The NCSS documents the nature, prevalence and impact of cybercrimes against businesses in the United States. Survey respondents represented 7,818 businesses out of the 7.3 million businesses identified nationwide in 2005. Of businesses reporting the number of incidents, 43 percent detected 10 or more cyber attacks, theft or other security incidents during the year. Computer viruses were about 7 percent of the incidents and cyber thefts were less than 1 percent. Other computer security incidents (92 percent) - primarily spyware, adware, phishing, and spoofing - were the most common.
The effects of these crimes were measured in terms of monetary loss and system downtime. Ninety percent of the businesses providing information sustained monetary loss. Cyber thefts accounted for more than half of the loss and cyber attacks for about a third. Approximately 68 percent of victims of cyber theft sustained monetary loss of $10,000 or more. By comparison, 34 percent of victims of cyber attacks lost $10,000 or more.
System downtime affected 89 percent of businesses that provided downtime information. Sixty percent of system downtime was caused by computer viruses, 8 percent by denial of service, vandalism or sabotage, and 32 percent by other computer security incidents. System downtime lasted longer than 24 hours for about a third of victimized businesses.
Among survey respondents, businesses with the highest prevalence of cybercrime in 2005 included telecommunication businesses (82 percent of such businesses), computer system design businesses (79 percent) and manufacturers of durable goods (75 percent).
Nearly 75 percent of businesses victimized by cyber theft said that insiders - such as employees, contractors or vendors working for the
business - were responsible for the crime. More than 70 percent of businesses victimized by cyber attacks or other computer security incidents said the suspected offenders were outsiders (hackers, competitors, and other non-employees).
Overall, 15 percent of victimized businesses said they reported cybercrimes to law enforcement authorities. Six percent of businesses detecting cyber attacks reported the incidents to authorities, compared to more than 50 percent of businesses detecting cyber thefts.