A study on IT security by the Computing Technology Industry Association (CompTIA) finds that human error continues to be the main reason for security breaches, cited by 42% of the IT professionals polled. The good news is the industry can learn from its mistakes: Two years ago, that number was 59%.
The decrease in human error parallels both an increase in the number of organizations that have instituted written security policies and a notable decline in major security breaches, suggesting that a greater awareness of IT security risks is paying off. Sixty-two percent of organizations said they had written security policies in 2006, compared with 47% in 2004. Thirty-four percent of respondents said they experienced a major security breach last year, down from 58% in 2004.
However, some sectors are better prepared than others. Financial services are most likely to have a written policy, while fewer than half of education institutions do. Companies also are focusing more on educating mobile workers about security threats: 81% said their policies now cover issues specific to remote and mobile employees.
The findings, released this week, present a slightly muddled view of the security landscape, not surprising perhaps on a topic no one is eager to advertise.
First, concern about the safety of information is at an all-time high -- 78% of those polled said management now sees information security as a top priority. And the threat is spreading. Security threats associated with handheld devices, Voice over Internet Protocol, wireless networking and mobile access increased significantly over the past year, respondents said.
Second, organizations are spending more on security. The overall percentage of the average IT budget funneled to information security rose to 20% in 2006, compared with 12% in 2004. Nearly half expect to spend more on security-related technologies, while one-third plan to increase spending on security training.
Third, while fewer companies experienced a major security breach in 2006, the level of harm inflicted by a breach rose sharply. According to the report, the "average severity level" of breaches in 2006 was 4.8 on a scale of 1-10, a dramatic increase from the ratings of 2.3 and 2.6 for the past two years. The average cost of a security breach was $369,388, but the study warns that number was driven by a "handful of companies who estimated costs in excess of $10 million."
Khalid Kark, who covers IT security at Forrester Research Inc. in Cambridge, Mass., said the industry's average security costs in particular are not useful, precisely because the large companies as well as large breaches at a small or medium-sized company "skew the numbers so much." A better way to look at the problem is cost per record breached, he said, although that has issues, too.
"If there are smaller numbers of data points breached, it usually tends to be a smaller cost," Kark said, referring to research he published recently.
That said, the cost of a security breach is increasing, Kark said, and will continue to, until "we put in controls where we are not just complying to regulation X but protecting the whole environment," he said. Costs are rising, in part because of the dramatic increase in the number of external entities now involved when a breach occurs.
"A few years ago, when a company had a security breach, although California [Senate Bill] 1386 existed, all you had to do was notify your clients and tell them what you were doing and be done with it. Now the SEC gets involved, credit card companies may be involved and other external regulatory bodies," Kark said. "The other aspect is, how do you verify you have the right controls in place, so this doesn't happen again."
Then there are the tolls security breaches take on employee productivity, loss of reputation and the deep and still-unfathomed money pit extracted by lawyers. Indeed, the CompTIA respondents broke down the damage as follows: loss in employee productivity at 35%, server downtime 21%, impact on revenue-generating activities 20%, loss of physical assets 17%, legal fees or fines 8%.
But Kark agreed that the mindset around security has changed. A few years ago, when he asked chief security officers and CIOs why they were allocating a certain percentage of the budget to security, the common response was "because they had to -- 'regulation x requires us to do so,'" Kark recalled.
Indeed, employee education is critical. He pointed to data suggesting that human error accounts for as much as 80% of breaches. But business has not really grappled with the problem, in his view.
"I ask companies if they consider security to be a function of people, processes and technology. 'Absolutely,' they say. 'Processes we have to spend money on because many regulations require us to. Technology we have traditionally been spending a lot of money on. Then in terms of people, the only spend we have is the salaries,'" Kark said, which is not adequate protection. "So, there is a lot of work to do in education. That is a significant area of risk."
One of CompTIA's missions is to provide IT certification training. The association said specialized training for IT staff members is still the exception rather than the rule, but the data suggests that's shifting. Security training or certification now accounts for 12% of the total IT budget, compared with 8% in 2005. And, 68% of organizations now allocate some portion of their IT budget to security training or certification, up from 55% last year. The bottom line, however, is that only 45% of the IT staff members at the companies that responded have security-related training.