Only 8.7% of respondents to the CSI survey of 351 US security practitioners experienced a computer-based financial fraud incident, the lowest percentage since the 2005 survey.
CSI Director Robert Richardson attributed the drop in financial fraud to better security controls. “Security pundits are reluctant to say so out loud, but the truth is that some of the things security folks do actually work”, he told Infosecurity.
There was a slight rise in the number of respondents reporting malware infections, 67% saying that they had experienced a malware infection, compared with 64% in 2009.
This year, the respondents were reluctant to share information about losses from computer crime. As a result, the 2010 report does not include specific dollar figures concerning average losses per respondent.
Richardson said that some of the reluctance to share dollar figures was “due to fear” that the information would result in negative publicity for the organization. “Just as much a factor, though, is that organizations often don’t really have a good handle on what a given incident costs them. How organizations should account for cyber losses is still a completely open question”, he added.
More than half of the respondents said their organizations surveyed were not using cloud computing. Richardson said that, while security concerns might be part of the reason why more organizations are not using cloud computing, “there’s a lot more hype around cloud than actual deployment.”
The CSI director said that he expects that “there will be cloud computing just about everywhere, but we’re probably several years away from that. Meanwhile, there are lots of smaller-scale deployments aimed at getting a feel for what will and won’t work.”
Richardson warned that a “tremendous amount of computer crime occurs because the basic homework hasn’t been done.”
“But beyond things like getting everyone to use decent passwords, organizations that get a good handle on managing their log files have a better-than-average chance of detecting security incidents before disasters occur. There’s almost always an early warning that an attack is underway in an organization’s various network log files, but it almost always goes unseen until after the disaster when the forensics experts are trying to figure out what happened”, he noted.