Companies working to harden their security have found that the efforts have resulted in fewer incidents of unauthorized computer use and a decline in damages from security incidents, a computer security group said in a report released Thursday.
The Computer Security Institute's survey of security professionals at nearly 500 companies found that damages related to cyberattacks declined, reaching about $290,000 per company versus $400,000 per company a year ago. The report, conducted in cooperation with the FBI, also said respondents thought denial-of-service attacks outpaced intellectual property theft as the most costly type of information threat. Such a shift may indicate that companies are shoring up internal-network defenses, said Robert Richardson, editorial director for CSI and an author of the report.
"If you get more effective in protecting what is inside your networks, then (attackers) have to resort to other things," he said. "One thing you can resort to is denial-of-service attacks."
Unlike thefts, which require an attacker to break into a system, DoS attacks typically involve an online miscreant sending a flood of data to a Web site to prevent others from accessing the site. This is the first time DoS attacks have topped the list of threats.
The survey, which measures responses mainly from information technology managers who work for companies that are CSI members, is considered an indicator of general trends but not a reliable measure of specific detail, said Richardson.
"You have to be careful in general of results of this kind," he said. "It highlights a lot of interesting things, but it also raises questions that can't be answered by the data."
Most companies kept security functions inside the company, with only 12 percent of those surveyed indicating they outsourced more than 20 percent of security procedures.
Larger companies typically benefited from economies of scale and paid less per employee for security, the survey found.
Companies with annual sales of more than $1 billion typically paid a little more than $100 per worker on security, while companies with revenue of less than $10 million spent an average of $500 per worker.
The survey also indicated that more companies are interested in computer security because of new government regulations. The financial, utility and telecommunications sectors believe that the Sarbanes-Oxley Act, which requires a company's executives to be accountable for their financial statements, has resulted in management focusing on information security, Richardson said.
This is the first year that the survey asked companies about the effect of the law.