Forget the countless software flaws, worms, viruses and Trojans that crop up every week; or the spam and phishing attacks that cost enterprises time and money. One in four IT practitioners say users who refuse to obey company policies pose the biggest hurdle to computer security, according to a study by Evans Data Corp.
The Santa Cruz, Calif.-based research firm polled more than 400 IT developers and managers for its Summer 2004 survey, which also found that a lack of qualified personnel contributes to the security problem.
"As with any other security concern, the best technology in the world can be undone by untrained or inattentive end users. The same holds true for the development of secure computing applications and projects," said Glenn MacEwen, an analyst with Evans Data. "Until the culture of computing security evolves to encompass regular security practices, businesses and people will remain vulnerable to attack and exploitation."
A quarter of respondents said social engineering and a lack of policy compliance pose the biggest security threat, while 15% cited a lack of qualified personnel. Only 11% said the solutions are too difficult for users to manage.
MacEwen cited frustration over multiple passwords as one reason users often defy computer policies. "There is a proliferation of passwords – I have 30 to 40 of them myself – and people find it unmanageable," he said, referring to passwords required for everything from opening e-mail and Internet programs to accessing bank accounts, newsletters and other services enterprises rely on. "It's a legitimate gripe. People trip over multiple passwords and the situation is awkward."
He said one solution is for companies to come up with systems that require as few passwords as possible.
While users rail against a patchwork of passwords, they are also failing to update their antivirus programs. MacEwen is less sympathetic toward that group.
"Users need to think of security as a way of life," MacEwen said. "The security infrastructure is moving so fast it's hard to tell what the main issues will be in the future. The lesson users should take from that is the importance of keeping up with the security updates, however inconvenient they may seem."
Those surveyed don't see security implementation as something that negatively impacts computing performance. Only 1.3% of respondents agree with uncooperative users who complain about that.
Asked which areas their security procedures are focused on, 71% said database communications, 66% said Web traffic and 65% said Web services.
The study also found respondents split down the middle on which libraries and application program interfaces (APIs) to use when building security applications.
While 17% use Java security APIs, another 17% said they use Microsoft Web Services Enhancement (WSE). OpenSSL is preferred by 15% of respondents. Also, 25% believe the Linux operating system has the best innate security, while 19% said Windows 2003 is best. The majority view IBM as the leader in security tools and infrastructure.
Evans Data is making the full study available to subscribers for a fee.