Attack Costs Down, Study Says

CSI, FBI find drop in intrusion reporting.

The amount of money U.S. businesses and other organizations lose to digital attacks has dropped more than 50 percent since last year, according to the latest survey from the Computer Security Institute and the FBI. And the percentage of organizations that detected unauthorized use of their systems fell to 56 percent, from 60 percent a year earlier.

The survey this year shows that companies are still failing to report most intrusions and attacks to law enforcement. Only 30 percent of the survey's respondents said they had contacted the authorities after an attack, a drop from 34 percent a year ago. Negative publicity and fear that competitors would use the information to their advantage were the top two reasons organizations cited for failing to talk to law enforcement after an attack.

Among the most frequently seen attacks, viruses, laptop misuse and unauthorized access by insiders continue to lead the way, according to the survey. Fully 82 percent of all respondents reported being hit by a virus, down from 85 percent last year. But the most surprising result of the survey is clearly the dramatic drop in the estimated financial costs of reported attacks.

The 530 organizations surveyed reported $201.8 million in losses this year; last year, 503 respondents lost $455.8 million.

The CSI/FBI Computer Crime and Security Survey, which is conducted annually, surveys security professionals at U.S. corporations, government agencies, universities and other organizations. This is the eighth year the survey has been conducted.

One of the most often cited statistics from the survey is the number of attacks coming from inside an organization versus those originating outside the network. Security vendors frequently use these numbers to support claims they're making about the need for products.

This year, the trend toward more of the attacks coming from outside the network continued, with 78 percent of respondents saying the Internet is their most frequent point of attack. Only 30 percent cited internal systems as the top attack vector, down from 33 percent last year.

Another interesting finding of the survey is the sharp decrease in the number of organizations reporting unauthorized access or misuse of Web sites. The number fell to 25 percent, from 38 percent last year. And of the respondents that saw Web incidents, 69 percent reported five or fewer such incidents.

Most of the Web-related incidents were vandalism (36 percent) and denial-of-service attacks (35 percent).