Editor’s Note: Part two in a four-part series
In part one of our blog series based on Symantec’s new research report, Managed Security in the Enterprise, I provided an overview of the challenges organizations are facing from cyber attacks. While we aren’t surprised that almost all U.S. respondents (88 percent) stated that their organizations have experienced cyber attacks over the past two years, the cyber loss they’ve experienced is staggering.
Incredibly, 97 percent of respondents reported real, tangible loss as a direct result of cyber attacks. When asked about the kind of cyber loss experienced, 46 percent of respondents in the United States claimed that they experienced downtime of their environment. Since there haven’t been any massive worms that have disrupted IT operations for the past several years, I interpret the high reported downtime as compromised systems requiring re-imaging, which temporarily disrupted productivity. As such, I would expect the implications of this “downtime” to be mild and only short-term. However, 31 percent of respondents experienced theft of employee- or customer-related personally identifiable information (PII), and 20 percent experienced theft of customer credit card information from cyber attacks—both of which are statistics that I find alarming.
As Symantec noted in the Report on the Underground Economy released in November 2008, cyber criminals are using IRC channels and Web forums as meeting places to discuss cybercrime and to buy and sell fraudulent goods and services. Items sold include credit card data, bank account credentials, and email accounts. While it’s well known that there is an underground economy thriving on stolen information, the number of organizations reporting cyber loss is stunning. Complicating matters further, stolen PII and credit card information have long-term implications for the reputation of an organization. When asked about the costs related to breaches, 12 percent noted lost customer trust or customer relationships, and 8 percent reported damaged brand reputation from cyber loss.
My read on all of this: the notion that investing in security can’t equate to controlling financial loss is dead. When it comes to protecting customer and employee PII, credit card information, and financial information, the stakes are too high to not adequately mitigate the risks. In the next part in this blog series, we’ll address how well organizations are handling the challenge.
Grant Geyer, VP Symantec Managed Services