CompTIA: Most Firms Know the Threats, But Aren't Prepared for Them

The growing proliferation and sophistication of hackers, combined with greater reliance on interconnected applications, devices and systems, have created a security environment that’s challenging for even the best-prepared organizations. Yet defenses aren’t keeping up.

According to research from CompTIA, businesses know that the growing organization of hackers (cited by 54% of firms), the sophistication of threats (52%) and the greater availability of hacking tools (48%) carry implications for business. Attacks can be more dynamic, changing rapidly and targeting with greater efficiency.

And indeed, companies are bringing in new security technologies to go along with the new business technologies they’re using. Data loss prevention (DLP) is one of the most common new tools, currently in use by 58% of companies. Identity and access management (IAM) and security information and event management (SIEM) both showed strong growth in adoption, at 57% and 49%, respectively.

But technology is only one component of the new security approach. Processes must be considered, and the best place to document process decisions is in a formal security policy. Yet only half of all companies believe they have a comprehensive security policy in place.

“It’s not that businesses need to be convinced that security is important,” said Seth Robinson, senior director of technology analysis at CompTIA, in a statement. “Instead, they need to be convinced of the ways that their current security approach is putting them at risk.”

One process that more companies need to focus on is a formal risk analysis. Compared to 2013 data, fewer firms feel that they have the appropriate balance between risk and security, a viewpoint shared evenly across all company sizes.

As an example of the disconnect, just over half of the companies surveyed (52%) say greater interconnectivity has complicated their security. As organizations have embraced cloud computing and mobile technology solutions, they have extended the security perimeter, creating new security considerations. And legacy security systems and practices are often not sufficient to protect that expanded perimeter.

The Trends in Information Security report also revealed that malware and hacking are still the top threats, with nearly half of all companies citing these as serious concerns. But the human element in security is still present, and organizations have trouble keeping up here too.

“Though human error ranks low as a serious concern, companies report that it is the largest factor behind security breaches,” Robinson said.

With regard to human error, more training is the clear answer, but companies struggle with understanding how to make an investment in training that will pay off. Only 54% of companies offer some form of cybersecurity training, typically done through new employee orientation or an annual refresher course. But there are few metrics to evaluate the effectiveness of this training. Businesses readily acknowledge that they would like to see better content in their security training.
