In-Depth

Few Organizations Increase Spending to Improve Security

While operator errors get blamed for the majority of security incidents, organizations aren’t budgeting a fix.

• By Mathew Schwartz
• 06/01/2005

While operator errors cause the majority of security incidents, organizations aren’t taking needed steps to fix the problem.

So says the Computing Technology Industry Association (CompTIA), which released its third annual “Study on IT Security and the Workforce.”

According to the survey, organizations blame 80 percent of all security incidents on human error, or on human error in conjunction with a technical malfunction. That number is unchanged from last year’s survey findings.

What’s also unchanged, however, is that organizations aren’t increasing their budgets to train staff or to craft new security policies to help fix the problem. This year, half of the surveyed organizations have budgeted 5 percent of their overall IT budget for training, fifteen percent of organizations allocated anywhere from 20 to 50 percent to training, and 10 percent will spend nothing. Those numbers remain unchanged from last year’s survey.

Do organizations have a way to fix the problem that doesn’t require additional spending? Unfortunately, that doesn’t seem to be the case. In the last six months, “nearly 40 percent of organizations experienced a major IT security breach—defined as one that causes real harm, results in the loss of confidential information, or interrupts business,” notes CompTIA. That percentage has remained constant since 2002.

The absence of additional spending on training is especially puzzling given the spate of data-theft incidents over the past year, to say nothing of regulations such as Sarbanes-Oxley and HIPAA. “Organizations are relying on the Internet more than ever before, making the storage and housing of personal account information and proprietary data even more vulnerable to identity theft and data corruption,” notes Brian McCarthy, CompTIA’s chief operating officer. “This is especially true for large organizations with multiple points of vulnerability and thousands of employees.”

So why hasn’t spending tracked the increased risk from storing or trafficking in large amounts of data? As McCarthy notes, “security assurance continues to depend on human actions and knowledge as much, if not more so, than it does on technological advances.” Training is notably one of the few ways of preventing social-engineering attacks, in which criminals trick employees into installing Trojan software on their PC or sharing passwords to sensitive systems.

Companies seem to agree that training is the answer, even if their budgets don’t reflect this. For example, 89 percent of respondents believe “major security breaches have been reduced as a result of IT security training and certification.” According to the survey, the perceived benefits of training include “improved potential risk identification, increased awareness, improved security measures, and an ability to respond more rapidly to problems.”

Security policies are another useful tool for preventing attacks. Yet CompTIA found half of organizations don’t have written security policies. In addition, it found many organizations with written security policies don’t enforce them.

Two-thirds of organizations also don’t plan to hire additional security personnel to help. For those that will hire, previous training or certification is unimportant: Only a quarter of organizations require potential security hires to have IT security training, and only one in 10 requires them to be certified.

Training lags at the general employee level as well. For example, half of the surveyed companies provide only IT employees with computer security training and have “no plans to implement security awareness training for their employees outside the IT department,” says CompTIA.

To create more effective information security programs, McCarthy recommends organizations reconsider that stance. “To be truly effective in preventing and combating security threats, organizations need to take further steps by spreading security awareness and knowledge from a select group of IT staff to larger portions of their employee base.”

Related Articles:

Best Practices: Defending Against Insider Attacks
http://www.esj.com/Security/article.aspx?EditorialsID=1395

Avoiding Time Warner’s Backup Mistakes
http://www.esj.com/Security/article.aspx?EditorialsID=1396