According to the study, "Network attacks: Analysis of Department of Justice Prosecutions 1999-2006," 84 percent of attacks could have been prevented if organizations had identified the PC the hacker was using, in addition to user IDs and passwords.
The study was conducted by Trusted Strategies and commissioned by Phoenix Technologies, a Milpitas, Calif., firm.
Although the average cost of an attack was set at more than $3 million and individual attacks cost as much as $10 million, firms suffered the most financial damage, more than $1.5 million per occurrence, when attackers used IDs and passwords.
The higher up the corporate pecking order that hackers aimed, the more money they made, said the study, which reported the highest losses when hackers obtained privileged user or administrator accounts.
Dirck Schou, a researcher with Phoenix Technologies, said he was surprised at the amount of financial resources stolen.
"I would say the only thing that surprised us was the level of unauthorized computer access and how much damage was really being done by the use of unsanctioned computers," he said. "I'm just surprised at the numbers, not what's going on."
Hackers are most often using their home PCs as the staging ground for attacks, according to the study, with 78 percent of computer crimes being conducted from home.
Correspondingly, corporate outsiders make up the bulk of attackers, accounting for 79 percent of crimes where log-on accounts were penetrated. More than half (57 percent) of attackers were not personally connected to their victims.
Robert Rodriguez, principal of Rodriguez and Associates and a retired assistant special agent in charge for the U.S. Secret Service's Northern District of California, said today that he does not expect insider threats to grow at the same rate as those from the outside.
"I think the proliferation and the sophistication of outside attacks are going to continue to mount," he said. "I think with the insider threats, I don't think it'll grow as much or as fast, because executives are being diligent in their education in teaching their employees about security risks."