Computer crime tab costs US business dear

Dealing with viruses, spyware, PC theft and other computer-related crimes costs US businesses a staggering $67.2bn per year, according to the FBI.

The FBI calculated the price tag by extrapolating results from a survey of 2,066 organisations. The survey, released on Thursday, found that 1,324 respondents, or 64 per cent, suffered a financial loss from computer security incidents over a 12-month period.

The average cost per company was more than $24,000, with the total cost reaching $32m for those surveyed.

Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organisations from 64 per cent to a more conservative 20 per cent.

According to the 2005 FBI Computer Crime Survey: "This would be 2.8 million US organisations experiencing at least one computer security incident. With each of these 2.8 million organisations incurring a $24,000 average loss, this would total $67.2bn per year."

By comparison, telecommunication fraud losses are about only $1bn per year, according to the US Secret Service. Also, the overall cost to US citizens of identity fraud reached $52.6bn in 2004, according to Javelin Strategy & Research.

Other surveys have attempted to put a dollar amount on cyber security damages in the past but the FBI believes its estimate is the most accurate because of the large number of respondents, said Bruce Verduyn, the special agent who managed the survey project.

Verduyn said: "The data set is three or four times larger than in past surveys. It is obviously a staggering number but that is the reality of what we see."

Responding to worms, viruses and Trojan horses was most costly, followed by computer theft, financial fraud and network intrusion, according to the survey. Respondents spent nearly $12m to deal with virus-type incidents, $3.2m on theft, $2.8m on financial fraud and $2.7m on network intrusions.

These figures do not include much of the staff, technology, time and software employed to prevent security incidents, Verduyn said. Also, losses to individuals who are victims of computer crime or victims in other countries are not included, he said.

The FBI's next fiscal year, for which budgets must be reviewed and approved, begins 1 October. Protecting the US against high-technology crimes is third on the agency's list of priorities.

Survey respondents use a variety of security products for protection. Antivirus software is almost universally used, with 98.2 per cent of respondents stating they use it. Firewalls follow in second place, with 90.7 per cent, and anti-spyware and anti-spam are each used by about three-quarters of respondents, according to the survey.

The results mean that close to one in 10 organisations does not have a hardware or software firewall. Or perhaps they don't know they have one - the Windows Firewall in Windows XP, for example. Verduyn explained: "Some are very small businesses that should have that technology but they don't."

Biometrics and smart cards - both relatively new security technologies - were used only by four per cent and seven per cent of survey respondents, respectively. Intrusion prevention or detection systems were used by 23 per cent and VPNs, or virtual private networks, by 46 per cent.

Organisations were attacked despite use of security products, with nine out of 10 respondents saying they experienced a security incident. In fact, the most common attacks aligned with the most commonly used defences. Computer viruses, worms or Trojan horses plagued 84 per cent of respondents, 80 per cent reported spyware trouble, and 32.9 per cent said attackers were probing their systems using network port scans.

Not all threats came from outside the organisation. More than 44 per cent of the survey respondents reported intrusions from within the company. Verduyn said: "Companies may be unaware of the internal potential for computer security incidents." He recommends applying policies and procedures to thwart attacks from the inside.

The FBI surveyed companies in Iowa, Nebraska, New York and Texas. Companies more than three years old, with more than five employees and with more than $1m in revenue were asked to participate. Survey participants were asked to provide their responses by the end of July 2005, with their answers covering the previous 12-month period.

Joris Evers writes for CNET News.com