[ISN] Study: Human error causes most security breaches

From: InfoSec News (isnat_private)
Date: Tue Mar 18 2003 - 23:04:07 PST

  • Next message: InfoSec News: "Re: [ISN] LapLink says hackers left key clue"

    http://www.computerworld.com/securitytopics/security/story/0,10801,79485,00.html
    
    By Grant Gross
    IDG News Service
    MARCH 18, 2003
    
    Human error, not technology, is the most significant cause of IT
    security breaches, according to a security survey released by the
    Computing Technology Industry Association Inc. (CompTIA) today.
    
    The survey, "Committing to Security: A CompTIA Analysis of IT Security
    and the Workforce," suggests more training and certification of IT
    workers will help the U.S. protect itself against cyberthreats. In
    more than 63% of security breaches identified by the survey's
    respondents, human error was the major cause. Respondents blamed only
    8% of security breaches on purely technical failures.
    
    Brian McCarthy, CompTIA's CEO, called the results "staggering" in a
    statement. He said a majority of survey respondents said that most of
    their IT workers didn't have security training.
    
    "It's not about the technology, but it's all about the people,"  
    McCarthy said at a news conference. "Yes, technology plays a critical
    role, but unless you have the right people behind the wheel, and their
    knowledge levels are correct, you'll have some real challenges."
    
    CompTIA, an Oakbrook Terrace, Ill.-based trade association that offers
    technology certifications, said the survey's results show the need for
    more security training and certification. The results of the survey,
    which was conducted by NFO Prognostics, of 638 respondents from the
    public and private sectors, included the following:
    
    * 31% had experienced from one to three major security breaches,
      causing real harm, in the past six months. Another 4% of respondents
      said they had between four and nine major security breaches in the
      previous six months, and another 3% said they had 10 or more major
      security breaches in the past six months.
    
    * 22% said none of their IT employees have received security-related
      training, 69% have fewer than 25% of their IT staffs trained in
      security, and only 11% said all of their IT employees have security
      training.
    
    * 96% would recommend security training for their IT staff.
    
    * 73% would recommend more comprehensive security certifications for
      their IT staff.
    
    * 66% believe that staff training or certification has improved their
      IT security through increased awareness and proactive risk
      identification.
    
    "Frankly, we're surprised no one's picked up on this before," McCarthy
    said in the statement. "The connection between having more IT security
    training and making our IT networks more secure seems so obvious, yet
    it's been largely overlooked. It's just common sense."
    
    Robert Kramer, vice president of global public policy at CompTIA, said
    that more than 90% of the organizations responding said they use
    antivirus technologies and firewalls/proxy servers, but only 19%
    required previous security experience for their IT workers and 23%
    required security training. "Although the problem is something that
    focuses on human error, the solutions you would expect are not
    forthcoming," Kramer added.
    
    The survey also showed that 17% of organizations responding took no
    measures to monitor their general security performance over time.  
    Sixty percent had some kind of security awareness program in place,
    and 53% employed security audits or penetration testing.
    
    Seventy-five percent of respondents spent 10% or less of their IT
    budgets on security, including 12% of respondents who spent nothing,
    and 77% said their organizations spent less than 5% of their IT
    security budgets on training or certification.
    
    "There's an intent to measure improvements, but there are no metrics
    attached to that intent," said Kramer, citing the need for
    certification.
    
    Donald "Andy" Purdy, a senior adviser with the White House's
    cybersecurity staff, said the CompTIA study presents some
    opportunities for the U.S. to improve cybersecurity. "Certification
    and training of IT professionals is a critical linchpin in making our
    nation more secure," he said at the CompTIA news conference.
    
    The survey of government, IT, finance and other industries was
    conducted during the fourth quarter of 2002.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 01:27:26 PST