the Gartner IT Security Summit in Sydney, Australia, that companies with mature IT security practices could safely reduce their security budgets to between 3 percent and 4 percent of their overall IT budgets. That advice dovetails with the 53 percent of survey respondents who said their security budgets were 5 percent or less of the overall IT budget.

Just what are those security budgets buying? Consistent with last year's study, firewall technologies and antivirus software topped the list, with 98 percent and 97 percent of respondents, respectively, investing in these options. Anti-spyware software, which was added as a category in this year's study, took the No. 3 spot, used by 79 percent of respondents. Although biometrics ranked 17th in the survey, used by 20 percent of respondents, the one-third increased in reported use over last year's survey is notable.

Asked about crime committed by insiders versus outsiders, the former came out looking less threatening, as nearly one third (32 percent) of respondents said they believe insiders account for none of their organization's cyber losses.

The CSI/BFI Computer Crime and Security Survey can be freely downloaded from the Computer Security Institute's Web site at --Robert Richardson

Federal Paperwork Reduction

Despite the Federal Government Paperwork Reduction Act, Americans spent an additional 441 million hours filling out Federal paperwork in 2005, up 5.5 percent over the previous year to reach 8.4 billion hours, according to the Office of Management and Budget. Ironically, 116 million hours were lost to the Can-Spam Act, which was intended to increase productivity.
Video Analytics for Airports

Big Brother may be watching you at the airport. In a $30 million pilot program run by the Department of Homeland Security, analytics are being tested to scrutinize streaming video from selected airport surveillance cameras. The software is intended to detect suspicious activity and alert security personnel. Some observers object to the potential for civil liberties violations.
E-Mail Growth

Despite assertions that it's being displaced by text messaging, e-mail messaging is thriving, according to a study by the Radicati Group. As a result, the e-mail archiving market is expected to grow from $800 million in 2006 to nearly $7.8 billion in 2010. The installed base of wireless e-mail access device users is expected to grow from 14 million in 2006 to 228 million in 2010.

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing