Organizations Seen Ignoring Main Culprit in Information Security Breaches

People are the problem, accounting for nearly 60 percent of security issues, new CompTIA research reveals

Oakbrook Terrace, IL — April 14, 2006 — Organizations are doing little to address the most serious threat to their information security and technology infrastructure, according to new research released today by the Computing Technology Industry Association (CompTIA).

Human error was responsible for nearly 60 percent of information security breaches experienced by organizations over the last year, according to the fourth annual CompTIA study on information security and the workforce. That figure is significantly higher than one year ago, when 47 percent of security breaches were blamed on human error alone.

Yet despite the prominent role that human behavior plays in information security breaches, just 29 percent of the 574 organizations that participated in the survey said that security training is a requirement at their company. Only 36 percent of organizations offer end-user security awareness training.

"The primary cause of security breaches — human error — is not being adequately addressed," said Brian McCarthy, chief operating officer at CompTIA. "The person behind the PC continues to be the primary area where weaknesses are exposed."

Over the past several years a sophisticated security infrastructure has emerged that is better able to detect and prevent attacks. The CompTIA study found that antivirus software is nearly universal (96 percent penetration), and the vast majority of organizations utilize firewalls and proxy servers (91 percent). Disaster recovery plans, intrusion detection systems and written information security policies are also popular measures.

"As we get better from a technology standpoint, many organizations seem to believe that technology solutions alone are sufficient to turn back all attacks, and a level of complacency may be setting in," McCarthy said. "The fact remains that no technology on its own can be completely successful without an equally strong commitment to information security awareness and training throughout every level of the organization."

For its part, CompTIA offers its CompTIA Security+™ certification, a foundation-level, vendor-neutral professional certification for network security practitioners who have two years' experience and daily "hands-on" responsibility for information security. The certification was developed with the involvement of some 1,100 experts around the world with first-hand experience in IT security implementation.

Virus, Worm Attacks Still Prevalent

Virus and worm attacks were the most commonly mentioned security problem, as they have been through all four years of the CompTIA study on information security. A lack of user awareness, browser-based attacks and remote access were the next most frequently mentioned security problem areas.

About 40 percent of organizations participating in the survey said they had experienced at least one security attack in the past year. The most severe security breaches were reported by large organizations (7,000 or more employees) and educational institutions.

The financial impact of information security issues was vividly illustrated when survey respondents were asked to place a dollar value on the cost of their last security breach. The mean values were over $11,000 for the last security breach and just under $35,000 for breaches over the last year. Some organizations reported a financial impact above $50,000 for security breaches, showing that while a "garden variety" breach may be little more than an inconvenience, the potential for serious harm is always present.

CompTIA commissioned TNS Prognostics, a market research and consulting firm for the IT industry, to conduct the study to identify current IT security practices and highlight security challenges confronted by organizations of varying sizes and sectors. More information on the study is available at the CompTIA Web site.
