As security breaches rise, CIOs and CISOs aren't as good as they think they are at protecting corporate assets.

CIOs and IT security teams generally aren’t keeping up with technology attacks from around the world, which are growing in number and severity. Figuring out how to manage trouble directed at cloud computing and consumer technologies, in particular, vexes corporate IT groups, according to the 11th annual Global Information Security Survey magazines.

Overall, organizations are spending more on IT security, with an average budget of $4.3 million this year compared to $2.8 million last year. But computer criminals keep coming. The number of attacks the average organization detected in the past year increased 25 percent to 3,741, up from 2,989 last year, according to the survey of more than 9,600 C-level executives, vice presidents and directors worldwide. The average loss per incident climbed, too–by 18 percent. And large-scale losses grew even faster: Incidents costing more than $10 million are up 51 percent from two years ago.

“The bad guys basically go where they want to go and do what they want to do, and they’re not being stopped,” says Eric Cowperthwaite, former CISO of Providence Health and Services.

Yet top executives are quite confident in their security efforts, the survey finds, with 84 percent of CEOs and 82 percent of CIOs saying their programs are effective. Even CISOs–usually a cautious bunch–are only slightly less sure, with 78 percent expressing confidence.

Another disturbing statistic: The percentage of respondents who don’t know if they’ve been breached has doubled in the past two years, from 9 percent to 18 percent.

Brad Stroeh, vice president of network and security services at First Financial Bank, says there’s generally not enough focus on incident response.
“And it’s surprising because there’s not an organization out there that isn’t at risk.”

Mobile and Cloud Criminals

The survey reveals that many companies, especially those with the most effective security infrastructure, are making sure a senior executive explains the importance of security to the rest of the organization. Yet even with more high-level support, security policies and tools for mobile devices haven’t kept pace with criminals targeting phones and tablets in search of high-value data on employees and customers. Almost half of respondents use cloud computing, but just 18 percent include cloud provisions in their security policies.

Steve Phillips, CIO at Avnet, a $25.5 billion technology distributor, won’t tolerate such risk. Rigorous vetting of a cloud provider’s security capabilities is crucial, he says. Avnet conducts a background check of the vendor, evaluating any risky events in its history, and performs a thorough audit of the vendor’s security policies and procedures. Avnet also examines the vendor’s security efforts at many levels, including network, data, IT infrastructure and physical controls.

Phillips also makes certain that vendors’ contracts include specific clauses, such as one requiring the provider to relay information on any breaches and another giving Avnet an escape hatch if a breach is serious enough to warrant terminating the relationship, he says. “You can’t outsource risk or reputation damage should something happen.”