A sophisticated security infrastructure has developed over the past several years to deal with new threats to information security that seem to emerge on a daily basis. Security software, ever more capable and pervasive, can detect attacks that may have gone unnoticed for long periods in the past. Firewalls, proxy-server protection, intrusion-detection systems, and other solutions have similarly advanced in their ability to stem attacks.
Many people believe that fully automated security solutions can turn back nearly all attacks. But while we have become better at identifying security threats and implementing countermeasures to stop them, we haven't done enough to address the main cause of security breaches. In fact, relying solely on technology to keep data and networks secure may be lulling organizations into a sense of complacency that, unless countered, will leave them vulnerable.
For the past four years, the Computing Technology Industry Association (CompTIA) has conducted a major study on information security threats and responses. A constant through all four years of the study is that most security breaches are caused by some kind of internal human error.
TO ERR IS HUMAN
This year's study found that 59% of the 574 organizations surveyed indicated that their last security breach was due to human error. This is significantly higher than a year ago, when less than half of the security breaches were blamed on human error alone.
The most frequently mentioned cause for these errors was failure of staff to follow internal security policies and procedures. Clearly, it is still the human behind the PC that requires behavior modification when it comes to safe computing practices.
But there is a disconnect in the responses that organizations are marshalling to combat the threats posed by their employees. Just 29% of organizations surveyed said that information security training is a requirement at their company. Yet among those who require security training for all employees, 84% said such training has resulted in a reduced number of major security breaches since implementation.
The organizations that do not have plans to implement this kind of training most frequently said that it isn't a departmental or business priority or that there is a lack of top management support. One way to heighten management awareness and interest in the information security discussion is to demonstrate the financial impact of security breaches.
Participants in the CompTIA study monetized the impact of the last security breach they faced as well as the impact of breaches over the last 12 months. The mean values were over $11,000 for the last security breach and just under $35,000 for breaches over the last year. Some respondents reported impacts above $50,000 for security breaches, showing that while a "garden variety" breach may be little more than an inconvenience, the potential for serious harm is always present.
TO MANAGE IS DIVINE
More and more, the worms, viruses, and social engineering schemes launched against organizations are targeting specific companies and specific user profiles with the goal of reaping financial gain. Management might become more receptive to security training for all users if the nature of the discussion were changed from one centered on technology to one centered on risk management. To get to the next level, where information security becomes everyone's responsibility, it has to be taken out of the IT arena. It's time for us to look at information security not as an IT issue but as a business issue. Information security is no longer just the CIO's job. It must become the CEO's job, too. Information security awareness and action need to be institutionalized at the highest level of the organization. If security were seen as a corporate issue, it would be treated as a higher priority. But today, there remains a clear disconnect between talking the security talk and walking the security walk.