Companies can spend all they want on antivirus, intrusion prevention systems and all-in-one appliances. These tools will do nothing for enterprises that ignore the human side of security, said Tara Manzow, product manager for the workforce development group at the Computing Technology Industry Association [CompTIA].
"Security has to be everyone's concern, right down to the person who fills the mailboxes," Manzow said. "You have to educate anyone in the enterprise that touches a PC."
Unfortunately, too many companies are missing the point, according to the 489 IT professionals the Chicago-based association surveyed in December and January. CompTIA, which provides IT certification, among other things, found that 40% of organizations surveyed have suffered a major IT security breach. Human error was to blame 79.3% of the time, the study found.
"First and foremost, the findings show that due to human error, it's imperative that your IT staff be trained and certified in security," Manzow said. "It's also crucial to have a security policy in place and ensure that everyone is abiding by it."
Those findings are backed up by the rash of recent disclosures of data theft, particularly powerhouses ChoicePoint and Lexis Nexis, which both were emphatic that their breaches came not from technology but the flawed processes and policies within their organizations.
The association said it found a large discrepancy between the security technology companies say they need and the level of investment they're putting toward education and prevention. Forty percent of respondents said their organizations suffered a major security breach -- defined as one that causes real harm, results in the loss of confidential information or interrupts business -- within the last six months. That percentage remained fairly consistent between 2002 and 2004, CompTIA said.
The association also found that:
- 53% of respondents lack a written set of IT security policies, about the same as last year.
- Half of them have no plans to implement security awareness training for their employees outside the IT department, nor have they considered it.
- 63% have no plans to hire IT security personnel in the next year.
- Just 27% of organizations require IT security training and 12% require certification.
- 89% of those who have spent more time and money on training and policy saw fewer breaches and were able to respond more rapidly to trouble.
Manzow said the findings are surprising when you consider all the attention information security has gotten in the media lately. But she doesn't believe apathy is the problem.
"I wouldn't say these organizations don't care. They're just confused as to what they should be doing," she said. "There's even confusion over what to do about compliance. The number-one tool organizations invest in are the antivirus software and firewalls. They're investing in hardware and software -- not humans. It's up to all of us to better inform enterprises on what's needed step-by-step."