Once again, it’s a good news and bad news story for information security in Canada and the U.S.
The bad news is virus attacks are the leading cause of financial loss for business, accounting for 74 per cent of cybercrime losses.
The good news is that the average loss per respondent has dropped to $167,713 from last year's average of $203,606.
That is one of the main findings of the 2006 CSI/FBI Computer Crime and Security Survey, the 11th annual edition, based on responses from 616 U.S.-based information security professionals.
Most companies have automated anti-virus technology in place to detect and block known "signatures", the sequences of bytes that identify a particular, already-analyzed virus, says Robert Richardson, editorial director at the Computer Security Institute (CSI) in San Francisco.
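As an added illustration that is not part of the article or of the survey, the following Python scanner shows what "a sequence of bytes that identifies a virus" means in practice. The signature names, byte patterns and sample files are constructed for the example and do not describe real malware. It also demonstrates two limits a practitioner should know: a file whose bytes differ from a known signature by a single character is not detected at all, which is why a stream of new malware keeps slipping past signature-only protection, and a scanner that reads large files in chunks must carry the tail of each chunk into the next read or it will miss a signature that straddles a chunk boundary.

```python
import io
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Signature:
    """A known-malware signature: a byte sequence, optionally pinned to a file offset."""
    name: str
    pattern: bytes
    offset: Optional[int] = None  # None: match anywhere; int: must start exactly here


# Constructed signatures for this example only; they do not describe real malware.
SIGNATURES: List[Signature] = [
    # Hypothetical loader stub that must sit at the very start of the file.
    Signature("Demo.Worm.A", b"\x4d\x5a\x90\x00WORM-A-LOADER", offset=0),
    # Hypothetical auto-run macro fragment that may appear anywhere in the file.
    Signature("Demo.Macro.B", b"Sub AutoOpen()\r\nShell ", offset=None),
]


def _matches(sig: Signature, window: bytes, window_start: int) -> bool:
    """True if `sig` occurs in `window`, which begins at absolute file offset `window_start`."""
    if sig.offset is None:
        return sig.pattern in window
    rel = sig.offset - window_start
    return rel >= 0 and window[rel:rel + len(sig.pattern)] == sig.pattern


def scan_bytes(data: bytes, signatures: Iterable[Signature] = SIGNATURES) -> List[str]:
    """Scan an in-memory file and return the names of all signatures found, sorted."""
    return sorted(sig.name for sig in signatures if _matches(sig, data, 0))


def scan_stream(stream, signatures: Iterable[Signature] = SIGNATURES,
                chunk_size: int = 4096) -> List[str]:
    """Scan a file-like object in fixed-size chunks.

    A pattern may straddle two reads, so the last (longest pattern - 1) bytes of
    each window are carried into the next one. Without that overlap a scanner
    silently misses any signature that happens to cross a chunk boundary.
    """
    sigs = list(signatures)
    overlap = max(len(s.pattern) for s in sigs) - 1
    hits = set()
    carry = b""
    window_start = 0  # absolute file offset of the first byte of `window`
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = carry + chunk
        for sig in sigs:
            if sig.name not in hits and _matches(sig, window, window_start):
                hits.add(sig.name)
        if len(window) > overlap:
            carry = window[-overlap:] if overlap else b""
            window_start += len(window) - len(carry)
        else:
            carry = window  # window still shorter than the overlap; keep all of it
    return sorted(hits)


def scan_chunked(data: bytes, chunk_size: int = 4096) -> List[str]:
    """Convenience wrapper: chunked scan over an in-memory file."""
    return scan_stream(io.BytesIO(data), chunk_size=chunk_size)


# Constructed sample files (not real malware).
SAMPLE_INFECTED = b"\x4d\x5a\x90\x00WORM-A-LOADER" + b"\x00" * 32
SAMPLE_VARIANT = SAMPLE_INFECTED.replace(b"LOADER", b"L0ADER")  # one byte differs: undetected
SAMPLE_CLEAN = b"\x4d\x5a\x90\x00" + b"\x00" * 40 + b"Hello"
SAMPLE_MACRO = (b'Attribute VB_Name = "Module1"\r\n'
                b'Sub AutoOpen()\r\nShell "cmd.exe"\r\nEnd Sub\r\n')

if __name__ == "__main__":
    for label, sample in [("infected", SAMPLE_INFECTED), ("variant", SAMPLE_VARIANT),
                          ("clean", SAMPLE_CLEAN), ("macro", SAMPLE_MACRO)]:
        print(f"{label:9s} whole-file: {scan_bytes(sample)}  "
              f"chunked(7): {scan_chunked(sample, 7)}")
```

The 7-byte chunk size in the usage run is deliberately tiny so that every sample's signature crosses at least one read boundary; a real scanner would read far larger blocks but needs exactly the same carry-over logic.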
And while Canadian companies also tend to have such fundamental information security technology in place, they lag their U.S. counterparts in deploying more advanced controls such as intrusion detection systems (IDS), encryption and multi-factor authentication, says James Quin, a senior research analyst at the Info-Tech Research Group based in London, Ont.
The fact that average losses are dropping is an encouraging sign that the measures information security professionals are taking to prevent or contain threats are actually working to some degree, says Richardson.
But information security professionals have difficulty keeping up with an increasingly mobile workforce and ensuring that anti-virus signatures on every machine are kept up to date. So although there have not been any outbreaks in the past year on the scale of the Love Bug or MyDoom of earlier years, viruses continue to be a major headache.
“This isn’t sexy stuff. The old viruses that are out there are well understood, but there are many improperly protected systems,” says Richardson.
But he points out there is always an ongoing stream of new malware being created that makes security professionals, who are paid to be paranoid, even more so.
One example of malware that might be called "sexy" is a new extortion virus, once thought to be only theoretically possible, which has recently materialized. Called ransomware, it encrypts the files on an end-user's PC, then displays a message demanding payment, via a Web site hosted somewhere hard to police such as Belarus, in exchange for decrypting them.
While this type of malware is still very rare and not particularly sophisticated, it is an example of the kinds of threats on the horizon, says Richardson. "There are some very ugly looking threats out there that haven't been realized," he says. Targeted threats, for example, are far more worrisome.
“What will be much harder to deal with is if someone with real chops writes malware that only targets the specific names of C-level officers of a major corporation,” he says, adding that this type of attack is unlikely to show up in the usual metrics used to detect outbreaks of malware on corporate networks. “Odds are good these guys will get in, clean house and leave before anyone even knows what’s happened. We see clear signs that more of these targeted attacks are happening.”
Another survey finding is that the percentage of organizations reporting computer intrusions to law enforcement has reversed its multi-year decline, standing at 25 per cent compared with 20 per cent in the previous two years.
Richardson attributes this increase to the salutary effects of the California Security Breach Information Act (SB-1386), in force since 2003, which compels companies to notify customers who may be affected by a data security breach. About half of the U.S. states have followed California's lead in enacting or considering similar legislation. "There's more of a climate where companies feel like they had better get in front of these issues and report them," he says.
While this may be good news for American customers, the news is not so good for Canadian customers. Quin points out that even fewer breaches are reported to authorities in Canada, and companies only do so when an incident is picked up by the media. But he adds this is likely only a temporary reprieve for Canadian companies. “Canadian business is so intimately tied to U.S. business that once it is prevalent there, our companies will have to follow suit if they want to participate in the U.S. market,” says Quin.
In open-ended comments, survey respondents named regulatory compliance related to information security as one of the most critical security issues they face. But the experts disagreed on whether compliance with the Sarbanes-Oxley Act (SOX), or Canada's equivalent, Bill 198, means a company's overall information security is good.
Richardson says this is a dangerous fallacy. “Some organizations confuse being compliant with being secure. Complying with SOX is not the same as considering and mitigating security risks. They are adjacent but different concerns.”
Quin agrees, saying it is possible to comply with SOX without having good IT security in place. “I certainly wouldn’t recommend that, but a lot of the controls that need to be put in place aren’t necessarily around IT security per se but rather relate to processes and the way data is accessed.”
But Lawrence A. Gordon, an economics professor at the University of Maryland and a member of the academic team that reviewed the survey, disagrees with these positions.
Gordon says the need for better security is implied in SOX. “In my opinion, you can’t have a good financial system unless you have good security,” he says. Companies may get away with complying with the letter of the law without beefing up their security in the short term, but not the long, he says.
Gordon is conducting other research in this area and says he’s seeing evidence of more transparency. “The bottom line is, since the passage of SOX, we’ve seen an increase in the voluntary disclosures organizations are making about their information security activities to investors and the public.”