Survey: 89% of Security Incidents Went Unreported

By: Kevin Lo
August 4, 2008
TechSoup, originally posted at http://blog.techsoup.org/node/451

As nonprofit organisations often experience more turnover and have staff with more wide-ranging IT skills, security should be just as high a concern for them as it is for, say, a financial services institution or commercial retailer. According to a survey conducted by RSA Conference, an information security conference, 29% of the 300 or so security professionals surveyed stated that they experienced a customer or employee data leakage in 2007, but only 11% of those disclosed the incident, meaning 89% didn't bother reporting it!

While it is alarming to see such a statistic among the most informed and experienced security professionals, its statistical significance is dubious considering the number of security professionals in the industry, and perhaps the number of security incidents that occur undiscovered. Considering the amount of bad publicity and potential legal ramifications of non-disclosure, and more standardised security requirements such as the PCI Data Security Standard, one would imagine that increased mainstream reporting and more timely security patches can address some of these concerns. Other interesting findings from the survey include:

  • When asked about what they believe their top security threats will be in the next 12 months, survey respondents cited "data leakage," "email-borne malware," and "Web-borne malware" respectively.
  • When asked about what their biggest security challenges will be in the next 12 months, survey respondents cited "lost/stolen devices," "non-malicious employee error," and "employee education" as their top three.

If it's any cause for comfort, for-profit companies seem to experience the same challenges as other sectors. More often than not, security is not a problem that can be solved with just more funds, because being informed and proactive is just as important to maintaining a secure computing and operating environment.