Source: UK Department of Trade and Industry, Information Security Breaches Survey
Top 10 Actions for the Board of Directors and Management

Make sure your business:
- Creates a security-aware culture by educating staff about security risks and their responsibilities
- Has a clear, up-to-date security policy to facilitate communication with staff and business partners
- Has people responsible for security with the right knowledge of good practice and the latest security threats; consider supplementing their skills with external security experts
- Evaluates return on investment on IT security expenditure
- Builds security requirements into the design of IT systems and outsourcing arrangements
- Keeps technical security defenses (e.g. anti-virus software) up to date in the light of the latest threats
- Has procedures to ensure compliance with data protection and other relevant regulatory requirements
- Has contingency plans for dealing with a serious information breach
- Understands the status of its insurance cover against damage as a result of information security breaches
- Tests compliance with its security policy (e.g. security audits, penetration testing of its web site, etc.)
Most important of all, do not wait for a serious security incident to affect your business before you take action.
Various Sources: Research on Vulnerability Management
Source: Ernst & Young Survey of 91 Fortune 500 Companies
------------------------------------
IT investment priorities, by industry
Consumer Packaged Goods
1. Security
2. Database
3. Application-to-application integration
Automotive
1. Security
2. Database
3. Network management
Semi-complex Manufacturing
1. Security
2. Databases
3. Application-to-application integration
Complex Manufacturing
1. Databases
2. Security
3. Application-to-application integration
Source: AMR Research
------------------------------------
Average hourly losses in the event of a data center outage, by industry
Retail: $1,107,274
Insurance: $1,202,444
Information Technology: $1,344,461
Financial Institutions: $1,495,134
Manufacturing: $1,610,654
Telecommunications: $2,066,245
Energy: $2,817,846
Source: META Group
------------------------------------
Top IT initiatives, health care industry
72% Clinical automation
26% HIPAA
23% eBusiness
21% ROI when building security in at the design stage
15% ROI when building security in after implementation
Source: @Stake
Source: InformationWeek Global Information Security Survey
Companies that experienced a security attack attributed to a misused valid user account or access permission in the last 12 months:
43% Pharmaceutical
29% Health Care
21% Retail
17% Banking
17% Manufacturing
11% Insurance
------------------------------------
Loss of network availability resulting from a security incident last year, by industry:
50% Insurance
37% Banking
34% Healthcare
34% Manufacturing
29% Pharmaceutical
------------------------------------
What were the primary methods of attack or portals used when your company's systems were compromised?
40% Exploited known operating system vulnerability
25% Exploited known application
20% Misused valid user account or permissions
20% Unintended mis-configuration or human error.
18% Exploited poor access control
17% Waged Denial of Service
15% Exploited unknown operating system vulnerability
10% Guessed Passwords
------------------------------------
How did security attacks affect your company?
48% Business applications unavailable, including email
47% Network unavailable
18% Information confidentiality compromised
14% Internal records lost or damaged
Source: Carnegie Mellon Software Engineering Institute; CERT Coordination Center
Year            Count
1988            6
1989            132
1990            252
1991            406
1992            773
1993            1,334
1994            2,340
1995            2,412
1996            2,573
1997            2,134
1998            3,734
1999            9,859
2000            21,756
2001            52,558
Q1 and Q2 2002  43,136 (projects to 86,272!)
Publicly released computer security vulnerabilities more than doubled in the last year, with 1,090 separate holes reported in 2000, and 2,437 reported in 2001.
Source: CSI/FBI Computer Crime and Security Survey
"Although 89% of respondents have firewalls and 60% have IDS, 40% report system penetration from the outside"
"Although 90% of respondents use anti-virus software, 85% of them were hit by viruses, worms, etc"
"As in previous years, the most serious financial losses occurred through theft of proprietary information"
"Forty percent of respondents detected system penetration from the outside"
"38% suffered unauthorized access or misuse on their Web sites within the last 12 months. 21% said that they didn't know if there had been unauthorized access or misuse."
"74% report that Internet is increasingly used as point of attack"
Source: SANS Institute
The 7 Top Management Errors that Lead to Computer Security Vulnerabilities
- Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
- Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.
- Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
- Rely primarily on a firewall.
- Fail to realize how much money their information and organizational reputations are worth.
- Authorize reactive, short-term fixes so problems re-emerge rapidly.
- Pretend the problem will go away if they ignore it.
As determined by the 1,850 computer security experts and managers meeting at the SANS99 and Federal Computer Security Conferences held in Baltimore, May 7-14, 1999.