Chief Security Officers Fight e-Crime

FRAMINGHAM, MA – DECEMBER 18, 2002 – A new poll of nearly 800 chief security officers (CSOs) and senior security executives conducted by IDG's CSO magazine reveals CSOs are sharing information with law enforcement officials in an attempt to fight cyber-crime. Almost half (45%) already supply customer, employee or business partner data to government or law enforcement agencies. Furthermore, about a quarter of the respondents say they will provide data on customers (24%), business partners (23%) and employees (37%) without a court order. When faced with an investigation relating to national security, 41% are willing to share information without a court order. Less than half (43%) say they will only release information under court order or subpoena.


"As cyber crime activity and concerns continue to mount, CSOs are becoming more willing to part with information they normally would hold close to the vest," says Lew McCreary, Editor in Chief of CSO magazine. "An increase in information sharing between corporate America and law enforcement could help the nation secure its critical infrastructure, but it also raises concerns about privacy. If standards loosen on what businesses do with customer information, how will customers protect themselves from mistakes and possible abuses? Lawsuits are sure to arise in this area."

In addition to sharing data with law enforcement, more than half of CSOs monitor e-crimes (52%) and report cyber crimes (56%). Interestingly, CSOs are mixed on their reasons for reporting crimes. Thirty-nine percent (39%) would report cyber crimes to deter criminals from committing cybercrimes in the future, while 21% aim to prosecute individuals. Only 6% would report cyber crimes because of faith in law enforcement's ability to track and crack crime.

The second CSO Magazine Security SensorTM also captures the top cyber security concerns among CSOs for their business and the nation at large. Forty-five percent (45%) of CSOs report the number one cyber security concern for their organization is disruption or denial of service (such as by virus, internal or external threat), followed by employee misuse of technology resources (28%) and privacy (21%). For the nation, 37% of CSOs cite economic consequences as the #1 cyber security concern, followed closely by national security (36%) and privacy (24%).

Consistent with August findings of the first CSO Magazine Security Sensor(TM), respondents continue to worry about cyberattacks by Al Qaeda and infractions by current employees:

Fifty-one percent (51%) anticipate a major cyber attack by a terrorist organization (i.e., Al Qaeda) will happen within the next 3 months to one year, up slightly from 49% in August.

Fifty-six percent (56%) say current employees pose the greatest threat to their company's technology infrastructure (up slightly from 53% in August), followed by external persons not employed by their organization (30%), and former employees (8%).

Fifty-three percent (53%) believe electronic attacks (such as viruses) pose the biggest concern to their company, down slightly from 59% in the August poll.

Other key CSO Magazine Security Sensor(TM) findings:

CSOs say security employees (80%) and IT employees (62%) are most compliant when it comes to following security compliance measures. Lagging significantly behind security and IT personnel are management (37%), outside contractors, partners and vendors (30%) and all other employees (21%).

"Ironically, managers are notoriously the worst offenders of security procedures," says McCreary. "These findings underscore the need for greater compliance and example-setting in the executive suite. And we also wonder about that non-compliant 20% within the security function itself. Never mind that they lead the pack. If one-fifth of security professionals violate policies, that undercuts security's credibility with the rest of the enterprise."

In other workplace news, one quarter (26%) of respondents say they'd hire a professional hacker for threat assessments or competitive snooping.

Complete Findings:

1. Under which of the following circumstances would you or your organization provide customer, employee, or partner data to government or law enforcement agencies without a court order (i.e., without a search warrant or a subpoena): (Check all that apply.)

– 24% Criminal investigation of a customer

– 37% Criminal investigation of an employee

– 23% Criminal investigation of a partner organization

– 41% Investigation relating to national security

– 9% Personal request from a trusted law enforcement individual

– 43% Only under court order (i.e., with a search warrant or a subpoena)

– 19% Unsure

2. Have your or your organization supplied customer, employee, or business partner data to government or law enforcement agencies?

– 45% Yes

– 33% No

– 23% Unsure

3. Regarding cyber crime, does your company: (Check all that apply.)

– 78% Monitor attempts

– 52% Monitor crimes

– 56% Report crimes

– 22% Have insurance covering losses caused by cyber crime

– 9% None of these

– 8% Unsure about all of these

4. What is the #1 reason why you report cyber crimes?

– 39% To deter others from committing future cybercrimes

– 21% Prosecution of individuals

– 8% Retrieval of stolen property or data

– 6% Not answered

– 6% Faith in law enforcement's ability to track and crack crime

– 12% Other

– 8% Unsure

5. Does your organization quantify the financial cost of cyber crimes?

– 13% Yes

– 73% No

– 15% Unsure