Human Error Tops List of Vulnerabilities

Only half of respondents in a new survey say their company has a written security policy. Furthermore, despite the increases in threats, many organizations have been slow to make the appropriate investments in time and budget to properly address them.

Today viruses, worms, and software vulnerabilities get the ink, but there’s often another factor to blame: human error. That’s according to the second annual “Analysis of IT Security and the Workforce” survey from the Computing Technology Industry Association (CompTIA).

Almost 900 organizations from 17 countries responded to the survey, reporting on security goings-on in their organization for the last six months of 2003.

A major finding is that respondents label human error as the leading cause—for about half of all incidents—of security breaches. A combination of human error and technical malfunction was second, at 37 percent.

What, or who, is to blame for human error? A lack of security knowledge, inadequate training, or not following established security procedures, say 84 percent of organizations, up from 63 percent in 2002.

To which humanists might reply: organization, heal thyself. Turns out only half of organizations have a written IT security policy in place. For years, security experts have been recommending written policies as a crucial first step to align people, policies, and procedures. Don’t expect perfection without the basics.

Despite seeing increasing numbers of threats, “many organizations have been slow to make the appropriate investments in time and budget to properly address these threats,” notes John Venator, president and CEO of CompTIA.

When it comes to written security policies, as usual the financial services industry is ahead of the game: 62 percent have a written policy. That’s followed by 58 percent of government respondents and 41 percent of the education sector. Only about a third of technology companies have a written security policy.

Company size does, however, matter. Of large companies (more than 7,000 employees), 75 percent had a written security policy, compared with only a third of small organizations (49 or fewer employees).

Based on those findings, the report’s authors say much the same thing they said last year: “The issue of security and human capital—versus security and technology—is becoming increasingly important to address. Security assurance rides on human actions and knowledge as much, if not more so, than it does on technological advances.”

Keeping a written security policy up to date is also important. About half of organizations say they review their security policies at least twice a year, and about a third update them that frequently.

The sooner organizations tackle the basics the better. For 2002, about one-third of respondents said they’d had between one and three breaches in the preceding six months. For 2003, the figure rose slightly. Likewise, in 2002, 38 percent of organizations reported a major security breach, which increased to 58 percent last year.

Is that a surprise when almost one in five organizations have IT staff with no formal security training? CompTIA says more organizations need to look at the costs of security breaches before writing off either training or certification as too expensive. In fact, 80 percent of organizations think their training investments have translated to improved security—better risk identification and awareness, smarter security, and more rapid response to security incidents. Almost as many say the same for certification.

Numbers back up the ROI assertion: Organizations with more than a quarter of IT staff trained in security were less likely to have a security breach than organizations with less than a quarter of IT staff similarly trained.

“The findings underscore the fact that security and human capital, more so than security and technology, should be given the highest priority by all organizations,” says Venator. “Human knowledge and action are critical to making networks and IT infrastructure secure.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.