Slashdot Mirror


75% of Enterprises Have Suffered Cyber Attacks, Costing $2M+ On Average

coomaria writes "OK, even allowing for the fact this comes from a newly published study (PDF) from a security company, that's still one heck of a statistic. The fact that it's Symantec, and so has access to perhaps more enterprises than most, makes it a double-heck with knobs on. Or how about this one for size: 'every enterprise, yes, 100 percent, experienced cyber losses in 2009.'"

24 of 81 comments

  1. I'm shocked by Dunbal · · Score: 4, Insightful

    This is like the MPAA/RIAA claiming that "piracy" is costing their respective industries "billions" of dollars. Seriously - if you can't spot the conflict of interest you need to turn in your critical thinking hat.

    This is just marketing to increase sales of their "security" products. In fact if you go to the actual PDF linked to in the article it looks suspiciously like a sales brochure, presenting the "problem" and at the end showing how Symantec is the "solution".

    --
    Seven puppies were harmed during the making of this post.
    1. Re:I'm shocked by Lumpy · · Score: 4, Insightful

      They claimed it hard enough that analog HD is dead at the end of this year.

      Because they scream louder than everyone else they get all the attention.

      This screaming about how EVERYONE has suffered losses will be used to force through more draconian laws.... because nobody in the tech field is screaming back.

      --
      Do not look at laser with remaining good eye.
    2. Re:I'm shocked by suomynonAyletamitlU · · Score: 3, Insightful

      This is just marketing to increase sales of their "security" products.

      The reason conflict of interest is a problem is because we don't know whether it is "just" marketing or not.

      It's clearly marketing; whether it's true or not is a completely independent matter. Unless you have data which shows something to the contrary, don't dismiss it out of hand, just like you (clearly) don't accept it on their word.

    3. Re:I'm shocked by Dunbal · · Score: 3, Informative

      Unless you have data which shows something to the contrary, don't dismiss it out of hand, just like you (clearly) don't accept it on their word.

      On the contrary, we live in an age where moral decadence is rampant even among professionals. Where well known drug companies create sock puppet "peer reviewed" magazines, with the sole purpose of "publishing" favorable studies for their drugs. Where "climate experts" leave out any inconvenient truth that contradicts the trend they are trying to "prove". Where "expert witnesses" in court turn out to be frauds and lie under oath.

      No, today is a time when you must especially dismiss reports like this out of hand. And there are several reasons:

      I doubt the CEO of any company would proudly announce how much money his company "lost" due to "cyber-attack" (yes look at us we're vulnerable/we're idiots!). It's none of Symantec's business.

      Their categories are meaningless. Please explain the difference between Cyber-attacks, "Traditional criminal activities" and (of course it had to be there) "terrorism"? These are all separate categories according to their survey. Apparently 10% of all companies surveyed have been the victims of "terrorism". This does not correlate well with, say, the evening news.

      They claim that on average companies are losing $2 million per year EACH. Yet the majority of companies (71%) are experiencing "no cyber attacks" or "just a few cyber attacks". Clearly these tiny attacks must be devastating.

      Another section claims that 29% of respondents claim "significant" or "slight" increase in "attacks" in the past year. What they leave out is that this means 71% of respondents think there is "no increase" or some sort of "decrease". Oops.

      Frankly, if you don't know how to think, you get swindled by lies like this. Symantec is out to sell "security" and in order to do that, they are willing to make you think that they are the only ones who can prevent your business from being ruined ($2 million dollars/year/large enterprise, or at least that's how they want it to sound) and that you are surrounded by enemies.

      --
      Seven puppies were harmed during the making of this post.
    4. Re:I'm shocked by Tim+C · · Score: 2, Insightful

      nobody in the tech field is screaming back

      Why would they? As long as it doesn't cost them anything, it's not their fight. (Licensing costs, etc are passed directly on to the consumer)

      In fact otherwise working kit being obsoleted is good for the industry, as it helps drive sales of the new kit.

  2. Full Text by Archon-X · · Score: 3, Informative

    'Article' is at best 3 paragraphs, poorly written, with advert popups.
    For those who are interested, original text below.

    Wow. That's quite a statistic, but there it is in front of me jumping off the pages of the latest global State of Enterprise Security study from Symantec. The two lines shining so brightly and grabbing my attention read "75 percent of organizations experienced cyber attacks in the past 12 months" and "these attacks cost enterprise businesses an average of $2 million per year". I'll say it again, wow!

