Large US organisations are losing an average of 2.2 per cent of their annual revenue, or more than $30m, to security attacks, research published today has revealed.

Analyst firm Infonetics Research found in a study on network downtime caused by security attacks that small and medium-sized organisations lose about half a per cent of annual revenue to security attacks, which can run into the hundreds of thousands of dollars.

Infonetics' Costs of Network Security Attacks: North America 2007 report shows that more than half of downtime costs are due to service degradation for small, medium and large organisations.

The report added that much of this is "hidden downtime" since degradations often go unreported.

"We suspect that if small and medium organisations had the right tools, staff and processes in place to more accurately track their downtime, the percentage of total revenue it represented would be significantly higher than our study indicates, although still not as high as among large organisations," said Jeff Wilson, principal analyst at Infonetics.

"There are targeted security solutions available for organisations of every size and, once they see just how much money they are losing due to security attack downtime, they would be more interested in making special investments to stop it."

The research found that medium-sized organisations are most vexed by client malware, while large organisations are plagued more by denial of service attacks and server malware.

Small organisations are affected fairly evenly by all three sources of attack.

Small and medium-sized organisations have "major problems" with spyware, which represents a staggering 40 per cent of all security downtime costs with these companies.

The research was based on interviews with senior IT professionals at 240 small (20 to 100 employees), medium (101 to 1,000 employees), and large (over 1,000) companies in North America.