Human Error Is Greatest Security Risk

Human error, not technology, is the most significant cause of IT security breaches, according to a security survey released by the Computing Technology Industry Association.

The survey, "Committing to Security: A CompTIA Analysis of IT Security and the Workforce," suggests more training and certification of IT workers will help the United States protect itself against cyberthreats. In more than 63 percent of security breaches identified by the survey's respondents, human error was the major cause. Respondents blamed only 8 percent of security breaches on purely technical failures.

Brian McCarthy, CompTIA's chief operating officer, called the results "staggering" in a press release statement. He noted that a majority of survey respondents said that most of their IT workers didn't have security training.

Right People Essential

"It's not about the technology, but it's all about the people," McCarthy said at a press conference Tuesday. "Yes, technology plays a critical role, but unless you have the right people behind the wheel, and their knowledge levels are correct, you'll have some real challenges."

CompTIA, a trade association that offers technology certifications, said the survey's results showed the need for more security training and certification.

Among the results of the survey, conducted by NFO Prognostics, of 638 respondents from the public and private sectors:

• Thirty-one percent had experienced from one to three major security breaches, causing real harm, in the last six months. Another 4 percent of respondents said they had between four and nine major security breaches in the previous six months, and another 3 percent said they had ten or more major security breaches in six months.
  
  
• Twenty-two percent said none of their IT employees has received security-related training; 69 percent have less than 25 percent of their IT staffs trained in security; and only 11 percent said all of their IT employees have security training.
  
  
• Ninety-six percent would recommend security training for their IT staff.
  
  
• Seventy-three percent would recommend more comprehensive security certifications for their IT staff.
  
  
• Sixty-six percent believe that staff training or certification has improved their IT security, through increased awareness and proactive risk identification.
  
  

"Frankly, we're surprised no one's picked up on this before," McCarthy said in the press release. "The connection between having more IT security training and making our IT networks more secure seems so obvious, yet it's been largely overlooked. It's just common sense."

Too Little Experience

More than 90 percent of the organizations responding said they use antivirus technologies and firewalls/proxy servers, according to Robert Kramer, vice president of global public policy for CompTIA. However, only 19 percent required previous security experience for their IT workers, and 23 percent required security training.

"Although the problem is something that focuses on human error, the solutions you would expect are not forthcoming," Kramer added.

The survey--conducted in the fourth quarter of 2002--also showed that 17 percent of organizations responding took no measures to monitor their general security performance over time. Sixty percent had some kind of security awareness program in place, and 53 percent employed security audits or penetration testing.

Seventy-five percent of respondents spent 10 percent or less of their IT budgets on security, including 12 percent of respondents who spent nothing. Seventy-seven percent of the respondents said their organizations spent less than 5 percent of their IT security budgets on training or certification.