The Computer Crime and Security Survey contends that viruses continue to be the leading source of financial losses among businesses, followed by schemes related to unauthorized network access, stolen laptops and theft of proprietary information.
Those four categories accounted for 74 percent of all the money lost by the companies, government agencies and other private institutions involved in the study.
In its 11th year, the report was based on interviews with over 600 IT professionals and was overseen by San Francisco-based CSI (the Computer Security Institute) and the FBI's Computer Intrusion Squad.
Among the companies surveyed for the study, financial losses related to virus outbreaks totaled roughly $15.7 million over the last year, with attacks launched via network break-ins accounting for approximately $10.6 million. Money lost because of the theft of laptop computers or other wireless hardware totaled $6.5 million among respondents, while intellectual property theft totaled just over $6 million.
Attacks on corporate Web sites were another common problem, with 59 percent of those interviewed saying their companies had been victimized online in more than 10 different incidents, with denial-of-service threats driving another $3 million in losses.
While unauthorized network access still continued to represent one of the top sources of financial loss related to IT crime, the CSI/FBI report found a slight decrease in the percentage of respondents reporting that they have experienced it over the last 12 months. Only 52 percent of companies said they had had network break-ins, while 53 percent reported similar incidents in 2005 and 56 percent in 2004. The number of companies that told the researchers that they had experienced no unauthorized network access increased to 38 percent, its highest rate in the history of the study.
Despite the continued problems with viruses and other threats, the survey found that the average amount of financial loss per respondent to the study moved downward. The number dipped from an average of $204,000 in 2005 to $168,000 in 2006, an 18 percent reduction. Increased investing in IT security technology was credited by the report as the primary reason for the drop.
Among the leading security technologies employed by respondents were firewalls (98 percent), anti-virus applications (97 percent), anti-spyware software (79 percent), server-based access control tools (70 percent) and intrusion detection systems (69 percent).
Another trend among businesses that the report suggests is helping reduce IT security losses is more comprehensive training of employees on company policies meant to limit risk of potential attacks or data breaches. Some 77 percent of those interviewed said they required training on overall security policies, while 76 percent employed network security training and 72 percent conducted security management classes.
Despite companies having expressed an increased interest in security outsourcing in previous years, the study found that few had adopted more such services over the last year, with 61 percent of respondents indicating that their organizations do not outsource any IT security functions.
Among the organizations that do outsource some computer security activities, the percentage of security activities parceled out to service providers remains very low, or less than 15 percent of all operations.
On a subject of particular interest to the FBI, the study found that the percentage of organizations reporting computer intrusions to law enforcement has reversed a multiyear decline, with more companies being ready to share information about their incidents. Some 25 percent of respondents said they have begun working with law enforcement, compared with 20 percent in the previous two years.
The negative publicity potentially garnered by reporting intrusions to law enforcement officials remains the leading concern for most organizations not already doing so, the study said.