A new report by the Computer Security Institute indicates that the biggest threat to corporate networks isn't computer viruses but insiders. Ars Technica writes:
CSI has been running this survey for over a decade and has seen average losses from security breaches drop every year from 2002 to 2006. Investments in security seemed to be paying off; in 2006, the average breach cost companies an estimated $168,000, way down from five years earlier. But in 2007, the numbers skyrocketed. Each breach this year costs an estimated $350,454 to repair.
Financial fraud and viruses caused most of the monetary losses, but both have fallen in frequency over the last few years. Only 12 percent of all respondents reported financial fraud at their institutions. Viruses, which used to plague 90 percent of all companies in 2001, now affect only 52 percent.
It's internal users who are now causing the greatest number of problems, though they may also cause minimal damage. Hiding porn on an office PC, using unlicensed software, and abusing e-mail all count as security incidents, though all pale in comparison to one successful phishing trip. These sorts of internal incidents can be pesky, though, and 59 percent of all respondents had to deal with them in the last year.