My wife and I have a running joke. For reasons only the Holy Spirit can explain, and more often than not, something I teach, mention or quote in my Sunday school class is later repeated up on the pulpit by my pastor. On those occasions, I’ll either mention on the way out, or later in email, “… thanks for making me look good …”
That’s how I feel after reading these articles, which appeared around the same time as my post on security this past Monday. The following articles in InfoWorld, ComputerWorld and NetworkWorldFusion all bear headlines similar to one found in BusinessWeek: “CompTIA Survey Reveals Human Error Most Likely Cause of IT Security Breaches.”
According to a survey by the Computing Technology Industry Association (CompTIA), greater emphasis is required in educating employees about security risks, as human error was identified as a significant underlying factor in over 63 per cent of identified security breaches.
The study, conducted by NFO Prognostics, surveyed 638 respondents from the public and private sectors. The survey assessed the causes, severity, responsibility and frequency, and compared them to investments made in security implementations, both with and without respect to governing regulations.
Here is a bullet-point blow-by-blow of the survey:
- 31 percent had experienced from one to three “major security breaches” – i.e., breaches that caused real harm, resulted in confidential information taken, or interrupted business – in the last six months
- 22 percent said none of their IT employees have received security-related training; 69 percent have fewer than 25 percent of their IT staffs security-trained; and only 11 percent said that all of their IT employees have received security training
- 96 percent would recommend security training for their IT staff
- 73 percent would recommend more comprehensive security certification for their IT staff
- 66 percent believe that staff training/certification have improved their IT security, primarily through increased awareness, as well as through proactive risk identification
- 59 percent said that government security regulations are largely inappropriate, failing to adequately address the practical side of the problem