And the financial toll is mounting, according to a survey by the Computer Security Institute with the participation of the FBI Computer Intrusion Squad.
Eighty-nine percent of respondents said their companies have firewalls, and 60 percent have intrusion detection systems. However, 40 percent also reported system penetration from the outside.
Ninety percent said they use anti-virus software, but 85 percent were hit by viruses and worms.
Among other findings:
* 90 percent had detected computer security breaches within the last 12 months.
* 80 percent acknowledged financial losses due to breaches.
* 74 percent cited Internet connections as a frequent point of attack.
* 78 percent detected employee abuse of Internet access privileges.
Malicious code attacks are the most common incidents reported. Financial losses due to viruses were estimated at $75,746 per organization. Computer Economics estimated that the worldwide impact of the Code Red virus alone was $2.62 billion.
Theft of proprietary information and financial fraud account for about two-thirds of the financial losses reported by respondents. The steady rise of security threats and occurrences is due to an increased awareness that information translates into market differentiation, competitive positioning and revenue.
In 2002, 20 percent of respondents acknowledged theft of proprietary information. While theft is an obvious issue, it's the financial losses that continue to soar.
Not all security breaches are criminal in nature. Nevertheless, they can be costly due to lost productivity. Employee abuse of Internet privileges -- downloading unauthorized software or inappropriate material, or misuse of e-mail systems -- costs businesses service and support dollars.
Many businesses are investing in Internet filtering and monitoring technologies and are seeing payoffs in increased productivity.
Key steps to mitigate the risk
* Get a third party audit of your systems.
Often businesses are so close to the key issues and developments that they lack the time and objectivity to step back and explore potential risks. Like auditors reviewing your accounting practices and procedures, having an independent review of your systems often provides valuable insight.
* Apply business processes and policies to proactively update infrastructure.
Businesses spend about a third of their time on hardware maintenance and repair, draining resources from critical services such as backup, security, and asset management. Whether internally or externally serviced, businesses need to ensure they are updating software and patches as a routine activity.
* Build scalable and standardized architectures.
In an economically challenged environment, businesses investing in additional technology need to ensure there is standardization. A multivendor environment adds approximately 25 percent additional cost in administration alone.
Plus, the time required to ensure patches and fixes are implemented across a mixed environment creates increased opportunity for unnecessary exposure.
As information technology becomes more strategic and integrated into the fabric of business, the speed and complexity with which it is implemented often result in a lack of security built into the system's architecture and process controls. Fraud, financial loss, viruses and Net abuse will only increase, and the financial impact will continue to grow dramatically unless security is taken seriously.
Don't underestimate personnel or unauthorized system users. It only takes one occurrence to cost your business thousands, if not millions, of dollars.
How sustainable would your business be following a $1 million exposure?
Mark Wilson (email@example.com) is vice president of operations at PC On Call. PC On Call focuses on small and mid-sized businesses, first understanding your business goals and objectives, then aligning technology to reduce costs, increase productivity and provide competitive agility. Download a free security white paper from www.pconcall.com. Reach Wilson at (888) 726-6255, ext. 2124.