Security breach damages on the decline

Companies working to harden their security have found their efforts have resulted in fewer incidents of unauthorised computer use and a decline in damages from security incidents, according to a new security report.

The US Computer Security Institute's (CSI) survey of security professionals at nearly 500 companies found that damages related to cyberattacks declined, reaching about $290,000 per company versus $400,000 per company a year ago.

The report, conducted in cooperation with the FBI, also said respondents thought denial-of-service attacks outpaced intellectual property theft as the most costly type of information threat. Such a shift may indicate that companies are shoring up internal-network defences, said Robert Richardson, editorial director for CSI and an author of the report.

He said: "If you get more effective in protecting what is inside your networks, then [attackers] have to resort to other things. One thing you can resort to is denial-of-service attacks."

Unlike thefts, which require an attacker to break into a system, DoS attacks typically involve an online miscreant sending a flood of data to a website to prevent others from accessing the site. This is the first time DoS attacks have topped the list of threats.

The survey, which measures responses mainly from IT managers who work for companies that are CSI members, is considered an indicator of general trends but not a reliable measure of specific detail, said Richardson.

"You have to be careful in general of results of this kind," he said. "It highlights a lot of interesting things, but it also raises questions that can't be answered by the data."

Most companies kept security functions inside the company, with only 12 per cent of those surveyed indicating they outsourced more than 20 per cent of security procedures.

Larger companies typically benefited from economies of scale and paid less per employee for security, the survey found.

Companies with annual sales of more than $1bn typically paid a little more than $100 per worker on security, while companies with revenue of less than $10m spent an average of $500 per worker.

The survey also indicated that more companies are interested in computer security because of new government regulations. The financial, utility and telecommunications sectors believe the Sarbanes-Oxley Act, which requires a company's executives to be accountable for their financial statements, has resulted in management focusing on information security, Richardson said. This is the first year that the survey asked companies about the effect of the law.

Robert Lemos writes for CNET News.com