Closing the Security Disconnect

The landscape of information security continues to be dynamic. New threats emerge daily in the forms of viruses, worms, phishing, pharming, social engineering, and identity theft.

These threats extend to emerging technologies as well. VoIP telephony networks and municipal Wi-Fi deployments create the potential for increased vulnerabilities and new avenues of attack.

But a sophisticated security infrastructure has emerged over the past several years to deal with these problems. Security software, ever more capable and pervasive, is able to detect attacks that in the past might have gone unnoticed for long periods. Firewalls, proxy-server protection, intrusion-detection systems, and other solutions have similarly advanced in their ability to stem attacks.

Because of these advances, many seem to believe that fully automated security solutions have reached a point where they are able to turn back nearly all attacks. Yet IT managers who believe this are lulling themselves into a sense of complacency that, unless countered, will leave them vulnerable to the twisted innovations hackers are so rightfully notorious for.

Nobody’s Perfect

The fact remains that no software solution or automated response can match the security offered by training and mass awareness of security issues in the workplace. Yet new research from the Computing Technology Industry Association (CompTIA) finds that many organizations have failed to recognize the role the human element plays in securing data, networks and technology infrastructure.

Clearly a disconnect remains between talking the security talk and walking the security walk.

For the past four years CompTIA has undertaken a major study on information security threats and responses. One of the constants found through all four years of the study is that the majority of security breaches are caused by some kind of internal human error.

In this year’s report, set to be released to members the week of March 20, 59% of the 574 organizations surveyed indicated their last security breach was due to human error. This is significantly higher than a year ago, when less than half of the security breaches were blamed on human error alone.

Failure of staff to follow internal security policies and procedures was the most frequently mentioned cause for these human error occurrences.

Perhaps more concerning is that security breaches are not happening in small or isolated numbers. Just over one-third of responding organizations (35%) reported one or more attacks over the last six months, while about 40% indicated there was at least one attack in the past year. The severity levels for these attacks were essentially equal to those returned in the prior year’s study.

As has been the case through all four years of the study, the most commonly mentioned problems are virus and worm attacks. A lack of user awareness and browser-based attacks tied as the second-most prominently mentioned security problem areas. While browser-based attacks may be receding as a top-tier threat, the lack of user awareness has been a prominent issue since the inception of this study.

These findings on the most prevalent threats are largely consistent with respondents assigning the preponderance of blame for security issues to human error. But there is a clear disconnect in the kind of responses that organizations are marshalling to combat these threats.

Antivirus software is nearly universal (95% penetration), and the vast majority of survey respondents have a firewall/proxy server set up (90%) as well. Disaster recovery plans, intrusion detection systems, and written information security policies are also popular measures.

Practice, practice, practice …

Training, however, is not as popular. Just 29% of those surveyed indicated that information security training is a requirement at their company.

End-user security awareness training, as distinct from specialized security training and certification, is obviously an important part of the security continuum, but it still has not been implemented by a majority of organizations. Just 36% of those surveyed indicated that their organization has this kind of training in place. And while 29% indicate their organization will implement it at some point in the future, fully 35% said they have no plans to do so.

When organizations that do not have plans to implement this kind of training were asked why, the most frequent responses were that it is not a priority or that there is no top management support for this kind of initiative.

Despite this, there is a widespread recognition (84% of respondents) that end-user security awareness training has resulted in a reduced number of major security breaches since implementation.

Still, there are limitations. The small amounts of time and money invested in this kind of training apparently telegraph to end users that it is often not an organizational priority. Greater awareness of the real benefits of this training, and of the risks associated with not having it, is needed at the higher end of the corporate hierarchy to overcome this.

Organizational spending on information security solutions, whether products or training, has remained fairly consistent over the four years of this study. Though a substantial portion of respondents (10%) still indicate their organization spends nothing on computer security, spending levels are at five percent of the total technology budget at just under 40% of organizations.

Clearly there is recognition of the importance of information security for organizations across all sectors of the economy, especially in large organizations that have multiple points of vulnerability and thousands of employees. But, even when written security policies are put in place, enforcement continues to be a problem for organizations in every sector.

Thus, security assurance continues to depend on human actions and knowledge as much as, if not more than, it does on technological advances.

Brian McCarthy is the chief operating officer for CompTIA, a trade association representing the business interests of the global IT industry.