Human error, not technology, is the most significant
cause of IT security breaches, according to a security survey
released by the Computing Technology Industry Association in the
US.
The survey, "Committing to Security: A CompTIA Analysis of IT
Security and the Workforce", suggested more training and
certification of IT workers would help the US protect itself
against cyber threats.
In more than 63% of security breaches identified by respondents,
human error was the major cause. Only 8% were purely technical
failures.
Brian McCarthy, CompTIA’s chief operating officer, called the
results "staggering". He noted that many survey respondents said
that most of their IT workers had no security training.
"It's not about the technology, but it's all about the people,"
McCarthy said at a press conference Tuesday. "Yes, technology plays
a critical role, but unless you have the right people behind the
wheel, and their knowledge levels are correct, you'll have some
real challenges."
CompTIA, a trade association offering technology certifications,
said the survey's results showed the need for more security
training and certification.
Among the results of the survey, conducted by NFO Prognostics,
of 638 respondents from the public and private sectors:
- 31% had experienced from one to three major security breaches,
causing real harm, in the last six months. Another 4% said they had
between four and nine major security breaches in the previous six
months, and another 3% said they had 10 or more major security
breaches in six months.
- 22% said none of their IT employees have received
security-related training; 69% have fewer than 25% of their IT
staff trained in security ; and only 11% said all of their IT
employees have security training.
- 96% would recommend security training for their IT staff.
- 73% would recommend more comprehensive security certifications
for their IT staff.
- 66% believe that staff training or certification have improved
their IT security, through increased awareness and risk
identification.
"Frankly, we’re surprised no one's picked up on this before,"
McCarthy said. "The connection between having more IT security
training and making our IT networks more secure seems so obvious,
yet it’s been largely overlooked. It’s just common sense."
Robert Kramer, vice president of global public policy for
CompTIA, noted that more than 90% of the organisations responding
said they use antivirus technologies and firewalls/proxy servers,
but only 19% required previous security experience for their IT
workers and 23% required security training.
"Although the problem is something that focuses on human error,
the solutions you would expect are not forthcoming," Kramer
added.
The survey also showed that 17% of organisations responding took
no measures to monitor their general security performance over
time. Sixty percent had some kind of security awareness programme
in place, and 53% employed security audits or penetration
testing.
Seventy-five per cent of respondents spent 10% or less of their
IT budgets on security, including 12% of respondents who spent
nothing, and 77% of the respondents said their organisations spent
less than 5% of their IT security budgets on training or
certification.
"There's an intent to measure improvements, but there are no
metrics attached to that intent," said Kramer, citing the need for
certification.
The survey of government, IT, finance and other industries was
conducted during the fourth quarter of 2002.