Poor IT security has its roots in overburdened employees, according to a study by consultancy Netsec.
The main problem is that security is a part-time job loaded on network or system administrators, says Netsec founder Jerry Harold.
"These people are already fully tasked in keeping their networks up and running, and they rarely have the time to manage security effectively - which can be a full-time job," he says.
Existing staff get lumbered with security partly because of a second issue: a shortage of skilled security specialists. Network administrators, in particular, are in short supply, the study says, and network security skills are a specialism within that group, so they are in even shorter supply.
As a result, even if a company can find the right specialists, they will be very expensive, says Harold.
This leads to the traditional IT staffing problem of how to keep people. "Once a company builds an effective security team, they're always susceptible to being lured away," he says. "In some cases, companies may never fully recover from the departure of key security staff."
Finding the right people can be difficult because employers lack awareness of good security processes, says the Netsec report.
"Implementing effective in-house network security is not as simple as hiring a hacker. It requires a number of distinct skills that are almost never found in a single person. These include testing, risk management, policy development, research, and in-depth knowledge of operating systems, applications, network protocols and integration."
After these five staff-related issues comes naive use of security products and techniques.
"Building security-critical devices on top of proprietary, insecure operating systems will always create an opportunity for hackers," Netsec says. "With few exceptions, operating systems are designed to provide general functionality and ease of use."
This leads to Netsec's next issue: "Most companies build their networks and then try to apply security. This inevitably leads to costly trade-offs. It's far more cost-effective in the long run to include security in the development budget, so that security and functionality can be integrated from the start."
Harold says another problem is that companies tend to make security a priority only when they have an incident or when a new virus emerges.
"Security must be proactive to be effective and not simply based on reacting to the latest vulnerability," he says.
There is too much reliance on products. Harold says: "Most companies address network security from a product-centric perspective that involves installing a firewall out of a box and then walking away. Effective security requires effective management and is a systemic issue that involves people, information, technology, policy, design processes, organisational structure and life-cycle management."
Underlying these issues is a final problem: "Budgets for network security are usually owned and managed by the people who are responsible for functionality. In times of limited budgets, functionality always wins at the cost of security. If the security officer reports to the person in charge of IT, it's easy for security to be ignored or given low priority."
Top 10 reasons for poor security
- Security is a part-time and even ad hoc job
- Security skills shortages
- Expertise is expensive
- Staff retention
- Problems of defining the required skills
- Naive use of products
- Security is an afterthought
- Approaches to security are reactive rather than proactive
- Focus on products rather than management of all factors
- Budget ownership