$1M in Damages? Impact of Security Breaches Gets Worse

There are fewer security breaches, but they’re getting worse.

That’s the message of a new report from CompTIA , an IT industry association. To respond to the heightened risk, companies are spending more money on security technology. Security rose to 20% of IT budgets in 2006, compared to 15% in 2005 and 12% in 2004, CompTIA says.

The data comes from 1,070 organizations surveyed in February. Organizations represent a range of sizes—from 100 to 10,000 employees—and industries including healthcare, financial services and information technology. Enterprise networks are more complex, the survey found, because most employees now use corporate and Web-based e-mail, instant messaging, peer-to-peer networking and wireless devices. These technologies open companies to many more security risks.

Spyware and employees’ ignorance of security topped the list of concerns, although viruses and worms are also a problem. Viruses were responsible for twice as many attacks in 2006 as in 2005. Worries over handheld devices, voice over IP, and wireless networking have also increased. Only a third of organizations reported a breach in the last 12 months, compared to 58% in 2004. But losses measured in employee productivity, downed servers, legal fees and other costs were more severe. The average cost of a breach per company is now $369,388, CompTIA said, and 32 companies—3% of those surveyed—reported single breaches that had cost them at least $1 million.

Nearly all companies have firewalls and anti-virus software now, but they are adding intrusion detection devices, physical access controls and multifactor authentication Companies have also increased spending on training. Almost half of all companies now make some training for IT staff mandatory, although training for other employees is less common. Less than a third of companies, for example, train people who work remotely. But nearly all who did said they had fewer problems.