The majority of security breaches continue to stem from internal human error rather than external threats. Yet, IT and business leaders still allocate the bulk of their information security resources to external threats, even though internal threats stand to increase with the proliferation of mobile devices.
They're used to security looking like a line item on the budget. They're used to saying, 'Let's go get a product that will make us more secure.'
director of technology analysis, CompTIA
This was the big take-home from the latest Information Security Trends study by Computing Technology Industry Association (CompTIA). Among the 308 security breaches reported by participants in the 10th annual study, 54% were caused by human error. Nearly half those errors (49%) were attributed to end-user failure to follow policy and procedure. The study is based on a survey of 508 IT and business executives directly involved in setting or executing information security policies and processes within their organizations.
"There's a growing need that we see to educate the end users and bring them up to speed with security awareness, and [increase] their knowledge of what an attack might look like," said study author Seth Robinson. "Educating the end user really should be a bigger priority."
The message doesn't seem to be getting through to the people in charge of enterprise security. About 60 % of survey respondents cited malware, such as viruses and Trojans, as a "serious concern." Other types of security threats from the outside, namely hacking (54%), also outranked human error as major threats. Indeed, only 24% of respondents viewed end-user error as a "serious concern." The respondents' focus on external threats does not surprise Robinson. "It's what they've been concerned about for years, and it informs how they've built and continue to build security defenses."
One of the biggest unaddressed internal security threats facing the enterprise stems from mobile devices, Robinson said. Only 22% of companies reported having a mobile device policy. The survey showed that most companies still take an ad hoc approach to mobile device management, in some cases tacking mobility language on to existing security policies. For the second year in a row, lost or stolen devices were the most common mobile security incident (38%) reported by survey respondents. Most mobile security efforts -- undertaken after the fact -- revolve around attempts to track and secure devices. Measures include installing tracking software (47%), establishing a lost device procedure (44%) and requiring encryption on mobile devices (43%). But this piecemeal and technology-centric approach is no longer enough, Robinson said.
"Mobility has become so important, so ingrained into the business, that it needs its own policy and its own set of rules," Robinson said.
Information security trends: New approaches to training, delegation of duties
Robinson attributes the disconnect between resource allocation and rising internal threats to both stagnant budgets and an outdated understanding of what constitutes adequate end-user training. A basic run-through of security policies at the time of hire with a yearly refresher isn't enough, he said. Today, the advice from top information security experts calls for training that is frequent and interactive. For example, Robinson said a simulated phishing attack among the workforce can be a useful training tool. IT can track the number of employees who click the link, and give those employees additional information security training to recognize that type of threat.
Read more about IT security
Is virtualization the answer to mobile device management?
Seven categories for evaluating mobile device management products
Is managing BYOD policy a waste of the CIO's time?
"Those are the sorts of activities security experts are thinking need to happen these days to keep workers aware of what attacks are out there, and it gives IT a metric to tell if their training is doing well or not," Robinson said. This emphasis on training requires a different mindset from many IT leaders. "[IT leaders] are used to seeing security as a line item on the budget. They're used to saying, 'Let's go get a product that will make us more secure.'"
But as companies have been moving more into cloud computing, mobility and social networking, that notion of purchasing a product is beginning to disintegrate, Robinson said. A desire to bring in security experts (49% of survey respondents hoped to do so in 2013) offers some proof that IT is moving away from the product-first approach to information security, he said.
"The traditional aspects of the security job aren't going away, but human element types of problems are being added to them, and that's where the need for security experts or certified specialists comes in," Robinson said.
Putting employee security training in the hands of a security specialist -- and off the to-do list of CIOs -- is something analyst Simon Yates of Cambridge, Mass.-based Forrester Research Inc. strongly advocates. Decisions about device and platform management and application access should be made by infrastructure and operations (I&O) teams, he said. However, security experts should be the ones figuring out what threats their organizations face from different end-user access scenarios.
"Both teams should come back to the CIO with a recommendation," Yates said. "The CIO cannot spend his or her time trying to understand the complexities of security appliance and risk posture."
Let us know what you think about the story; email Karen Goulart, features writer.