IT Must Be More Vigilant About Security, Survey Shows

By Bruce Schneier
InternetWeek
April 16, 2001

Despite huge investments by corporations in computer security infrastructure, an overwhelming majority of companies are finding that their networks are still being compromised. And there's no reason to believe this will change anytime soon.

About 64 percent of companies' systems have been victims of some form of unauthorized access, according to a recent survey by the Computer Security Institute (CSI). While 25 percent said they had no breaches and 11 percent said they didn't know, I'd bet the actual number of companies that have been compromised is much higher.

The results tell an alarming story. The number of incidents was all over the map. While the amount of insider vs. outsider incidents was roughly equal, 70 percent of respondents said Internet connections were a frequent point of attack, a figure that has steadily risen over the past six years.

The types of attack range from telecom fraud to laptop theft to sabotage. Some 40 percent said hackers were able to penetrate their systems, and 36 percent were victims of denial-of-service attacks.

Perhaps most alarming is that 26 percent reported theft of proprietary information, and 12 percent were victims of financial fraud. Moreover, about a fifth reported sabotage, and more than half of those had their Web sites hacked 10 or more times.

Although 90 percent of the Web site hacks were just vandalism, 13 percent resulted in theft of transaction information.

What's troubling is that victims of these attacks all believe they had protected themselves adequately: 95 percent have firewalls, 61 percent intrusion detection systems, 90 percent access controls of some sort and 42 percent digital IDs.

The CSI data is noteworthy because it is the best data we have on security crime.

While some of the figures are alarming, they are not statistically rigorous for several reasons. For one, those responding are typically more knowledgeable than the average system administrator, and the companies they work for are more aware of the threats. Also, the data is based on respondents' best recollections. And the data does not capture the hacks that go unnoticed.

Nevertheless, the CSI data is an important barometer and validates that the industry has a long way to go to make data secure and ensure that consumer data is protected.

To underscore how much these intrusions are costing companies, only 196 respondents would quantify their losses. Those alone totaled $378 million. Those are staggering losses for one year. Suffice it to say, that is just the tip of the iceberg.

But is this a failure of security technology because of IT management complacency? Too many people think that if they buy a firewall or an intrusion detection system their IT infrastructures are magically secure. Too few organizations can afford to hire the expertise they need to deploy proper security. And even of those who do, almost nobody bothers to monitor the security on their networks.

Unfortunately, I don't see this trend reversing anytime soon. The Internet is simply too complex to secure. This doesn't mean we should live in peril. There are no technological solutions to murder, yet most of us spend our lives in relative safety. The difference is that in the real world we rely on processes for security, not on products.

We're starting to see some security processes in the digital world, too. For example, criminal arrests and convictions last year did more for security than any new product.

Hopefully, law enforcement agencies won't back off. The bottom line is that network security is always going to require vigilance. The implementation of products or services alone simply will not cut it.
