Study: Human error causes most security breaches

Sign up to receive Security Resource Alerts

March 18, 2003 (IDG News Service) -- Human error, not technology, is the most significant cause of IT security breaches, according to a security survey released by the Computing Technology Industry Association Inc. (CompTIA) today.
The survey, "Committing to Security: A CompTIA Analysis of IT Security and the Workforce," suggests more training and certification of IT workers will help the U.S. protect itself against cyberthreats. In more than 63% of security breaches identified by the survey's respondents, human error was the major cause. Respondents blamed only 8% of security breaches on purely technical failures.
Brian McCarthy, CompTIA's CEO, called the results "staggering" in a statement. He said a majority of survey respondents said that most of their IT workers didn't have security training.
"It's not about the technology, but it's all about the people," McCarthy said at a news conference. "Yes, technology plays a critical role, but unless you have the right people behind the wheel, and their knowledge levels are correct, you'll have some real challenges."
CompTIA, an Oakbrook Terrace, Ill.-based trade association that offers technology certifications, said the survey's results show the need for more security training and certification. The results of the survey, which was conducted by NFO Prognostics, of 638 respondents from the public and private sectors, included the following:

• 31% had experienced from one to three major security breaches, causing real harm, in the past six months. Another 4% of respondents said they had between four and nine major security breaches in the previous six months, and another 3% said they had 10 or more major security breaches in the past six months.


• 22% said none of their IT employees have received security-related training, 69% have fewer than 25% of their IT staffs trained in security, and only 11% said all of their IT employees have security training.


• 96% would recommend security training for their IT staff.


• 73% would recommend more comprehensive security certifications for their IT staff.


• 66% believe that staff training or certification has improved their IT security through increased awareness and proactive risk identification.

"Frankly, we're surprised no one's picked up on this before," McCarthy said in the statement. "The connection between having more IT security training and making our IT networks more secure seems so obvious, yet it's been largely overlooked. It's just common sense."
Robert Kramer, vice president of global public policy at CompTIA, said that more than 90% of the organizations responding said they use antivirus technologies and firewalls/proxy servers, but only 19% required previous security experience for their IT workers and 23% required security training. "Although the problem is something that focuses on human error, the solutions you would expect are not forthcoming," Kramer added.
The survey also showed that 17% of organizations responding took no measures to monitor their general security performance over time. Sixty percent had some kind of security awareness program in place, and 53% employed security audits or penetration testing.
Seventy-five percent of respondents spent 10% or less of their IT budgets on security, including 12% of respondents who spent nothing, and 77% said their organizations spent less than 5% of their IT security budgets on training or certification.
"There's an intent to measure improvements, but there are no metrics attached to that intent," said Kramer, citing the need for certification.
Donald "Andy" Purdy, a senior adviser with the White House's cybersecurity staff, said the CompTIA study presents some opportunities for the U.S. to improve cybersecurity. "Certification and training of IT professionals is a critical linchpin in making our nation more secure," he said at the CompTIA news conference.
The survey of government, IT, finance and other industries was conducted during the fourth quarter of 2002.

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

"Employees at Computerworld's Best Places to Work in IT have managed to tame the IT career beast by rejecting the..." Read more... "Today's US college business professors, hopefully, aren't all like the one who is teaching a Florida university's business major. Maybe..." Read more... Read more Careers posts or See all Blogs

Lithuania: Attacks focused on hosting company Google bows to pressure, adds 'Privacy' link to home page Microsoft promises four patches next week More top stories...

Google gives away home-cooked Web application security scanner Expect iPhone, Fourth of July scams, security firm says Microsoft trumpets security additions in upcoming IE8

