Lack of End-User Training Threatens IT Security

The Computing Technology Industry Association (CompTIA) is set to release the results of its 7th Annual IT Security Trends in the Workforce study on Monday, during the RSA Conference. The study focuses on identifying key trends in IT security through the responses of more than 1,000 IT professionals responsible for security at their organizations.

The study found that security issues remained largely consistent with previous years, with spyware, virus/worm, and lack of user awareness again being the most common. Security threats from browser-based attacks, spyware, use of handheld devices and VoIP intensified for the majority of respondents.

In 2008, the average number of security breaches increased slightly from previous years. Although the number of security breaches remained moderate over the last few years, the data indicates the severity levels have increased. This suggests many organizations have made significant progress in dealing with security issues, but the number and types of threats has increased in step.

The most significant cost of security breaches remains the overall impact on employee productivity. About one-third of U.S. respondents cite loss of productivity as the top consequence of a breach, followed by a disruption of revenue-generating activities.

The primary cause for the most severe security breaches remains unintentional in nature and typically caused by human error. This demonstrates a need for more employee trainings and deeper knowledge of technology functions.

Almost all U.S. respondents (87 percent) note improvements in security when their

organizations provide security training for non-IT employees, notably through increased awareness and proactive risk identification. However, relatively few respondents say this type of training decreases the severity of incidents when they do happen.

The number of organizations where IT security certification is required continues to grow – particularly for current employees (32 percent in 2008 compared to 20 percent in 2006).

Most respondents feel that IT security certification for IT staff improves security, especially through risk identification and quick response to security issues. This doesn’t always translate to better corporate policy though. Less than half of respondents feel certification leads to better security policies, which suggests many corporations fail to recognize the need for a comprehensive security strategy.