Survey: Major security breaches usually due to human error

Major security breaches are on the rise and most often attributed to human error, rather than technical problems, according to a recently released survey by an IT industry group.

Major security breaches, defined by the survey "as one that caused real harm, resulted in confidential information taken or interrupted business," are slowly increasing and are most often attributed to human error (47%), rather than technical problems. The survey found 80% of respondents believe that human errors or mistakes were caused by a lack of IT security knowledge, a lack of training or a failure to follow security procedures.

A survey of 896 Computing Technology Industry Association (CompTIA) members and IT security professionals last December indicated that 39% experienced one to three major security breaches in the previous six months, an increase of 8% over its study a year ago. Respondents were from government, IT, financial and education sectors, among others.

Attacks by malicious code (68.6%) were the security issue respondents cited most often this round. CompTIA said network intrusion -- the second-most commonly faced issue in 2002 -- is much less common now (dropping from 65.1% in 2002 to 39.9% in 2003). Browser-based attacks may be an emerging threat, rising from 25% to 36.8%.

CompTIA found that 80% of respondents attribute the breaches to a lack of IT security knowledge, a lack of training or a failure to follow security procedures. Nearly 1 in 5 of those surveyed reported that none of their IT staff have any formal security training.

Half (49%) of those surveyed don't have a written security policy. Of those who have a policy, 7% say that director-level or higher staff never review it and 9% indicate that director-level or higher staff never update it.

Some 80% of respondents who have invested in security training believe their security has improved; 70% say the same of certification. Reported improvements include enhanced potential risk identification, increased awareness, improved security measures and a generalized ability to respond more rapidly to problems.

According to CompTIA, those who have 25% or more of their IT staff trained in security are less likely (46.3%) to have had a security breach than those with less than 25% of their IT staff trained in security (66%).
