IT executives consider information security as high priority but struggle to develop policies to deal with emerging threats from social networking sites, mobile devices and the cloud.
IT managers are ranking information security as high IT priority within their
organizations, but more training and better policies are necessary to protect them
from new threats, according to survey results released by CompTIA on Nov. 18.
CompTIA's Global Security Trends, an annual report examining information
security in its eighth year, surveyed 1,400 IT and business executives
"directly" involved with defining or implementing information
security in the organization. The surveyed countries include Brazil,
South Africa, United
Kingdom and the United
About 49 percent of respondents in the United
States rated information security as an
"upper level" IT priority in the 2010 report. This was over a 10
percent jump from 2008, and researchers expect to see another jump of almost 10
percent, to 58 percent, in 2012, said Tim Herbert, vice president of research
at CompTIA to eWEEK.
When looked at globally, the numbers remained the same, with the 2012
results edging up slightly to 62 percent. Companies in South
Brazil and the United
Kingdom placed the most emphasis on
information security as an organizational priority, according to CompTIA.
Organizations continue to deal with traditional IT security threats, such as
viruses, e-mail spam and user abuse. About 63 percent of organizations reported
at least one security incident or breach in the past 12 months, and a little
less than half threatened financial or reputation damage, according to the
However, while IT executives "feel safer" because of better
technology, IT expertise, training and policies, they are still trying to
understand "emerging threats," including social
, mobile security and security ramifications of the
cloud, said Herbert.
"As organizations invest in new solutions to enable employees anytime,
anywhere access to information, tools and collaboration, they must contend with
the possibility of introducing new vulnerabilities into the security
equation," Herbert said.
Different countries ranked the emerging challenges differently. China,
the United Kingdom
and South Africa
ranked social networking threats highly, but Germany
ranked it low, according to the study.
Overall, 52 percent of the respondents felt social networking made the
security landscape riskier, followed by 50 percent concerned over the
organization's growing reliance on Web-based applications.
About 48 percent of the respondents felt the growing "sophistication,
criminalization and organization" of hackers looking for financial gain
were a risk. In the past, hackers were more interested in being disruptive, or
looking for bragging
, according to Herbert.
Executives were concerned that hackers' methods were too
"sophisticated" for their IT staff, said Herbert.
According to the study, surveyed executives were more likely to blame
"human error" versus "technology error" for security
breaches, at 59 percent. Human error could be unintentional or malicious, said
Herbert, and ranged in behavior such as "failure to follow policy,"
downloading unauthorized applications and intentionally stealing information. A
user trying to catch up on work could take the laptop home and attach an
external storage device that had malware that might violate the security
Herbert felt that training was critical to enforce security policies, noting
that if the employee went over the security policies during orientation, it was
"expected" that at over time, the employee will forget. Frequent
reminders were important, he said.
The survey defined technology errors as scenarios such as hardware failure
or an up-to-date antivirus not detecting or stopping a virus
, said Herbert. If the antivirus software was not updated with
current signature definitions, then the survey counted that as human error.
The survey also noted that the economic recession caused 34 percent of
executives to worry about potential insider threats. If an employee was fired,
that employee might retaliate by stealing
or customer lists, said Herbert. Executives needed to
define policies for disabling passwords and removing access for dismissed
employees, he said.
The survey wasn't all doom and gloom, as despite the recession and many
IT budgets being slashed
, overall IT security expenditures held firm, said
Herbert, citing a Gartner estimate.