Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Sep 18, 2007

CSI's 12th Annual Computer Crime and Security Survey

One of many graphs in the survey report
The latest Computer Crime and Security Survey from America's CSI (Computer Security Institute - not the TV show) is a handy source of statistics to consider and perhaps spice up your security awareness materials. The survey is well respected, being vendor independent, having just under 500 responses and being consistently designed from year to year.

Key findings:
- Since last year, the estimated average loss has nearly doubled to $350k per organization per annum
- Nearly 1 in 5 respondents who suffered security incidents said they’d suffered a "targeted attack" i.e. a malware attack aimed exclusively at them or similar organizations
- Financial fraud caused the greatest financial losses
- Insider abuse was the most prevalent security problem
- Just under half of respondents said they had suffered security incidents, similar to but slightly less than the past 2 years
- 29% of organizations report security incidents to law enforcement

Being a security awareness specialist, the following caught my beady eye:
"Almost half—48 percent—spend less than 1 percent of their security dollars on awareness programs. While this may be the case simply because some forms of awareness training (such as putting reminders on corporate intranet sites) aren’t expensive, one is tempted to conclude that while the industry talks a good game about teaching users how to be good stewards of company network resources, they don’t yet put real dollars behind the proposition."


~Half spend less than 1% of their security budgets on awareness! Golly! Given that security budgets are around 10% of IT budgets, there must be a lot of managers out there that are so frugal on security awareness that they 'squeak when they walk'. Our very own security awareness products typically cost about the same as a single cup of coffee per employee per annum, barely enough to merit a budget line item. Cost is surely not the issue: many organizations evidently don't appreciate the potential business benefits of a well-run security awareness program. Perhaps they think employees will just 'be secure' without any guidance? Flying pigs optional. Security incidents averaging $350k p.a. are (at least partly) the inevitable result of such wishful thinking.