
CSI Survey: Financial impact of some security breaches skyrockets

Highlights include a six-fold increase in costs related to unauthorized access.

The financial impact of the theft of proprietary information has more than doubled in the last year, according to the 10th annual CSI/FBI Computer Crime and Security Survey. Other noteworthy highlights include a 588% increase in costs associated with unauthorized access and an 80% increase in Web site incidents.

"Individual users are more exposed to computer crime than ever, due to the growth in identity theft schemes," Chris Keating, director of the Computer Security Institute [CSI], said in a statement. "With the press and the public paying more and more attention as identity theft becomes a vital societal issue, we can't help but note the shift in the survey results toward more financial damage due to theft of sensitive company data. This is an ominous, though not unexpected, development."

CSI and the FBI surveyed 700 U.S. computer security practitioners in corporations, government agencies, financial institutions, medical institutions and universities. Respondents reported financial losses resulting from security breaches decreased more than 60% from the previous year's $526,000 to an average loss of $204,000 per respondent. The total losses for 639 survey respondents came to just over $130 million, down from $141 million the previous year.

"As a veteran of the infosec wars, it's of interest to me that we've apparently won two of the major battles -- first, the battle over whether information security is necessary, and second, that everyone needs to have a nominal understanding of it," said Becky Bace, CEO of network security strategy consultancy Infidel Inc., and a venture consultant with Trident Capital.

While virus attacks remain the leading cause of financial loss [32% for a total of $42.8 million overall], costs associated with unauthorized access soared 588%, coming in second at $31.2 million and representing nearly a quarter of reported financial losses. It was followed by the loss of proprietary information, which increased 211% over last year.

"It's about a six-fold increase, but as a loss, it isn't much in the general scheme of things," said Robert Richardson, editorial director of CSI and an author of the survey. "But those who suffered a loss from unauthorized access to information lost more on average than other respondents did on average."

Unauthorized access losses per respondent increased to $303,234 in 2005, up from $51,545 in 2004. Losses related to the theft of proprietary information increased from $168,529 in 2004 to $355,552 in 2005, according to the survey.

Calling it the "crime du jour," Richardson said these statistics were expected because of the increase in identity theft and other crimes that target end users and consumers.

A surprising finding of the survey was that 95% of respondents experienced more than 10 Web site incidents while only 2% experienced between one and five such incidents. These statistics were a complete reversal of those in the 2004 survey, which found that only 5% had experienced more than 10 incidents and that 89% had experienced between one and five incidents. The term "incident" was not qualified further, but Richardson said Web site defacement is responsible for the least amount of losses. Since Web site defacement is not very costly to an organization, firms act in an economically rational manner and do not spend much to prevent such attacks. "It's right that enterprises aren't losing sleep over such attacks," he said. "These are relatively quick to recover from."

However, some end users attach more significance to these Web attacks. "The increase in Web incidents last year is partially due to heightened awareness of the serious nature of these attacks," said Ken Pfeil, CSO of New York-based Capital IQ, a market data and research firm. "Protecting our clients' information is absolutely our top concern, and we realize that even the most sophisticated perimeter protection, firewalls and network security solutions will not always stop attackers from illegally accessing proprietary information contained in a Web application." Capital IQ uses NTOSpider from NT Objectives to protect itself with automated assessment and other tools.

Full results of the survey can be downloaded free from the CSI Web site.

This article originally appeared on, a sister site of
