18 Dec 2012

Who’s at Fault for Security Breaches?

Cloud computing, mobility, social tools and other technologies that put more power in the hands of individual users pose new challenges for organizations seeking to secure data, devices and networks, according to recent research by CompTIA, the nonprofit association for the IT industry.

The majority of companies in CompTIA’s 10th annual “Information Security Trends” study cite human error as a contributing cause of security breaches, just as they have in the previous nine years of the study. What’s changing, however, is that the human element is no longer confined to malware, phishing and viruses.

Cloud computing options force end users to consider how data is handled outside of their organization. Unauthorized mobile applications and mobile malware strains are becoming more prevalent. Social networking is a growing factor affecting organizational security.

“As users gain more responsibility for their own technology, the human element becomes more and more important,” said Seth Robinson, director, technology analysis, CompTIA.

“But many organizations are not sure what to do about it,” Robinson said. “The way they’ve thought about security in the past is to purchase a firewall or antivirus software or other product. But there’s not a product that can help with end-user awareness. It really requires a commitment to training and education.”

Four out of five companies expect to keep security as a high priority over the next two years, with large companies more likely to do so than their small and medium counterparts.

“Spending on security products shows no signs of abating, but a comprehensive security solution also must focus on the end users,” Robinson said. “It boils down to policies, processes and people; making every user aware of their responsibilities for security.”

The CompTIA research shows there are multiple areas where security professionals are focusing their efforts. Along with growing concern about increasingly sophisticated and targeted cyber-attacks, changes in IT operations have also prompted new security approaches. For example, 51 percent of firms said that their move to cloud solutions or new mobility strategies was responsible for the implementation of new security tactics.

In dealing with these changes, 41 percent of organizations report a need to help their security staff close moderate or significant gaps in security expertise, with the deficit most pronounced in areas such as cloud security, mobile security and data loss prevention. The impact of these deficiencies is felt in several ways, including being unaware of where the company is exposed (44 percent of responding firms); loss of business as a result of security issues with customer data (39 percent); and costs incurred for training the current workforce (38 percent).

A net 49 percent of companies say they intend to hire security specialists, including those that also plan to train current staff. Executives have a strong preference for security professionals with industry certifications. A full 84 percent said they experienced a positive return on investment in security certifications, with certified staff viewed as more valuable than non-certified staff because of their proven expertise and ability to perform at a high level.

IT channel firms will also have a role to play in the evolving security environment. More than three-quarters of IT firms say they have involvement in the provisioning of security products and services for their customers. Areas most covered by channel firms include network security (74 percent), business continuity and disaster recovery (71 percent) and data protection (70 percent).

During the next 12 months channel firms plan to place more of their focus on cloud security and mobile security. They also may see opportunities to deliver ongoing, interactive security training to customers.

http://www.certmag.com/read.php?in=5630