Majority of US organizations surveyed endured a cyber attack last year

Interestingly, human error was the perceived cause for 59% of those incidents; 41% saw technology error as the cause. Almost half of respondents said that failure of end users to comply with information security policies was the most common human error.

For the US portion of its Global Information Security Trends study, CompTIA surveyed 250 information technology specialists and business executives involved in setting and executing information security processes and policies within their organization.

In total, CompTIA surveyed 1400 people from organizations in Brazil, Canada, China, France, Germany, India, Mexico, South Africa, the UK and the US. Globally, 49% of respondents cited information security as an organizational priority, up from 35% in 2008. In addition, 62% said they expected information security to be a priority in 2012. South Africa, India, Brazil and the UK placed the most emphasis on information security as an organizational priority.

“While companies continue to make strides in improving information security, the threats and vulnerabilities continue to concern them”, Tim Herbert, vice president of research at CompTIA, told Infosecurity.

Herbert said that one of the focuses of the study was how organizations respond to an information security incident. “Companies are seeking ways to get better at assessing an attack and having a better understanding of the potential ramifications of the incident, whether it was a breach of the network, data leakage, or some other type of incident.”

Having policies in place – such as how to communicate with staff – before an incident happens is important, Herbert said. According to the survey, a majority of organizations have a written cybersecurity policy, but only one-third of organizations require end-user security training. Organizations need to focus on training staff on cybersecurity policies for those policies to have any effect, he stressed.

From the perspective of IT and business executives, factors that make the security landscape riskier include the rise of social networking, cited by 52% of respondents; more reliance on web-based applications (50%); and the growing sophistication, criminalization, and organization of hackers motivated by financial gain (48%).

Herbert said that social media in particular is increasing the vulnerability of organizations to cyber attacks. “A lot of organizations are still wrestling with the security ramifications of social networking. Organizations conveyed to us the need for having better processes in place to understand what they are dealing with on the social media front.”

Organizations need to update their information security policies to take account of threats posed by social media, he noted.

“If you get an invitation from someone in your friend network, it is difficult to discern whether that is a legitimate request or malicious code… Another threat is people posing as a recruiter. So you think it is a job offer and they are requesting personal information about your current employment. Those types of threats are very difficult for companies to set rules for every single case… These are the areas where companies are trying to update their policies and provide guidance to employees”, Herbert said.

The best way to address these threats is through updated policies and rigorous employee training, Herbert concluded.
