Lack of Security Policies, Training for Non-IT Staff Contribute to a Large Number of Security Problems

"To be truly effective in preventing and combating security threats, organizations need to take further steps by spreading security awareness and knowledge from a select group of IT staff to larger portions of their employee base"

There is a large discrepancy between the information technology (IT) security that organizations say they need and the level of education and prevention occurring within these organizations, according to findings of a new study released today by the Computing Technology Industry Association (CompTIA).

The third annual CompTIA Study on IT Security and the Workforce found that nearly 40 percent of organizations experienced a major IT security breach - defined as one that causes real harm, results in the loss of confidential information or interrupts business - within the last six months. The number of serious IT security breaches remained consistent between 2002 and 2004.

Human error, either alone or in combination with a technical malfunction, was blamed for four out of every five IT security breaches (79.3 percent), the study found. That figure is not statistically different from last year.(1)

"Security assurance continues to depend on human actions and knowledge as much, if not more so, than it does on technological advances," said Brian McCarthy, chief operating officer, CompTIA. "Organizations are relying on the Internet more than ever before, making the storage and housing of personal account information and proprietary data even more vulnerable to identity theft and data corruption. This is especially true for large organizations with multiple points of vulnerability and thousands of employees."

Yet even with heightened awareness of the threat IT security breaches pose to business operations and financial performance, the CompTIA study found that organizations may not be taking all the steps necessary to protect themselves.

Organizations are coming up short in their preparedness in the following areas:
  • More than half the organizations surveyed (53 percent) do not have written IT security policies. This figure is unchanged from last year.
  • One-half of the organizations have no plans to implement security awareness training for their employees outside the IT department, nor have they considered it.
  • About two-thirds of organizations (63 percent) have no plans to hire IT security personnel in the next year.

Training and certification requirements are still uncommon for both current employees and new hires. Just 27 percent of organizations require IT security training, and 12 percent require certification.

Yet overwhelmingly (89 percent), organizations believe that major security breaches have been reduced as a result of IT security training and certification. The positive effect of training and certification is most often described in terms of improved potential risk identification, increased awareness, improved security measures and an ability to respond more rapidly to problems.

The lack of written IT security policies at more than half the responding organizations fosters gaps in security knowledge, especially among end-users. Even at organizations with written security policies in place, enforcement of those policies continues to be a problem.

"To be truly effective in preventing and combating security threats, organizations need to take further steps by spreading security awareness and knowledge from a select group of IT staff to larger portions of their employee base," McCarthy said.

Spending on computer security and security training as a percentage of the IT budget remained constant over the past year. Almost one-half of organizations appropriate 5 percent of their IT budget to computer security, while 15 percent of organizations earmark between 20 and 50 percent. About one in ten organizations designate no IT budget to computer security.

CompTIA commissioned TNS Prognostics, a provider of market research and consulting for the IT industry, to conduct the study to identify current IT security practices and highlight security challenges confronted by organizations of varying sizes and sectors. Four hundred and eighty-nine professionals from government, IT, financial and education sectors were surveyed.
