CHIEF SECURITY OFFICERS FIGHT e-CRIME
CSO MAGAZINE POLL REVEALS TOP SECURITY CONCERNS FOR BUSINESSES AND NATION.
Framingham, MA—December 18, 2002—
A new poll of nearly 800 chief security officers (CSOs) and senior security executives conducted by IDG’s CSO magazine reveals CSOs are sharing information with law enforcement officials in an attempt to fight cyber-crime. Almost half (45%) already supply customer, employee or business partner data to government or law enforcement agencies.
Furthermore, about a quarter of the respondents say they will provide data on customers (24%), business partners (23%) and employees (37%) without a court order. When faced with an investigation relating to national security, 41% are willing to share information without a court order. Less than half (43%) say they will only release information under court order or subpoena.
“As cyber crime activity and concerns continue to mount, CSOs are becoming more willing to part with information they normally would hold close to the vest,” says Lew McCreary, Editor in Chief of CSO magazine. “An increase in information sharing between corporate America and law enforcement could help the nation secure its critical infrastructure, but it also raises concerns about privacy. If standards loosen on what businesses do with customer information, how will customers protect themselves from mistakes and possible abuses? Lawsuits are sure to arise in this area.”
In addition to sharing data with law enforcement, more than half of CSOs monitor e-crimes (52%) and report cyber crimes (56%). Interestingly, CSOs are mixed on their reasons for reporting crimes. Thirty-nine percent (39%) would report cyber crimes to deter criminals from committing cybercrimes in the future, while 21% aim to prosecute individuals. Only 6% would report cyber crimes because of faith in law enforcement’s ability to track and crack crime.
The second CSO Magazine Security Sensor™ also captures the top cyber security concerns among CSOs for their business and the nation at large. Forty-five percent (45%) of CSOs report the number one cyber security concern for their organization is disruption or denial of service (such as by virus, internal or external threat), followed by employee misuse of technology resources (28%) and privacy (21%). For the nation, 37% of CSOs cite economic consequences as the #1 cyber security concern, followed closely by national security (36%) and privacy (24%).
Consistent with August findings of the first CSO Magazine Security Sensor™, respondents continue to worry about cyberattacks by Al Qaeda and infractions by current employees:
Fifty-one percent (51%) anticipate a major cyber attack by a terrorist organization (i.e., Al Qaeda) will happen within the next 3 months to one year, up slightly from 49% in August.
Fifty-six percent (56%) say current employees pose the greatest threat to their company’s technology infrastructure (up slightly from 53% in August), followed by external persons not employed by their organization (30%), and former employees (8%).
Fifty-three percent (53%) believe electronic attacks (such as viruses) pose the biggest concern to their company, down slightly from 59% in the August poll.
Other key CSO Magazine Security Sensor™ findings:
CSOs say security employees (80%) and IT employees (62%) are most compliant when it comes to following security compliance measures. Lagging significantly behind security and IT personnel are management (37%), outside contractors, partners and vendors (30%) and all other employees (21%).
“Ironically, managers are notoriously the worst offenders of security procedures,” says McCreary. “These findings underscore the need for greater compliance and example-setting in the executive suite. And we also wonder about that non-compliant 20% within the security function itself. Never mind that they lead the pack. If one-fifth of security professionals violate policies, that undercuts security’s credibility with the rest of the enterprise.”
In other workplace news, one quarter (26%) of respondents say they’d hire a professional hacker for threat assessments or competitive snooping.
Complete Findings:
1.) Under which of the following circumstances would you or your organization provide customer, employee, or partner data to government or law enforcement agencies without a court order (i.e., without a search warrant or a subpoena): (Check all that apply.)
24% Criminal investigation of a customer
37% Criminal investigation of an employee
23% Criminal investigation of a partner organization
41% Investigation relating to national security
9% Personal request from a trusted law enforcement individual
43% Only under court order (i.e., with a search warrant or a subpoena)
19% Unsure
2.) Have you or your organization supplied customer, employee, or business partner data to government or law enforcement agencies?
45% Yes
33% No
23% Unsure
3.) Regarding cyber crime, does your company: (Check all that apply.)
78% Monitor attempts
52% Monitor crimes
56% Report crimes
22% Have insurance covering losses caused by cyber crime
9% None of these
8% Unsure about all of these
4.) What is the #1 reason why you report cyber crimes?
39% To deter others from committing future cybercrimes
21% Prosecution of individuals
8% Retrieval of stolen property or data
6% Not answered
6% Faith in law enforcement’s ability to track and crack crime
12% Other
8% Unsure
5.) Does your organization quantify the financial cost of cyber crimes?
13% Yes
73% No
15% Unsure
6.) What is the #1 cyber security concern for your organization?
45% Disruption or denial of service (such as by virus, internal or external threat)
28% Employee misuse of IT resources
21% Privacy
4% Other
2% Unsure
7.) What do you believe is the #1 cyber security concern for the nation?
37% Economic
36% National security
24% Privacy
1% Other
2% Unsure
8.) When do you anticipate a major cyber attack by a terrorist organization (e.g., Al Qaeda) will happen?
