The Public Eye with Eric Chabrow

Actions Taken After a Security Incident

More than two-thirds of IT security professionals surveyed say they patched vulnerable software following a security incident, up from 46 percent a year earlier.

The data come from the Computer Security Institute's 14th annual Computer Crime and Security Survey of 440 executives, managers and administrators familiar with their organizations' IT security operations.

Next on the list of things to do after a security incident: Patch or remediate other vulnerable hardware or infrastructure, 53.3 percent, up a hair from 2008. That was followed by providing additional security awareness training to end users, at 46.1 percent.

Other interesting factoids from the survey:

  • Security incidents cost respondents, on average, $234,244 in 2009, down 19 percent from 2008. Still, both years were higher than reported 2005 and 2006 losses.
  • One-third of respondents' organizations were fraudulently represented as the sender of a phishing message.
  • Most respondents felt their investment in end-user security awareness training was inadequate, but most rated their investments in other components of their security programs as adequate.
  • Respondents expressed satisfaction with security technology, but weren't overjoyed. Use of nearly all types of security technologies increased; the largest increases were in anti-spyware software and encryption of stored data.
  • Respondents generally agreed that regulatory compliance efforts have had a positive effect on their organization's security programs.

Among respondents, 13 percent came from federal, state and local agencies, as well as military and law enforcement. Fifteen percent hailed from financial services and 7.7 percent from health services.

Despite the small percentage of health services industry respondents, 57.1 percent of all those surveyed said their organization had to comply with the Health Insurance Portability and Accountability Act. Indeed, more respondents said that HIPAA applied to their organization than any other law or industry regulation.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
