Virus attacks, unauthorized access to computer systems and other forms of cybercrime account for up to 75 percent of the financial losses at U.S. companies. These losses can also result in a yearly hit in the hundreds of thousands of dollars for each firm.
Don’t ask these companies about it, though, because most prefer to be mum about any mishaps, according to a study by the Computer Security Institute (CSI), a trade group serving the information security industry.
Most companies prefer to sweep computer crime under the rug rather than going public, noted CSI director Chris Keating. The good news is that this curtain of silence is slowly lifting, with 25 percent of U.S. companies reporting computer crime today as compared with 20 percent over the previous two years.
The average amount of money lost by each company due to computer-related crime is $167,713, which is down about 18 percent from last year, according to the study. This is still a significant chunk of change, but it also signals that companies are doing a better job at policing their systems and are putting more effort into security measures and education.
Companies shouldn’t get too cocky about the survey’s results, though, especially as they become more reliant on computers and criminals become more technically savvy, Keating added.
The San Francisco FBI’s Computer Intrusion Squad assisted with the CSI survey, which included nearly 600 companies, many with at least 1,500 employees. Only half of these companies were willing to share information about cybercrime hits to their financial bottom line, however, even though their identities were protected in the survey.
Other leading types of computer crime noted in the results included lost and stolen laptops or mobile hardware and theft of proprietary information or intellectual property.
One caveat to budding cyber-criminals: Companies are beefing up security education and training efforts and plan to invest in more programs in the future. They also prefer to keep their security measures close to the vest; sixty-six percent of the companies taking part in the survey are avoiding outsourced protective techniques.
More than 80 percent of the companies surveyed also perform regular security audits in order to spot weaknesses or potential attacks.
Also, despite the legends about such hires, most of these companies said they would not hire a talented and reformed hacker as an in-house security specialist.
Some industries are obvious nitpickers about computer security, especially those involved in healthcare that must comply with data retention regulations under the Sarbanes-Oxley Act and other government legislation, said CSI. Companies surveyed noted that regulatory compliance related to information security is one of the most critical security issues they face.
Roughly 7 percent of the companies taking part in CSI’s eleventh yearly survey are involved in the medical and healthcare fields.
The complete 2006 CSI/FBI Computer Crime and Security Survey is available at CSI’s Web site at www.gocsi.com.