According to CA and The Strategic Council, survey data compiled between January and May 2006 reveals that security breaches of businesses are rising. Some 642 large North American organizations with cumulative revenues of approximately $1.4 billion were surveyed. The results showed that more than 84 percent of North American enterprises have suffered breaches, and that breaches rose by 17 percent over the past three years.
These results illustrate an increase in the number of security breaches. However, the increase in breaches is due as much to more diligent incident reporting as to a rise in the raw number of breaches. Recently, a number of states followed California’s lead in passing legislation mandating that companies disclose when personal data has been lost or stolen. Additionally, Congress is considering HR3997, which requires that “any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data notify each individual who is a citizen or resident of the United States.” In the past, many companies likely would have covered up a security breach out of fear of public embarrassment, damaged reputations, and/or loss of consumer confidence.
Although companies are now reporting these breaches more often because they are legally mandated to do so, security breaches are also more frequent and more targeted because the economic incentive to commit cyber crime remains stronger than ever. “The criminals responsible are obviously making money from their code, otherwise they would give up the game,” said Graham Cluley, senior technology consultant at software security vendor Sophos. Additionally, according to Craig Morford, the first assistant US Attorney for the Northern District of Ohio, cyber criminals are becoming more organized, stronger, and more focused. “We’re seeing the growth of a large number of criminal entities targeting US organizations for cyber-crimes, and it’s sort of like the atmosphere around organized crime here in the US in the 1950s as it seems that we’re only just scratching the surface of this type of activity,” he said.
The available data supports the claim that cyber crime is both more frequent and more targeted. According to Sophos, over 80 percent of the new threats identified during the first six months of 2006 were Trojans. Trojans are usually targeted at particular groups of organizations and people to increase the likelihood of infection and the subsequent theft of valuable information. Another security vendor, MessageLabs, also observed an increase in the number of targeted Trojan attacks. Specifically, MessageLabs found at least one Trojan attack per day in mid-2006, compared with one or two per week during the same period in 2005.
As a result, companies must consider implementing information security policies designed to protect sensitive data. According to Gartner, protecting sensitive data is considerably less expensive than the cost incurred by a security breach. “A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined,” said analyst Avivah Litan. Therefore, given the impending regulatory environment of required security breach reporting combined with the rise in targeted attacks, companies appear to face a choice between paying a little now or paying much more later.