Major security breaches, defined by a survey as "one that caused real harm, resulted in confidential information taken or interrupted business," are slowly increasing and are most often attributed to human error (47%) rather than technical problems. The survey found that 80% of respondents believe these human errors or mistakes were caused by a lack of IT security knowledge, a lack of training or a failure to follow security procedures.
A survey of 896 Computing Technology Industry Association (CompTIA) members and IT security professionals last December indicated that 39% experienced one to three major security breaches in the previous six months, an increase of 8% over its study a year ago. Respondents were from government, IT, financial and education sectors, among others.
Attacks by malicious code (68.6%) were the security issue most commonly reported by respondents this round. CompTIA said network intrusion -- the second-most commonly faced issue in 2002 -- is much less common now, dropping from 65.1% in 2002 to 39.9% in 2003. Browser-based attacks may be an emerging threat, rising from 25% to 36.8%.
CompTIA found that 80% of respondents attribute the breaches to a lack of IT security knowledge, a lack of training or a failure to follow security procedures. Nearly 1 in 5 of those surveyed reported that none of their IT staff have any formal security training.
Half (49%) of those surveyed don't have a written security policy. Of those who have a policy, 7% say that director-level or higher staff never review it and 9% indicate that director-level or higher staff never update it.
Some 80% of respondents who have invested in security training believe their security has improved; 70% say the same of certification. Reported improvements include better identification of potential risks, increased awareness, improved security measures and a general ability to respond more rapidly to problems.
According to CompTIA, those who have 25% or more of their IT staff trained in security are less likely (46.3%) to have had a security breach than those with less than 25% of their IT staff trained in security (66%).