Virus Attacks Named Leading Culprit of Financial Loss by U.S. Companies in 2006 CSI/FBI Computer Crime and Security Survey

New CSI Survey Available Online Showcases Security Breach Figures

Jul 13, 2006

The Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad today released its 2006 report citing that virus attacks are the leading cause of financial losses. The top four categories -- virus attacks, unauthorized access to networks, lost/stolen laptops or mobile hardware and theft of proprietary information or intellectual property -- according to the 2006 Computer Crime and Security Survey, account for more than 74 percent of financial loss.

However, negative publicity from reporting intrusions to law enforcement is still a major concern for most organizations. Even in an anonymous survey, only half of the 616 U.S. companies surveyed were willing to share overall cost figures from financial losses resulting in security breaches. The average loss reported by this group was $167,713, which represents a decrease of nearly 18 percent from last year's average loss of $203,606.

  Additional key findings include:

  *  Companies resist reporting computer crimes.  The percentage of
     organizations reporting computer intrusions to law enforcement has
     reversed its multi-year decline, standing at 25 percent as compared
     with 20 percent in the previous two years.

  *  Government mandates and compliance issues continue to be a hot topic
     within the IT department.  The impact of the Sarbanes-Oxley Act on
     information security remains substantial.  In fact, in open-ended
     comments, respondents noted that regulatory compliance related to
     information security is among the most critical security issues they

  *  Security outsourcing is not as prevalent within U.S. companies.
     Despite talk of increasing outsourcing, the survey results related to
     outsourcing are similar to those reported for the last two years and
     indicate very little outsourcing of information security activities.
     Sixty-three percent of the respondents indicated that their
     organizations do not outsource any computer security functions.  Among
     those organizations that do outsource some computer security
     activities, the percentage of security activities outsourced is rather

  *  IT groups want to educate and train internally to mitigate security
     risks.  Once again, the vast majority of the organizations view
     security awareness training as important.  In fact, there is a
     substantial increase in the respondents' perception of the importance
     of security awareness training.  On average, respondents from most
     sectors do not believe their organization invests enough in this area.

"This year's survey -- coupled with results from recent years -- suggests that the news within the enterprise security perimeter is good. Respondents tell us that they are keeping their cybercrime losses lower," said Chris Keating, CSI director. "At the same time, our economic reliance on computers and technology is growing and criminal threats are growing more sophisticated, so we shouldn't overestimate our strengths. As highlighted in the survey, the security professional's role is imperative within U.S. companies -- they are asked each and every day to address the constantly evolving threat."

The main objectives of this report are to focus on key trends in the information security arena and to identify changes in the landscape as they become visible so that business can act accordingly. "Virus attacks, cybercrime and identity theft all effect consumer confidence, slowing the acceptance of e-commerce," said Robert Richardson, CSI editorial director. "We want to ensure that today's security professionals receive the latest tools and resources to positively impact and promote awareness within their industries."

The complete 2006 CSI/FBI Computer Crime and Security Survey is available for download on the CSI Web site at

About CSI/FBI Annual Survey

Computer Security Institute (CSI) is the world's premier membership association and education provider serving the information security community. For 33 years CSI has helped thousands of security professionals protect their organizations' valuable information assets through conferences, seminars, publications and membership benefits. CSI offers the survey results as a public service.

The team at CSI collaborates with an academic team from the Robert H. Smith School of Business at the University of Maryland. The three-person team, led by Lawrence A. Gordon, Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance, specializes in research on the economics of information security.

The participation of the FBI's San Francisco Computer Intrusion Squad office has been invaluable. Over the years, the squad has provided input into the development of the survey and acted as our partners in the effort to encourage response. CSI has no contractual or financial relationship with the FBI. The survey is simply an outreach and education effort on the part of both organizations. CSI funds the project and is solely responsible for the results.

About CSI

Computer Security Institute (CSI) is the world's leading membership organization specifically dedicated to serving and training the information, computer and network security professional. Since 1974, CSI has been providing education and aggressively advocating the critical importance of protecting information assets.

CSI sponsors two conference and exhibitions each year; CSI NetSec in June and the CSI Annual Computer Security Conference and Exhibition in November. A full schedule of training classes is offered on encryption, intrusion management, Internet, firewalls, awareness, Windows and more.

CSI membership benefits include the ALERT newsletter, quarterly Journal, discounts on CSI conferences and training, and SecurCompass, an automated, standards-based security program assessment tool. For more information about CSI, email or telephone 415.947.6320.

  Press Contacts:
   Jennifer Cincu                        Robert Richardson
   Articulate Communications Inc.        Computer Security Institute
   212.255.0080, ext. 33                 610.604.4604     

SOURCE: CMP Technology

CONTACT: Jennifer Cincu of Articulate Communications Inc.,
+1-212-255-0080, ext. 33,; or Robert Richardson of
Computer Security Institute, +1-610-604-4604,

Web site:

Company News On-Call: