Information security solutions are getting more and more sophisticated, even as attackers continue to send out the same old viruses and worms. So why are breaches of enterprises’ IT systems still such a problem? The answer is simple: human error. According to CompTIA’s fourth-annual IT Security in the Workforce survey, almost 60 percent of successful attacks on respondents’ organizations during the past year could be attributed to gaffes by end users.
This is actually nothing new, said Brian McCarthy, CompTIA’s chief operating officer. While security techniques have appreciably improved over the past few years, end user awareness of cyber threats has hardly budged. “There’s been no progress,” he said. “There’s been progress over the past three years in addressing technology-related topics like authentication. In 2003, user-authentication practices were a security issue for roughly 45 percent of the constituency we surveyed. By 2005, it had become 25 percent. But lack of user awareness over those three years was 62.5 percent in 2003, and it’s 58 percent in 2005.
“Security as an issue has been around now for about three-plus years—really, post Sept. 11th,” he added. “As we’ve gotten better at it, there’s really been a tendency not to focus on it holistically as much anymore. Now we’re being asked to focus on CRM solutions, ERP solutions or something that creates greater efficiency for the company. As IT departments are being challenged to do more with less, one thing that’s not happening is the IT security issue moving from the IT department to the overall corporate culture.”
That’s precisely the problem, McCarthy explained. Information security is no longer just an IT matter. Really, IT security pros have done everything they’ve been asked to do and then some. The issue is now one of educating end users on security principles so they don’t make these mistakes in the first place. This should be included in employee orientation programs, which rests squarely on the shoulders of the human resources department.
“How often is IT security discussed as part of the orientation process? Fairly rarely, as a general rule,” he said. “As we think about mobility—IT departments supporting more mobile employees—the probability of vulnerability to IT security breaches increases. The reliance upon the individual doing the right thing is greater, yet our data is showing us that consistently over the past three years, the primary cause of the last security breach (respondents) had is human error. When we ask if they’re doing any training and/or certification—separating those two issues out, the majority of respondents say they are not.”
About 58 percent of survey participants don’t require security training for all employees—interestingly, this is roughly the same number that reported an end-user-related breach. Additionally, 85 percent of them do not demand that their IT pros hold security certifications of any kind, and only 29 percent require any IT security training at all for new IT hires. These training and development initiatives need a champion within organizations, and no one is better equipped to address this than CIOs. “We talk about how the CIO has gotten a seat at the C-level executive table, so to speak,” McCarthy explained. “They’re more integrated in discussions about being a part of business solutions, not just IT solutions, because IT is becoming much more pervasive in organizations.”
McCarthy compared end users’ lack of awareness to a driver who doesn’t know anything about cars before getting behind the wheel. “Think about the automotive industry and the leaps and bounds it’s made vis-à-vis providing a safer vehicle through ABS braking, airbags, active suspension, steering. Everything has become much more safety conscious. But if you still have the same idiot behind the wheel who hasn’t been trained to properly drive a car, it’s all for naught. As we continue to look at technology solutions, they’re an integral part of IT strategy, but if you don’t have somebody who’s trained minimally on what and what not to avoid, you’re going to have problems.”
For more information, see http://www.comptia.org.