10% Within next three months
13% Within 3 to 6 months
28% Within 6 months to 1 year
11% More than 1 year
9% Never
28% Unsure
9.) Which of the following poses the greatest threat to your company’s technology infrastructure?
56% Current employees
8% Former employees
30% External persons not employed by your organization
6% Unsure
10.) In general, what kinds of attacks pose the biggest concern for your company?
12% Physical attacks (such as theft of property, etc.)
52% Electronic attacks (such as unauthorized access, virus, etc.)
3% Electronic attacks with physical consequences
33% Same level of concern for both physical and electronic attacks
1% Unsure
11.) How prepared is each of the following entities to respond to and recover from a cyber attack today as compared to September 11, 2001? (Please use a scale of 1 to 5 where 1 is the least prepared and 5 is the most prepared):
a) U.S. Federal Government:
3% 1 – Much less prepared
3% 2 – Slightly less prepared
21% 3 – Same level of preparedness
52% 4 – Slightly more prepared
17% 5 – Much more prepared
4% Unsure
b) U.S. State & Local Government:
4% 1 – Much less prepared
7% 2 – Slightly less prepared
38% 3 – Same level of preparedness
38% 4 – Slightly more prepared
6% 5 – Much more prepared
6% Unsure
c) U.S. businesses:
3% 1 – Much less prepared
5% 2 – Slightly less prepared
33% 3 – Same level of preparedness
45% 4 – Slightly more prepared
10% 5 – Much more prepared
5% Unsure
d) Your company:
2% 1 – Much less prepared
3% 2 – Slightly less prepared
27% 3 – Same level of preparedness
44% 4 – Slightly more prepared
22% 5 – Much more prepared
1% Unsure
12.) Please rate the level of compliance with your organization’s security policies for the following employee groups using a scale of 1 to 5 where 1 is “not at all compliant” and 5 is “extremely compliant”:
a) Management:
2% Not at all compliant
17% Not very compliant
43% Somewhat compliant
29% Very compliant
8% Extremely compliant
2% Unsure
b) Information Technology (IT) Staff:
1% Not at all compliant
9% Not very compliant
27% Somewhat compliant
43% Very compliant
19% Extremely compliant
2% Unsure
c) Security Staff:
0% Not at all compliant
3% Not very compliant
14% Somewhat compliant
39% Very compliant
41% Extremely compliant
2% Unsure
d) All other employees:
2% Not at all compliant
22% Not very compliant
54% Somewhat compliant
19% Very compliant
2% Extremely compliant
1% Unsure
e) Outside contractors, partners, vendors:
4% Not at all compliant
19% Not very compliant
41% Somewhat compliant
25% Very compliant
5% Extremely compliant
7% Unsure
13.) Would you hire a professional hacker (for threat assessments, competitive snooping, or any other reason)?
26% Yes
60% No
14% Unsure
14.) What are your organization’s top security management priorities for 2003? (Check all that apply.)
72% Training and educating employees about security policies and procedures
68% Assuring business continuity, business resiliency, and disaster recovery
65% Enforcing security policy
61% Assessing risks
60% Reducing risks
53% Aligning security strategy with business goals
48% Putting security policies in place
32% Fostering realistic executive expectations for security success
31% Securing the physical workplace/enhancing employee safety
27% Increasing security spending/budgets
23% Measuring return on security investment
5% Other
2% Unsure
15.) What benefits has your organization obtained from your security investments to date? (Check all that apply.)
75% Fewer security incidents/breaches
47% Reduced financial loss due to security incidents/breaches
29% Increased customer satisfaction
24% Better able to pursue new business opportunities
11% Lower insurance premiums on business policies
10% Increased revenue
9% Increased customer base
7% Increased market share
13% Other
9% Unsure
*Note: Percentages may not add up to 100% due to rounding.
Sample size: 797
Margin of error: +/- 3.5%
Methodology:
CSO magazine emailed an invitation and link for the online survey to 8500 pre-qualified CSO subscribers – individuals who match the qualification criteria of management title and security-related purchase involvement for their organizations. This survey launched on November 25, 2002 and closed two weeks later on December 9, 2002 with a response rate of 797 or 9%. Eighty percent (80%) of the respondents are in organizations with 500+ employees.
CSO magazine is published by CXO Media Inc. CXO Media serves CIOs, CEOs, CFOs, COOs and other corporate officers who use technology to thrive and prosper in this new era of business. In addition to publishing CSO, CXO Media produces CIO Magazine, www.cio.com, The CIO Insider, www.darwinmag.com and Executive Programs, a series of conferences that provide educational and networking opportunities for corporate and government leaders.
CXO Media Inc. is a subsidiary of IDG, the world’s leading IT media, research and exposition company. IDG publishes more than 300 computer magazines and newspapers and 4,000 book titles and offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), which comprises more than 270 targeted websites in 70 countries. IDG is also a leading producer of 168 computer-related expositions worldwide and provides IT market analysis through 50 offices in 43 countries worldwide. Company information is available at www.idg.com.
CREDITS:
http://www.csoonline.com