Cyber attacks cost large enterprises an average of £1.4m a year, according to the Symantec 2010 State of Enterprise Security study.

Every one of more than 2,000 enterprises polled in 27 countries experienced losses related to cyber attacks in 2009.

These losses translated into monetary costs in 92% of cases and included the theft of intellectual property and customer credit card information.

It is unusual to get a 100% response and the mounting financial losses may help to push IT security up the board agenda, said Mike Jones, security specialist at Symantec.

But with continuing financial constraints, these significant costs are more likely to heap pressure on IT security professions to do more with less, he said.

"We are already seeing businesses reviewing their security tools to get the maximum protection at the lowest cost," said Jones.

This trend of consolidating security tools to get the most value out of investments by ensuring there are no overlaps as well as no gaps, is likely to continue, he said.

Increased awareness of the effects of cyber attacks is shown by the fact that 42% of enterprises polled rated cyber risk as their top concern.

Three-quarters of respondents said they had been targeted by a cyber attack in the past year, 36% said the attacks were somewhat or highly effective, and 29% said the volume of attacks had increased.

Consequently, enterprise IT departments are assigning 120 staff on average to security and compliance, with 84% rating better IT risk management as a top goal for 2010.

But enterprises report that understaffing is one of the biggest challenges to ensuring IT security.

New business initiatives using cloud-based services and virtualisation of servers and desktops are the second biggest challenge to achieving IT security, respondents said.

Most organisations ranked IT compliance as the third biggest challenge, with most enterprises using eight separate IT standards or frameworks and exploring up to 11 more.

Organisations must develop and enforce IT policies and automate their compliance processes as a key element to meeting current challenges, the Symantec report said.

The report also recommends that IT administrators take an information-centric approach to protect both information and interactions.

"It is important the more businesses start to view IT security not as a cost of doing business, but as a requirement for enabling new business opportunities," said Jones.