Average annual losses from security incidents have doubled, according to the Computer Security Institute’s 12th Annual Computer Crime and Security Survey. Regardless of the accuracy of the individual figures collected – and these can be understated for a variety of reasons – it’s the trends that count. So this jump is highly significant, especially as previous CSI surveys have indicated a downward trend.
It’s also interesting to note that, for the first time, financial fraud losses have overtaken the costs of virus attacks. In fact, they are more than twice as high. The survey also indicates an increase for many organisations in the percentage of IT budget spent on security, with a clear trend towards 3-5% of IT budget. Of course, the relevance of this metric depends on what you actually mean by security. But again, it’s the trend that counts, and that trend is upwards.
However, despite all of the emphasis on the importance of the human factor in security, it’s sad to see that just under half of the organisations surveyed spent less than 1% of their IT security budget on awareness training. Now, whether this is because organisations don’t know how to address the problem or because they can’t find any products worth buying, it demonstrates a widespread inability to translate the current mantra into real-world spending. And that might also be a major reason why the annual losses are increasing so fast.