Survey Finds Technology Security Breaches Remain Big Problem

Dan Keeney — Mon, 11 Dec 2006 16:00:00 GMT

How pervasive are computer security breaches? If law firms are anything like the rest of corporate America, the problem is a significant drain on time and resources. Three-quarters of respondents to a new survey of security executives in industry and government agencies said that they had at least one security incident in the past 12 months. That’s a lot.

The third annual “E-Crime Watch Survey,” released recently by the CERT Coordination Center at Carnegie Mellon University, U.S. Secret Service, CSO Magazine and underwritten by Microsoft, states the obvious: companies continue to struggle with electronic crimes. However, the survey also revealed that progress is being made.

More than 430 security executives in industry and government agencies responded to the survey covered the period July 2005 through June 2006, and it asked about a range of security problems, including: theft of intellectual property and proprietary information; denial of service attacks; worms and other malicious code; phishing; spam; Web site defacement; spyware; and theft of consumer records.

Respondents indicated that operational losses such as system downtime and lost productivity, are the most common consequence of computer security crime. What does all this cost? The survey found the median cost of a security breach increased to $45,000. The mean cost reached $740,000. Both figures were up nearly 50 percent in the past year.

Despite all the attention over the past year to mistakes by employees that led to security breaches (such as taking laptops with confidential information off-site), the survey found that outsiders caused about twice as many incidents as insiders. Even so, few companies appear to be working with law enforcement or going to court to stop the problems. Only 28 percent of firms said they had contacted law enforcement or gone to court in the wake of a breach. What were the primary reasons for not pursuing the case? Respondents said it was the lack of evidence about who committed the crime and the minor financial impact.

On the flip side, there is some promising news in the survey findings.

Nearly 70 percent of respondents said they feel their organization is better prepared this year to prevent cyber crime than it was last year.
The mean and median numbers of incidents per company fell in the latest survey period from the two previous years. This suggests that companies are having greater success at stopping widespread outbreaks of security breaches. Now that’s progress.
There was broad agreement about what security measures work. The top five responses were stateful firewalls (87%), electronic access control systems (86%), password complexity (80%), network-based antivirus (74%) and encryption (74%).

So what does this mean for law firms? On the one hand, the profile of those surveyed isn’t representative of most law firms. The median company reported having about 3,800 employees and spending more than $400,000 on information technology (IT) security in the past year. However, vigilance is always a good idea.

Of particular interest is the finding that outsiders caused about twice as many incidents as insiders, which indicates that IT security operations still can be strengthened. The following are a few recommended best practices every law firm should consider:

If users are allowed to connect to the firm’s network by means of a virtual private network (VPN), the remote user should be required to install and maintain good antivirus software. Network traffic into the firm’s network by way of a VPN should be restricted to approved applications, which can prevent the network from being breached by an insecure home network.
Guests visiting the firm should not be allowed to connect their laptops to the firm's production network. A separate network should be used for these guests, which isolates their network activity from the firm's network.
Laptops should be equipped with firewalls and users should not use public networks, such as WiFi hotspots or hotel/motel networks, to connect to the firm network unless VPN or other encryption technology is used.
Laptop hard drives should be encrypted, so data cannot be read if the laptop is stolen.
Don’t neglect Blackberry devices, which also should be password protected. The data they contain is potentially as valuable as the data on a laptop.

Computer security breaches continue to be a pervasive problem for all businesses – putting unnecessary strains on manpower and budgets. However, by adopting work processes that keep security top-of-mind and by implanting the growing number of effective security tools, law firms can go a long way toward securing their data from e-criminals.

11-Dec-06 10:00 AM

Rafte - Articles

Survey Finds Technology Security Breaches Remain Big Problem