The Fifth Annual Global State of Information Security
Five years ago, when CIO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.
Likely Sources of Incidents
Recognition of the insider threat is a sign that awareness is increasing, largely due to the controls that have been put in place over the past five years.
| Who attacked us? | |||
|---|---|---|---|
| 2006 | 2007 | 2007 Security Executives Only | |
| Employee/former employee | 51% | 69% | 84% |
| Hacker | 54% | 41% | 40% |
Have employees suddenly turned more malicious? Are inside jobs suddenly more fashionable and productive than they used to be? Probably not. Most security experts will tell you that the insider threat is relatively constant and is usually bigger than its victims suspect. None of us wants to think we've hired an untrustworthy person.
This spike in assigning the blame for breaches and attacks to employees is probably more like the dip in companies that report zero incidents—a reflection of awareness, of managers' ability to recognize what was always there but what they couldn't previously determine.
"What's happening is we're doing a better job with logging and understanding situations," says Ron Woerner, former information security manager at ConAgra Foods, now security engineering consultant at TD Ameritrade. "For a while, I think, ignorance was bliss. Now, with all the technology in place, we're learning that we all have the same problems."
Here's how building a security infrastructure can lead to more employees named as culprits in security incidents: A CISO is hired. He has the tools to investigate internal network anomalies and the authority to ask business unit leaders to provide him with information for an investigation. His deployment of user-monitoring tools helps him identify insider threats. Then he centralizes security information management software that automatically detects anomalous network behavior. Then maybe he adds a periodic risk assessment process (another trend on the rise, according to the survey), and suddenly his office is finding previously unknown vulnerabilities being exploited. Perhaps he adds an anonymous e-mail/hotline function for whistle-blowers. With all of this and more in place, a company has increased its odds of detecting security incidents.
But here's an odd paradox: Despite the massive buildup of people, process and technology during the past five years, and fewer people reporting zero incidents, 40 percent of respondents didn't know how many incidents they've suffered, up from 29 percent last year.
The rate of "Don't know" for the type of incident and the primary method used to attack also spiked.
What You Don't Know...Could Fill Volumes
I Dunno
Increasingly, those involved in information security reply "Don't know" when asked about the number and nature of security incidents.
| 2006 | 2007 | 2007 CSO/CISO | |
|---|---|---|---|
| Number of incidents | 29% | 40% | 29% |
| Type of attack | 26% | 45% | 32% |
| Primary method used | 26% | 33% | 20% |
It doesn't bode well that after years of buying and installing systems and processes to improve security, close to half of the respondents didn't have a clue as to what was going on in their own enterprises. But when close to a third of CSOs and CISOs, who presumably should have the most insight into security incidents, said they don't know how many incidents they've suffered or how these incidents occurred, that's even worse.
$firstKeyword
Receive the latest security news as it breaks.