    Maybe that is not so surprising when you consider that the report states that every enterprise, yes 100 percent, experienced cyber losses in 2009. The top three losses being intellectual property theft, customer credit card data theft and the theft of other personally identifiable customer data. These losses translated into a financial cost 92 percent of the time mainly in terms of productivity, revenue, and tanking customer trust.

    Of course, as I have said before the math is always hard on the brain when you read these reports. That 75 percent figure is revealed immediately after we are informed that apparently 42 percent of organisations consider that security is the number one consideration for their business, beating off competition from such things as natural disaster and terrorism and traditional crime. In fact, it is a bigger concern than all three of those things combined. The disparity between the two could, of course, be partly down to another revelation in the report: enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues and IT compliance issues.

    When it comes to understaffing, network security is the biggest problem for 44 percent of those responding, with endpoint security sharing the honours also on 44 percent. Then there are the initiatives that IT rated as most problematic from a security standpoint, which include infrastructure-as-a-service, platform-as-a-service, server virtualisation, endpoint virtualisation, and software-as-a-service. And not forgetting compliance, with your typical enterprise having to explore no less than 19 separate IT standards or frameworks and employ around eight of them.

    "Protecting information today is more challenging than ever" said Francis deSouza, senior vice president, Enterprise Security, Symantec Corp. "By putting in place a security blueprint that protects their infrastructure and information, enforces IT policies, and manages systems more efficiently, businesses can increase their competitive edge in today's information-driven world."

    1. Re:Full Text by zappepcs · · Score: 4, Insightful

      And you might have heard on the commercial, 1 out of 4 women can't read a pregnancy test, so they made it easier to read. I'm pretty tired of advertising and mock white papers making it out like we're all stupid. Using Symantec security products won't make your business decisions smarter. What it will do is ensure that your minimum spending on security products is done with Symantec. A real white paper on security would have shown all options, and compared them to each other so you can not only make a decision to use security products and why you would do so, but which one suits your needs best.

      I think I'm at the point where if the ad, paper, or whatever describes me or other users or the demographic they are after as stupid, I will just shitcan it on principle.

    2. Re:Full Text by tomhudson · · Score: 3, Interesting

      And of course security is not something you can buy, any more than trust.

      With that in mind, here's a stat that Symantec doesn't want you to know:

      100% of the companies that depend on Symantec to make them secure are vulnerable.

  3. symantec by the_Bionic_lemming · · Score: 3, Insightful

    Just having and paying for symantec is a cyberloss, and that's before a cyber attack!

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    1. Re:symantec by Coopjust · · Score: 4, Funny

      I think Symantec should detect their own product as Trojan.Symantec.

      Seriously, Symantec and McAfee applications are more ill behaved with system resources than most viruses.

  4. Hardly by RMH101 · · Score: 4, Funny

    Aw, c'mon. We've not spent nearly $2M on Symantec licences here, and I'd hardly call their sales pitch a cyber attack.

    I'm here all week, try the veal

  5. "a double-heck with knobs on" by circletimessquare · · Score: 4, Funny

    i'm not familiar with that metric. could you convert that into libraries of congress?

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:"a double-heck with knobs on" by wintercolby · · Score: 3, Funny

      I'm afraid it can only be represented in negative LoC's as it's an extra spammy article, referencing a sales brochure for Symantec. 10 brain cells were completely wasted in reviewing TFA, as well as 3 mouse clicks to close out the full screen ads.

      --
      Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
  6. Re:Original report... by Anonymusing · · Score: 3, Interesting

    Oh, for crying out loud. The report PDF isn't even searchable: every page is a solid bitmap graphic.

    Can anyone tell me what a "brand-related risk" might be for security professionals (see page 6)? Do they mean corporate espionage? Or has the CTO threatened to use red-hot irons on the I.T. staff?

    --
    Liberal? Conservative? Compare perspectives at Left-Right
  7. Re:Original report... by Dunbal · · Score: 5, Insightful

    Can anyone tell me what a "brand-related risk" might be for security professionals

    Presumably that would be "not buying Symantec security products".

    --
    Seven puppies were harmed during the making of this post.
  8. Advertising as journalism, on slashdot by Jawn98685 · · Score: 3, Informative

    Sorry guys, but this crap is a complete waste of my time.

  9. Define "cyber attack". And don't use average by Anonymous Coward · · Score: 5, Insightful

    Connect any web server to the internet and you'll see tons of connections from botnets trying randomly to exploit various old vulnerabilities. Technically, these are attacks, though you don't need to worry about them if you're patched up.

    So is this saying anything more than 75% of enterprises have a web server?

    And the average cost is a meaningless number, since averages are swayed by outliers. If you wanted a good statistic for this, you'd use the median. Alternatively, compute the average of (cost of attack / yearly revenue).