This old laptop: Revitalizing an aging notebook on the cheap All it takes is a couple hours and about $125 to breathe new life into an old laptop. Here's how. Bill Gates moves on Is Microsoft's Golden Age over? What are Gates' most memorable quotes? Find out in Computerworld's complete coverage of the end of the Bill Gates era at Microsoft. Five things you should never tell your boss There are some things your CIO definitely doesn't want to hear. Also don't miss the flipside, Five things you should always tell your boss. Hands-On: Firefox 3 fixes what's broke and keeps what's right With its latest version, Mozilla's browser continues to raise the bar for what Web browsers should be. Windows Vista A to Z Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS. More Continuing Coverage After 9/11: Homeland SecurityAsk a Premier 100 IT LeaderBlackBerry Legal BattleData Security BreachesElectronic VotingFirefoxH-1B VisasHP's Boardroom ScandalHandheld DevicesHurricane Katrina AftermathMicrosoft Legal IssuesMicrosoft's VistaOpen SourceRFID TechnologySCO's Linux FightSarbanes-Oxley ActSpamVoice Over IPWi-FiWindows Meta File VulnerabilityWindows XP Service Pack 3 IT Careers 2010 Four years from now, the IT field will be a vastly different place. Will you be ready? More Special Reports Premier 100 IT Leaders 2007 Best in Class2006 Computerworld Horizon Awards2006 Premier 100 IT Leaders2006 Salary Survey2007 Best Places to Work in IT2007 IT Forecast2007 Premier 100 IT Leaders40 Years of ComputerworldASPs, Take TwoBest Places to Work in IT 2003Best Places to Work in IT 2004Best Places to Work in IT 2005Best Places to Work in IT 2006Business Intelligence Home RunsBusiness Intelligence: Smarter BIBusiness Intelligence: The Future of BICRM Goes VerticalCRM: Sober CRMCareer Planning Guide 2005Careers: IT Profession 2010Computerworld Horizon Awards 2005Data Management: Mining for GemsData Management: Taming Data ChaosDevelopment: Hard-Workin' Web SitesDevelopment: New Tools New ChoicesDevelopment: The New World of Application DevelopmentDevelopment: The Web Services TsunamiDevelopment: Web Services HurdlesDisaster Recovery: Preparing for the WorstE-commerce Grows UpE-mail/Groupware: Big DecisionsFaces of Mobile ITForecast 2006Global MobileHardware: Multiple Cores, Multiple ChallengesHardware: On-Demand Un-HypedHardware: The Shape of Things to ComeHorizon Awards: 10 Cool Cutting Edge TechnologiesIT Management: Guide to Managing VendorsIT Management: Navigating Global ITIT Management: Recovery AheadIT Management: The Future of ITIT Management: The Resourceful Project ManagerInnovative Technology Awards 2004Management: Reinventing ITMicrosoft in TransitionMobile/Wireless Leaders and LaggardsMobile/Wireless: The Untethered WorkerMobile/Wireless: Tiny Gadgets, Huge CostsNetwork Management: Taking ControlNetworking: Turbulence Ahead!Networking: VoIP Goes MainstreamOperating Systems: In the Slow LaneOperating Systems: Linux Goes GlobalOperating Systems: Should You Nix Unix?Outsourcing: Offshore Buyer's GuideOutsourcing: Outsourcing DangersPremier 100 IT Leaders 2004 Best in ClassPremier 100 IT Leaders 2005 Best in ClassROI: Do the Math!Salary Survey 2003Salary Survey 2004Salary Survey 2005Security Action PlanSecurity: Compliance HeadachesSecurity: Proactive SecuritySecurity: Risk and RewardSecurity: Tips From Security ProsSouped-up SecurityStorage: Battling ComplexityStorage: Cheap & Secure Data StoresStorage: Stretching Your Storage DollarsStorage: The Lean Storage MachineStorage: The New Rules of StorageStorage: The Ultimate Backup GuideSupply Chain: Missing LinksSupply Chain: RFID Reality CheckThe Business of SecurityWeb 2.0 SecurityWireless: Wireless At Work All Zones Application Performance Zone Business Continuity Zone Data Center Management Zone Enterprise-Class Security Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone Business Intelligence and Analytics Zone See your link here

Learn-Fast Guide: It's All About You (Source: Computerworld) Is your career in sync with the current megatrends: business alignment, globalization, the consumerization of IT, web 2.0 and beyond? In this guide, you'll get advice about how to make yourself more valuable, how to make the global talent pool work for you and how to make sure you "get found" when you put yourself out there. Download this executive briefing  Long Tail Supplier Collaboration - What's In It For You? Long Tail Supplier Collaboration - What's In It For You? Download this webcast, free, compliments of Sterling Commerce Go to the webcast  Cost Effective Scaling with Virtualization and Coyote Point Systems Download this white paper, free, compliments of Coyote Point Systems. (Source: Coyote Point Systems) Learn more about the industry trend toward virtualization, how server consolidation has increased the importance of application uptime and the steps being taken to integrate load balancing technology with virtualized servers. Download this white paper  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. Deploying Virtualized NetWare on Linux Whitepaper Toward More Flexible, Next-Generation Collaboration Solutions Driving Business Success Through Workgroup Choice and Flexibility View more whitepapers

• Lithuania: Attacks focused on hosting company
• Google bows to pressure, adds 'Privacy' link to home page
• Microsoft promises four patches next week
• More top stories 

Intercept Spam & Viruses With MessageLabs MessageLabs is offering a complimentary 30 day trial of its managed Anti-virus and Anti-spam security solutions. MessageLabs guarantees complete protection against all know and unknown email threats. By providing 24 hour support, your business can increase productivity and decrease risk. Register for a complimentary trial and receive a free datasheet. Download this white paper now!

XenServer FREE trial Citrix XenServer is the simplest and most effective way to virtualize and provision servers. XenServer combines comprehensive server virtualization capabilities with unparalleled scalability, performance, economics, and ease-of-use. Based on the open source Xen hypervisor, XenServer delivers fast performance, easy management, and advanced features such as live migration. Request free trial now