Human Error at Center of Most IT Security Breaches

http://www.securitymanager.net/magazine/article_448_human_error_it_security.html

CompTIA Survey Finds; Number of Reported Incidents Grows, but Impact Mitigated by Better Training, Certification
Human error continues to be the primary cause of information technology (IT) security breaches, but better training and preparation are enabling organizations to limit their impact on operations, according to the second annual survey on IT security and the workforce released today by CompTIA, the Computing Technology Industry Association.
Even with higher awareness of IT security threats, more emphasis on security practices and procedures, and more spending on preventive measures, 84 percent of the nearly 900 organizations that participated in this year's survey blamed human error either wholly or in part for their last major security breach. Last year, human error was cited as the cause of 63 percent of security breaches.
"The findings underscore the fact that security and human capital, more so than security and technology, should be given the highest priority by all organizations," said John Venator, president and chief executive officer, CompTIA. "Human knowledge and action are critical to making networks and IT infrastructure secure. And while awareness of the threat posed by IT security breaches has increased dramatically, many organizations have been slow to make the appropriate investments in time and budget to properly address these threats."
Nearly six in ten organizations (58 percent) said they have experienced at least one major IT security breach - defined as one that caused real harm, resulted in the loss of confidential information or interrupted business operations - in the last six months. That's up significantly from a year ago when 38 percent of organizations reported at least one major IT security breach.
At the same time, the nearly 900 organizations that participated in this year's survey categorized the severity level of recent security breaches as "minimally severe," lower than a year ago.
Further, organizations said training and certification significantly improved their security. Organizations with one-quarter or more of their IT staff trained in security are less likely (46.3 percent) to have had a departmental security breach than those with less than one-quarter of their IT staff trained in security (66.0 percent).
Among those who have invested in staff security training, 80 percent feel that their security has improved. Seventy percent of those who have invested in certification feel the same way. The positive effects of training and certification are seen in improved potential risk identification, increased awareness, improved security measures, and an ability to respond more rapidly to problems.
Written IT Security Policies Still Lacking
Only a slight majority of organizations (51 percent) have a written IT policy in place. Just over half (56.5 percent) have a disaster recovery plan in place. IT security policies are more common in the financial services industry (62 percent), government (58 percent) and education (41 percent) sectors. IT organizations are the least likely industry sector to have a security policy in place - only 35 percent do, according to the survey.
Also, the larger the organization, the more common it is for an IT security policy to be in place. Organizations with 7,000 or more employees are most likely to have an IT security policy in place (75 percent). Only 34 percent of small organizations (up to 49 employees) have an IT security policy in place.
Those organizations with written policies are reviewing and updating them more frequently. Forty-four percent of organizations said they conduct reviews two or more times per year, and 38 percent update their policies two or more times per year. Last year the comparable numbers were 37 percent and 34 percent.
Published: 05/2004
Author: CompTIA
CompTIA is a global trade association representing the business interests of the information technology industry.