Content

Security Devices Don’t Always Save Companies from Hackers

On May 29, 2003, the Computer Security Institute (CSI) and the FBI published the results of their most recent Computer Crime and Security Survey, now in its eighth year.

Some of the trends are encouraging, while others raise questions about the state of e-security and the progress made over the last several years.

One of the most encouraging statistics is the decrease in reported total annual losses due to some form of unauthorized computer use. The losses reported in the 2003 survey were $201.8 million - down 56 percent from last year's $455 million. However, in the survey analysis, the CSI and FBI state: "Despite the lower number for aggregate financial losses among survey respondents, the most important conclusion one must draw from the survey remains that the risk of cyberattacks continues to be high."

Even companies that employ a variety of security measures can be the victims of cybercrime. Fifty-six percent of respondents reported unauthorized computer use - a number that is in line with surveys from recent years. But why has the number stayed the same? If security technology is getting better every day, and if more companies are employing the improved technology, why aren't these incidents decreasing dramatically?

Why do cyberincidents continue?

There are several answers to that question:

  • Hacker methods constantly evolve and get more sophisticated.
  • New vulnerabilities are discovered almost daily, opening the door for cybercriminals to attack.
  • Most companies aren't staffed at levels necessary to keep up with all the patches required to secure their networks. (Even huge enterprises like Microsoft can't keep up.)
  • Infrastructures of large companies are extremely complex, providing greater opportunity for misconfiguration - the more doorways that exist, the more places for a hacker to attempt a break-in.
  • Insider abuse of network access remains one of the hardest problems to solve - 80 percent of this year's respondents reported incidents caused from inside the company.
  • There is a shortage of trained, qualified experts to manage the company's security.

The CSI/FBI survey showed that many companies are taking extraordinary measures to prevent malicious damage to their intellectual property. Of the respondents, 11 percent use biometric security, 83 percent use encrypted logins, 72 percent use digital IDs or certificates, and 87 percent said they used file encryption. But even with these sophisticated technologies in place, incidents happen and damage is done.

Most alarming to the security professional is the number of people who don't know what's going on in their networks. According to the survey, "Fifteen percent of respondents say they don't know whether there was any unauthorized use of their computer systems last year." For some, competing priorities and the lack of a good visibility mechanism keep them in the dark where their information security is concerned.

Fighting back

So, where does one turn for help? Many are looking to outsourced security companies to provide 24x7 expertise and support to keep their companies secure. These managed security solutions providers (MSSPs) cover the entire scope of security, including planning (assessing needs, writing security policy), implementation (installing firewalls, intrusion detection systems and other devices) and management (monitoring and managing the installed security devices).

The trend toward MSSPs seems like a natural progression for several reasons:

  • Tough economic times have made corporate budgets extremely tight; hiring a full-time staff of security experts is cost-prohibitive for most.
  • The amount of log data from the new security devices is immense, and in order for it to be useful, it must be analyzed. Who has the time?
  • Increasing regulations in different industries. (For example, the U.S.'s HIPAA in healthcare, Gramm-Leach-Bliley Act in financial services, and other local and national regulations.)
  • Security is not the companies' core business; focusing on security takes employees and managers away from mission-critical tasks.
  • Round-the-clock protection is absolutely necessary.

By definition, MSSPs address each of these challenges - some through advanced technology, but all through a staff of trained security experts who watch over their customers' networks day and night.

The CSI/FBI survey data proves that security is not a passing trend. Increasing attacks and the threat of serious damage to a company's bottom line and reputation are very real. Fortunately, not all the news is bad. While hackers continue to get more creative and sophisticated, so do the good guys. More and more wise leaders are turning to MSSPs to help them stay a step ahead in the race for network security.

John Wilson is vice president and general manager, Ubizen North America (www.ubizen.com). The CSI/FBI survey is available for free download from the Computer Security Institute's web site (www.gocsi.com).

John Wilson

John Wilson has been combating email-based fraud since 2006, when he developed an authentication-based anti-phishing solution as CTO of Brandmail Solutions. John continued his mission to rid the world of email fraud at Agari. As part of their threat intelligence team, John assisted Microsoft and the FS-ISAC with the B54 Citadel botnet takedown by providing data related to Citadel botnet infections and by acting as a declarant in the civil forfeiture action filed in US District Court.

John joined Fortra through the acquisition of Agari in June 2021. In his current role at Fortra, he continues to research email scams and conduct experiments in “active defense”. In early 2023, John again worked with Microsoft, this time on a takedown effort aimed at curbing the illegal use of Fortra’s Cobalt Strike adversary simulation solution.

John holds a B.S. in Computer Science and Engineering from MIT. He has spoken at a variety of security conferences including RSA, FS-ISAC, Aviation ISAC, NCFTA Disruption, and the Microsoft Digital Crimes Consortium.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]
It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds