SAN FRANCISCO About half, or 54 percent, of the business, government and institutional organizations questioned in an annual computer security survey had formal data retention and destruction policies. Another 41 percent said they were developing such policies or working with informal guidelines.
Those were among the findings of the San Francisco-based Computer Security Institute's "13th Annual Computer Crime and Security Survey," which this year drew responses from 522 information systems protection practitioners for some, if not all, questions. They surfaced as some of the companies caught up in recent publicized data breaches are beginning to discover the true cost — in terms of litigation, card issuer fines and loss of reputation — of past data management practices that left them vulnerable to hackers.
In this year's survey, 43 percent of 517 respondents answered affirmatively when asked if their group had suffered a computer security problem, compared to 46 percent of 487 respondents in 2007. At the same time, 13 percent of this year's respondents said they didn't know if their systems had been breached, compared to 10 percent a year earlier.
Also turned up this year: Among the dwindling number of respondents willing to share such information, the average financial loss tied to information systems breaches, incidents of vandalism and theft decreased from $345,000 among 198 respondents in 2007 to $289,000, reported by 144 people this year.
The survey by CSI, whose 2008 respondent mix included a small number of retailer representatives, tends to attract participation from larger government, educational and financial services entities.
According to respondents who shared such information, the most costly kind of computer crime was financial fraud, with an average reported cost of $463,100, followed by the expenses entailed in dealing with remotely programmed "bot" computers within a network, which averaged $345,600. On average, handling the loss of proprietary information or customer or employee confidential data ranged from $241,000 to $268,000, they indicated.
Computer viruses were the most common problem, occurring at 49 percent of the respondents' organizations; insider abuse of networks was the second most frequently cited crime, reported by 44 percent. Robert Richardson, CSI director and author of the report on survey findings, noted that third on the list, cited by 42 percent of respondents, was theft of laptop computers and other mobile devices.
Richardson concluded in his report that a distinction should be made between "developing threats and actual successful attacks." He said he believes that there is "cause for great concern regarding the sorts of attacks that become possible as we move to a more service oriented Web," and added, "but these are not threats that have seen widespread use — not yet, at least not among those responding to this survey."
The CSI survey covers a wide range of topics, including the percentage of respondents taking out cyber crime insurance policies; the prevalence of use of a large assortment of computer security hardware and software; and computer security expenditures, as a percentage of information technology budgets. The 2008 survey's 29 pages of findings are available for free at CSI's website, www.gocsi.com.