CompTIA: Human Error the Primary Cause of Security Breaches

A new CompTIA report highlights opportunities for the channel to help businesses improve their cybersecurity, especially firms reporting the lowest levels of satisfaction with current security practices.

The “International Trends in Cybersecurity” report is based on an online survey of more than 1,500 business and technology executives in 12 countries. Nearly three out of four organizations have been plagued by at least one security breach or incident in the past year, with about three in five breaches categorized as serious.

Amy Carrado, CompTIA’s senior director of research and market intelligence, tells Channel Partners that while most organizations are satisfied with their current level of security, there is room for improvement, as less than one in four (23 percent) report being completely satisfied.

“The primary cause of security breaches is typically human error (58 percent) versus technology error (42 percent),” she said. “Furthermore, human error has become more of a factor for most organizations over the past two years (64 percent). Top reasons being general carelessness, failure of staff to get up to speed with new threats (e.g. mobility, social media, cloud), lack of expertise with websites and applications, and the failure of end users to follow security procedures and policies.”

These and other issues in the report point to “opportunities for IT solution providers with security expertise to help these firms stay up to date, not only in the ways of technology, but training for all employees who share responsibility in keeping their company’s systems and data safe,” Carrado said.{ad}

Firms that report the lowest levels of satisfaction are small (fewer than 100 employees), especially the micro-size firms (fewer than 10 employees), she said. Also, managers in business functions report lower security-satisfaction levels than their executive and IT manager counterparts, she said.

“These are the types of firms where they may be more open to implementing or enhancing safeguards and policies, as well as investing in tools or training,” Carrado said. “Looking at the global landscape, interestingly, companies in some of the more mature economies, such as Germany and Japan, tend to be less satisfied than firms in emerging economy countries, such as India, Mexico and the UAE.”

Self-reported security breaches were most prevalent in India (94 percent), Malaysia (89 percent), Brazil (87 percent), Mexico (87 percent) and Thailand (82 percent). Organizations in Japan (39 percent) and the UAE (40 percent) self-reported the lowest …

{vpipagebreak}

… percentages of cybersecurity incidents, according to the report.

The percentage of mobile-related security incidents – such as lost devices, mobile malware and phishing attacks or staff disabling security features – was even higher: 76 percent across all 12 countries. Mobile incidents were self-reported at the highest percentages in Thailand (95 percent), India (92 percent) and Mexico (89 percent); and in the lowest percentages in Japan (60 percent), the UAE (60 percent) and the United Kingdom (64 percent).

“One of the most surprising findings from this study is how similar results are across 12 different countries representing both mature and maturing economies,” Carrado said. “For example, the change in IT operations (i.e. moving to the cloud, new mobility strategies) is the top driver of change for firms in nearly all the countries covered.”

Organizations are taking steps to assess and improve cybersecurity knowledge among their employees, such as new employee orientation, ongoing training programs, online courses and random security audits, according to the report; however, only less than one in four (23 percent) organizations rate their cybersecurity education and training methods as extremely effective.

Nearly all managers believe it is important to test after cybersecurity training to confirm knowledge gains (96 percent), according to the report. Eight in 10 indicate that professional certifications for IT workers are valuable or very valuable as a way to validate cybersecurity-related knowledge and skills.