7 cyber crime facts executives need to know

12.01.2011

This report indicates that the average annualized cost of cyber crime varies by industry segment: defense, energy and financial services companies experience higher costs than organizations in retail, services and education. Nonetheless, every vertical is being adversely affected, and with increasing frequency.

Over the last 5 years, an increasing number of business disaster declarations have not been the result of Acts of God. Rather, they are the result of companies' intentional embrace (passive or not) of risk they clearly should not have accepted. Insurance companies are noticing. They are increasingly seeking further proof of due care and due diligence before issuing policies and before paying claims. The government is taking notice too!

There is active discussion that the Federal government may soon weigh in further on private sector risk management, especially as it relates to IT. The premise is that IT is now widely considered part of the mission-critical infrastructure of the modern interconnected economy, and that voluntary adherence by non-governmental entities to generally accepted risk management practices is woefully insufficient. Among the candidates being discussed as a new MINIMUM "due care" standard for all businesses (above a certain size or revenue volume) are more rigorous security frameworks, such as PCI-DSS.

So, the next time your company weighs its budget, you ought to at least encourage your IT department to consider earmarking additional funds for, at a minimum, a thorough enterprise-wide security assessment. For relatively little expense, existing personnel can be trained and even certified to perform thorough assessments. There is a caveat, however: existing internal staff are frequently somewhat jaded and less objective than unbiased, independent third parties.

Ideally, a company should perform regular internal assessments with the aim of collecting and analyzing the results within the organization. The next step is to retain a qualified outside entity to perform another assessment of similar scope, so that the two can be compared and an accurate picture established. The outside entity can also offer independent expertise on prioritizing risk management and IT security investment. This way, your organization will know more accurately where it stands and how it needs to invest, so that your company does not imprudently risk making the wrong kinds of headlines and/or adding to the nation's vulnerabilities.