The weakest link in the security chain? You

"The person behind the PC" continues to be the problem

By Aaron Tan, 12 April 2006 08:20


Human error was responsible for nearly 60 per cent of information security breaches last year, a new study has found.

According to the fourth annual CompTIA (Computing Technology Industry Association) study on information security and the workforce, released on Tuesday, this figure is significantly higher than the number in 2004, when 47 per cent of security breaches were blamed on human error alone.

Despite the prominent role that human behaviour plays in information security breaches, just 29 per cent of the 574 organisations worldwide that participated in the survey said security training is a must for employees. Only 36 per cent of organisations offer security awareness training, the study found.

"The primary cause of security breaches - human error - is not being adequately addressed," Brian McCarthy, chief operating officer of CompTIA, said in a statement. "The person behind the PC continues to be the primary area where weaknesses are exposed."

CompTIA also noted that over the last several years, organisations have equipped themselves with sophisticated security infrastructure that better detects and prevents attacks.

The study found that 96 per cent of respondents use antivirus software while 91 per cent have firewalls and proxy servers, in addition to disaster recovery plans, intrusion detection systems and information security policies.

McCarthy said: "As we get better from a technology standpoint, many organisations seem to believe that technology solutions alone are sufficient to turn back all attacks, and a level of complacency may be setting in."

The CompTIA security study, over the four years it has run, also indicates that virus and worm attacks are a common security concern among respondents. Lack of user awareness, browser-based attacks and remote access were the next most frequently mentioned security problems.

Aaron Tan writes for ZDNet Asia.

Comments

There are 5 comments.

  1. anonymous

    The fact that the human factor is now the cause in a higher percentage of security breaches is a positive sign that the industry has been successful with its technical advances. As Mr. McCarthy indicates, most organizations don't have an understanding of the importance of the human factor. I recently saw a report by Tim Autrey that described why it is critical to have the right process in place to combat human error in the workplace. You can retrieve the report from http://www.hufactor.com/library/reports/the_Hu_Factor.pdf
    Though human error is now seen as a significant contributor to network security costs, I suspect that is actually a relatively small part of the entire financial burden induced by human error each year.

  2. NoticeBored

    ... so why do organisations continue spending such vast amounts on security technologies and so little on security awareness, training and education? There seems to be an enormous blind spot to the commercial value of posters, presentations, briefings and intranet materials. What use is the latest whizz-bang firewall if the network administrators do not understand how to configure it correctly? Or if the users install wireless access points under their desks, and managers just leave 'all that technology stuff' to the geeks?

  3. Simon Allen

    "so why do organisations continue spending such vast amounts ..." Because it is easier!!

    Recruiting high quality staff, training them well, keeping them motivated to look out for threats and so on takes more money and cannot be put on the balance sheet. You can more easily tell the Owner/Board about the new black box with its flashing lights.

    MORE importantly, the above mentioned human factors require VERY good management - something that most managers lack!

  4. Simon

    No surprise to me, my experience of small/medium business is that 'management' will label security as 'an IT issue' and so pass the buck to the (already overworked) IT dept. Any security measures the IT dept then try to apply are then seen as 'getting in the way' of things.

    The other factor is that in many cases, things like this only come up at Audit time. The auditors don't ask "what security measures do you have and why?", they seem to come in with their "one size fits all" list of security measures they expect to see - and management simply dictate that they be implemented so they can 'tick the boxes'.

  5. anonymous

    Security breaches must be a good thing as they create work for people who have to sort it all out. If everything ran smoothly, in some kind of brave new world that governments and corporations dream of, what would we IT security consultants get up to?
    I remember back in the '80s watching Tomorrow's World on the BBC and the predictions were all about endless leisure time.
    The secret is, get rid of your technology and you'll be amazed at how much you get done, and the extra amount of leisure time you'd have.
    I for one wouldn't be writing this drivel during what should be the start of the Easter Bank Holiday.