  10. Spam by Alcimedes · · Score: 3, Insightful

    Sweet, the first article that was so bad I just tagged it as spam. I'd worry about the future but the filters on the /. editors have been crap for years, surprised there aren't more of these.

  11. I'd be surprised if it's anything less than 100% by jimicus · · Score: 5, Informative

    I seriously doubt Symantec are only counting "concerted attacks from a single origin with a specific target in mind". More likely they mean "opportunistic attacks".

    So, to /., I say:

    • Raise your hand if your company consists of more than a handful of people.
    • Keep your hand up if your company has an internet connection.
    • Keep your hand up if you roll out managed AV software to all desktops and monitor it religiously (including checking for PCs which haven't been seen in a while).
    • Keep your hand up if every PC and every server has a full-blown firewall running locally which blocks all incoming traffic except for what you know for a fact you need.
    • Keep your hand up if you filter spam (either yourself or through a third-party service).
    • Keep your hand up if your filter successfully excluded 100% of all phishing and trojan-link-spreading emails over the last year.
    • Keep your hand up if your web access is filtered on a default-deny basis (ie. staff can only access pre-approved sites).
    • Keep your hand up if your web access is through a proxy which blocks the download of executables, ActiveX, Adobe PDFs, encrypted files (who knows what's in them?) and JavaScript.
    • Keep your hand up if you update all your PCs (including laptops, even if offsite) within 24 hours of the discovery of any security flaws in client software.
    • Keep your hand up if your switches only allow connections from pre-allowed MAC addresses.
    • Keep your hand up if you have done all of the above and still your staff are happy with the service you provide and don't try and work around you at every opportunity.

    Those of you who still have your hand up, well done. You've done just about all that is possible to secure your network short of giving everyone dumb terminals and your internal customers are delighted with everything you do.

    Everyone else will see an attack from time to time. The whole point of security is you have several layers so any attack won't get far.

  12. Which Enterprises are being counted? by Colonel+Korn · · Score: 5, Funny

    By my count (of Wikipedia), there are 2 Enterprises from the Continental Navy, 6 from the US Navy, 1 balloon, 1 space shuttle, 1 training ship, and 8 starships that are worth counting, for a total of 19 Enterprises. If 75% have suffered major cyber attacks and we round down, we have 14 cyber-victims.

    Here's where it gets weird. Clearly the 8 starships are attackable in the computerized sense. That leaves us with 6 other hackable Enterprises. Most likely 1 is the space shuttle, 1 is the training vessel, and 1 is the contemporary aircraft carrier. But that means 3 more Enterprises were cyber-violated out of a pool containing a balloon used during the Civil War and 5 US Navy ships decommissioned between 1823 and 1947.

    This seems to be proof of a pre-modern technological underground. Or time travel.

    --
    "I zero-index my hamsters" - Willtor (147206)
    1. Re:Which Enterprises are being counted? by Ukab+the+Great · · Score: 2, Funny

      The Federation needs more H1B visas so they can outsource security from Qu'onos. Plus, they can pay them less as long as they offer free Bloodwine as a perk.

  13. Actually Only 25% by Anonymous Coward · · Score: 2, Funny

    This article severely overestimates the impact of cybernetic attacks. According to my count, the borg only invaded 25% of starship enterprises, excluding those existing in alternate timelines/realities.

  14. Re:Original report... by codegen · · Score: 3, Informative

    Brand related risk is risk to your reputation that damages your "Brand". They are talking about enterprise level IT. So you are working for some large company such as WalMart or Microsoft or IBM. Examples might be defacing the website, or stealing customer information. A more subtle attack may be to change the price in a database indicating a sale that doesn't really exist. Too many customers buy the product and you have to backtrack on the price and cancel orders. This would damage your reputation. Or many others... Of course, the implication is that Symantec Security products would prevent such events.

    --
    Atlas stands on the earth and carries the celestial sphere on his shoulders.
  15. Re:I'd be surprised if it's anything less than 100 by postbigbang · · Score: 2, Interesting

    Were it that easy.

    Sadly, you can get smashed by the zero-days, the rootkits from hell, the flash-drive-dummies, Mr or Ms I-Don't-Get-Paid-Enough, the supposed 100% spam killing filters, and so on.

    Yes, we try. And your concept of filtration via layers works for many types of attacks and security failures. But nothing is foolproof because fools are so ingenious.

    This isn't to justify Symantec's latest PR attempt, just to remind you that while you look organized, something's sneaking up behind you.

    --
    ---- Teach Peace. It's Cheaper Than War.