Man still the weakest link
Human error was responsible for nearly 60 percent of information security breaches last year, a new study has found.
According to the fourth annual CompTIA (Computing Technology Industry Association) study on information security and the workforce, released Tuesday, this figure is significantly higher than the number in 2004, when 47 percent of security breaches were blamed on human error alone
Despite the prominent role that human behavior plays in information security breaches, just 29 percent of the 574 organizations worldwide that participated in the survey said security training is a must for employees. Only 36 percent of organizations offer security awareness training, the study found.
"The primary cause of security breaches--human error--is not being adequately addressed," Brian McCarthy, chief operating officer of CompTIA, said in a statement. "The person behind the PC continues to be the primary area where weaknesses are exposed."
CompTIA also noted that in the last several years, organizations have equipped themselves with sophisticated security infrastructure that better detect and prevent attacks.
The study found that 96 percent of respondents use antivirus software while 91 percent have firewalls and proxy servers, in addition to disaster recovery plans, intrusion detection systems and information security policies.
McCarthy said: "As we get better from a technology standpoint, many organizations seem to believe that technology solutions alone are sufficient to turn back all attacks, and a level of complacency may be setting in."
"The fact remains that no technology on its own can be completely successful, without an equally strong commitment to information security awareness and training throughout every level of the organization," he said.
Pesky viruses, worms
The CompTia security study, over the four years it has run, also indicates that virus and worm attacks are a common security concern among respondents. The lack of user awareness, browser-based attacks and remote access, were the next most frequently mentioned security problems.
About 40 percent of organizations that participated in the latest survey said they had experienced at least one security attack in the past year. The most severe security breaches were reported by large organizations, with 7,000 or more employees, and educational institutions.
According to estimates from respondents, the average loss--among survey participants--as a result of the most recent security breach was over US$11,000 and just under US$35,000 for all breaches over the last year. Some organizations also reported a financial loss of above US$50,000 as a result of security breaches.