What do cybercriminals love to see when they try to break into an organizations network? A recent survey reveals what vulnerabilities they look to exploit first.

The top security hole hackers look for: poorly configured networks.

That’s the conclusion of a recent survey conducted by Tufin Technologies at Def Con 18, the annual hackers’ convention held last month in Las Vegas.

According to the poll, 73% of data breaches are cause by bad network configurations, which 76% of the hackers in attendance said was the easiest security vulnerability to exploit.

What’s behind all those bad configurations? The main cause: IT staffer’s don’t know what to look for when monitoring and testing their networks, said 58% of the survey’s respondents. Also, many companies don’t have enough time or money for adequate security audits, according to 18% of hackers, and 11% said threats change too fast for many organizations to properly address them.

Another preferred method of gaining network access: having a user or IT staffer within the company as an ally, said 43% of the survey’s respondents.

That finding lines up with those of a recent Verizon survey, which recently published its own study on data breaches. The communications giant found that in 2009, 48% of data breaches involved insiders — that was up from 22% in 2008.

The First Annual Cost of Cyber Crime Study was recently released by security experts at the Ponemon Institute in a commission from security software provided ArcSight.

They interviewed some 45 major companies, and found out that on average, the companies lost some $4.8 million each year. The losses ranged from theft of intellectual property, malicious damage to computer systems and actual financial fraud on the company or its customers.

Most expensive of all are the resources for detection and recovery from attacks, which amount to 46% of all costs according to the survey. This does not account for the opportunity cost lost by assigning top IT minds to playing defense against hackers rather than adding to the resources available to the company.

Other findings:

• It takes 14 days on average to fix a cyber-attack
• Each individual attack has an average cost of over $17,99
• The companies surveyed reported on average 60 successful attacks per week, and
• The appointment of a dedicated expert to detect and fix breaches reduces the duration, severity and cost of such breaches.

Of course, this is all proportional — smaller companies are likely to have smaller losses. On the other hand, they are less likely to be monitoring the problem, and may well be losing money and time in ways they cannot even detect.

In fact, 85% of all stolen data is now being taken by organized crime. That’s the finding of the recently released 2010 Verizon Data Breach Investigations, a report that studied data breaches that took place over six years. The study analyzed 900 cases involving 900 million compromised records.

Other findings of the study:

• The three industries that are the biggest victims of data threat are finance, hospitality and retail
• 39% of the breaches were enabled by use of stolen logins
• 50% of breaches had some involvement from insiders
• 85% of the breaches were not considered very difficult
• Eastern Europe, East Asia and the U.S. were the sources of most of the external data breaches
• Around half of all breaches involved manipulations of user privileges
• 38% of attacks used malware
• 29% used social engineering (tricking users to give away crucial information)

The ITRC, a nonprofit group that traces data breaches and helps its victims, in its 2009 report “Data Breaches: The Insanity Continues” reveals hard-to-get stats on the current state of data breaches.

But as they admit, since there is no national standard for reporting such events, their data consists only of confirmed incidents –- there is little doubt that there are far more unreported breaches.

Among the findings:

1. Businesses account for 41% of the breaches.
2. The lowest rate of breaches is in medicine and financial sectors, due to stricter regulation.
3. Only in 2% of the breaches reported was any serious security measure (such as encryption) in place.
4. Hacking is the leading cause of data breaches for the first time in the survey, at 19%. Insider theft is next at 15%, together making up a higher total than human error.

The biggest worries according to the report: Very little encryption is in use in spite of the pervasiveness of the problem, and there are few enforceable laws that mandate the protection of data and the notification of those whose data has been violated.