Security Pays Off As Cybercrime Costs FallSecurity Pays Off As Cybercrime Costs Fall

The number of cybercrimes and hacker attacks, and the cost attributed to such intrusions, declined for the fourth straight year, according to data released this week by the Computer Security Institute. CSI attributed the drop-off to increased attention to security by businesses and government agencies.

"Our survey respondents appear to be getting real results from their focus on information security," Chris Keating, CSI's director, said in a statement.

In its ninth annual Computer Crime and Security Survey--which it conducts in conjunction with San Francisco's division of the FBI--the association noted that the downward trend, which started in 2001, resulted in the lowest percentage since 1999 of those polled who reported unauthorized use of their computer systems.

In the last 12 months, approximately 53% of the nearly 500 IT and security managers surveyed said that their organizations had experienced an attack.

The 2004 edition of the survey said dollar costs of security breaches also declined year to year, to an estimated $141 million, from $202 million in the 2003 survey. Although these numbers are a bit of apples and oranges due to the changing number of respondents, the average cost per company polled also fell--to $286,430 from $380,749.

For the first time, said the CSI poll, denial-of-service attacks took the top spot as the most expensive computer crime, accounting for about 18% of the total cost of security invasions. The former top dog--theft of intellectual property--fell second place at 8%.

The denial-of-service attack figures come as no surprise, because several major security outbreaks over the last 12 months have involved worms that targeted specific firms, such as the SCO Group and Microsoft, with such assaults. The MyDoom worm, for instance, hit both companies with DoS attacks earlier this year.

"Not all organizations maintain the same defenses as our members, and hackers won't become complacent anytime soon, so we still have our work cut out for us," added Keating. "The message here is that it makes sense to continue focusing on adherence to sound practices, deployment of sophisticated technologies, and adequate staffing and training."