The average severity of security breaches has doubled, according to a new study, even though the number of actual reported break-ins is down.

The Computing Technology Industry Association (CompTIA) study, based on data collected from more than 1,000 IT professionals, revealed that 34 percent of organisations reported a major security breach in 2006, down from 38 percent in 2005 and 58 percent in 2004.

But respondents rated the average severity of breaches as 4.8 (with 10 being most severe), up from between 2.3 and 2.6 in previous years. That might not be surprising given the number of headline-grabbing breaches, such as the TJX breach in which tens of millions of credit and debit card numbers were stolen.

IT professionals reported increasing their spending on security technology, training and certifications. The amount of their IT budgets dedicated to security totalled 20 percent in 2006, an increase from 15 percent in 2005 and 12 percent in 2004. More than two-thirds (68 percent) of organisations allocate at least some portion of their IT budget to training or certification, an increase from 55 percent the year before. Security training or certification accounted for 12 percent of the total budget, compared with 8 percent in 2005. And 78 percent of those surveyed said management now considers information security a top priority.

“We are making real progress at reducing the number of breaches, but the threats are becoming more sophisticated,” says Brian McCarthy, COO of CompTIA.

More than half (55 percent) of IT professionals surveyed reported spyware as a top security concern, followed by lack of user awareness for 54 percent. Nearly half said virus and worms continue to pose a threat, while about 44 percent cited abuse by authorised users as a key security challenge.

Human error was reported as the cause of a security breach by 42 percent of organisations, compared with 59 percent in 2005. Other security challenges include browser-based attacks (41 percent), remote access (40 percent), wireless networking security (39 percent) and lack of enforcement of security policy (36 percent).

“Compared to last year, more than half of all organisations report that security threats associated with the use of handheld devices, spyware, voice over IP, wireless networking and remote/mobile access have increased significantly over the previous 12 months,” the report reads.

CompTIA says security policies and training can help prevent organisations from falling victim to attacks. Of those polled, 62 percent said their organisation has written IT security policies in place, compared with 47 percent two years ago. Of those who have written security policy, 81 percent said the policy is specific to information on how to secure remote and mobile employees.

The average cost of a security breach in 2006 was $369,388. CompTIA estimates the average costs savings of providing IT security training to staff could be $352,000. CompTIA also estimates IT organisations can save $656,000 by having IT employees with security certifications.