Human error, not technology, is the most significant cause of IT security breaches, according to a security survey released by the Computing Technology Industry Association.
The survey, Committing to Security: A CompTIA Analysis of IT Security and the Workforce, found that in more than 63 per cent of security breaches identified by the survey's respondents, human error was the major cause. Respondents blamed only 8 per cent of security breaches on purely technical failures.
CompTIA’s chief operating officer, Brian McCarthy, called the results "staggering".
He pointed out that a majority of survey respondents said that most of their IT workers didn't have security training.
"It's not about the technology, but it's all about the people," McCarthy said. "Yes, technology plays a critical role, but unless you have the right people behind the wheel, and their knowledge levels are correct, you'll have some real challenges."
CompTIA, a trade association that offers technology certifications, said the survey's results showed the need for more security training and certification.
Among the results of the survey, conducted by NFO Prognostics, of 638 respondents from the public and private sectors:
- Thirty-one per cent had experienced from one to three major security breaches, causing real harm, in the last six months. Another 4 per cent of respondents said they had between four and nine major security breaches in the previous six months, and another 3 per cent said they had 10 or more major security breaches in six months.
- Twenty-two per cent said none of their IT employees have received security-related training, 69 per cent have fewer than 25 per cent of their IT staffs trained in security, and only 11 per cent said all of their IT employees hadsecurity training.
- Ninety-six percent would recommend security training for their IT staff.
- Seventy-three per cent would recommend more comprehensive security certifications for their IT staff.
- Sixty-six percent believe that staff training or certification have improved their IT security, through increased awareness and proactive risk identification.
"Frankly, we’re surprised no one's picked up on this before," McCarthy said. "The connection between having more IT security training and making our IT networks more secure seems so obvious, yet it’s been largely overlooked. It’s just common sense."
Vice-president of global public policy for CompTIA, Robert Kramer, said that more than 90 per cent of the organisations responding used anti-virus technologies and firewalls/proxy servers, but only 19 per cent required previous security experience for their IT workers while 23 per cent required security training.
"Although the problem is something that focuses on human error, the solutions you would expect are not forthcoming," Kramer added.
The survey also showed that 17 per cent of organisations responding took no measures to monitor their general security performance over time.
Sixty per cent had some kind of security awareness program in place; 53 per cent employed security audits or penetration testing.
Seventy-five per cent of respondents spent 10 per cent or less of their IT budgets on security, including 12 per cent of respondents who spent nothing, and 77 per cent of the respondents said their organisations spent less than 5 per cent of their IT security budgets on training or certification.
"There's an intent to measure improvements, but there are no metrics attached to that intent," said Kramer, citing the need for certification.