CSI: Computer Crime and Security Survey 2011

Every year the Computer Security Institute furnishes the Computer Crime & Security Survey. The purpose of this survey is to gain insight into the challenges survey respondents face throughout the year. This year there were over 350 respondents from the most common verticals (Financial, Government, Education, Medical, and Hospitality). While we have only outlined what we feel are the relevant findings from this survey that apply to Hospitality, we encourage all of our clients to read the entire survey, as it contains a wealth of beneficial information.

This year, for the first time, the Data Breach Investigations Report (DBIR) also incorporates a case database obtained from the U.S. Secret Service, which is listed as a co-sponsor of the report. Perhaps the most salient feature of the demographics here is that the entire sample comes from organizations that have suffered major data breaches. Given that banks are where the money is, it’s not surprising to learn that the case load heavily tilts toward financial institutions, with 33 percent of cases, followed by 23 percent in the hospitality industry. That over half of the cases come from just two industries, though, may well seem problematic if one is trying to get a sense of the general level and nature of threat to enterprise networks.

Last year, 43.2 percent of respondents stated that at least some of their losses were attributable to malicious insiders, but non-malicious insiders were clearly the bigger problem, with 16.1 percent of respondents estimating that nearly all their losses were due to non-malicious actors. More broadly, non-malicious insiders were clearly responsible for more loss than malicious ones, but even more to the point, there was clearly a great deal of loss that was not due to insiders at all.

This year’s data is consistent with last year’s. In keeping with the notion that more than half of losses are not due to malicious insiders, the percentage of respondents reporting no losses due to malicious insiders edged up to 59.1 percent. 87.1 percent of respondents said that 20 percent or less of their losses should be attributed to malicious insiders. 66.1 percent of respondents said that 20 percent or less of their losses were attributed to non-malicious insiders.

64% of respondents feel that compliance requirements have improved their security program. Also, 45% deployed new technology because of compliance, and 32% responded that their overall security budget increased.

*Please note: all findings have been taken from the 2011 CSI Computer Crime & Security Survey.