Ill-gotten web gains falling further

While many headlines spell doom and gloom when it comes to computer-related misdeeds, the average losses at businesses due to cyber crime continue to drop, according to a new survey.

For the fourth straight year running, the financial losses incurred by businesses due to incidents such as hacked PCs have fallen, according to the 2006 annual survey by the Computer Security Institute and the FBI. Robert Richardson, editorial director at the CSI, discussed the survey's findings in a presentation at the CSI NetSec conference in Arizona on Wednesday.

Respondents in the 2005 survey reported an average of $204,000 in cyber crime losses, Richardson said. This year, that's down to $168,000, about an 18 per cent drop, he added. Compared with 2004, the average loss is down 68 per cent.

Richardson asked: "How do you go about reconciling the sense of things getting worse with the respondents who are saying they are losing less money?" The 2006 survey, a final version of which is slated to be released next month, could provide some answers.

Most important, perhaps, the 615 US CSI members who responded to this year's survey reported fewer security incidents. Viruses, laptop theft and insider abuse of net access are still the most reported threats but all have decreased compared with last year.

Richardson said: "The danger of insiders may be somewhat overstated, according to the survey group." About a third of respondents said they had no losses at all due to insider threats, another 29 per cent said less than one-fifth of overall losses came from insider threats.

Consistent use of security technology may also contribute to the improvements, with essentially all of the respondents stating that they use firewall and antivirus software, not much of a change from last year. This year, eight out of 10 said they also use spyware protection, a category not listed a year ago.

Richardson added: "Overall, you have a picture that is pretty good in many ways. We're seeing fewer of some of the attacks that have been such a plague for us in many years, and respondents are using less and less money."

That "less money" may be good for companies but not for security vendors. It refers to the percentage of IT budgets spent on security. In the 2006 survey, nearly half of the respondents said less than two per cent of the budget is spent on security. Last year that percentage was 35 per cent.

When it comes to cyber crime losses, consumers might be bearing the brunt of them, and they are not covered by the survey, Richardson suggested. "Consumers are the low-hanging fruit," he said. Costs related to identity theft, for example, fall largely back onto the consumer, he added, even if it did start with a data breach at an enterprise.

Joris Evers writes for CNET News.com