CompTIA Study Finds IT Managers Struggle to Solve Emerging Threats

IT executives consider information security as high priority but struggle to develop policies to deal with emerging threats from social networking sites, mobile devices and the cloud.

IT managers are ranking information security as high IT priority within their organizations, but more training and better policies are necessary to protect them from new threats, according to survey results released by CompTIA on Nov. 18.

CompTIA's Global Security Trends, an annual report examining information security in its eighth year, surveyed 1,400 IT and business executives "directly" involved with defining or implementing information security in the organization. The surveyed countries include Brazil, Canada, China, France, Germany, India, Mexico, South Africa, United Kingdom and the United States.

About 49 percent of respondents in the United States rated information security as an "upper level" IT priority in the 2010 report. This was over a 10 percent jump from 2008, and researchers expect to see another jump of almost 10 percent, to 58 percent, in 2012, said Tim Herbert, vice president of research at CompTIA to eWEEK.

When looked at globally, the numbers remained the same, with the 2012 results edging up slightly to 62 percent. Companies in South Africa, India, Brazil and the United Kingdom placed the most emphasis on information security as an organizational priority, according to CompTIA.

Organizations continue to deal with traditional IT security threats, such as viruses, e-mail spam and user abuse. About 63 percent of organizations reported at least one security incident or breach in the past 12 months, and a little less than half threatened financial or reputation damage, according to the survey.

However, while IT executives "feel safer" because of better technology, IT expertise, training and policies, they are still trying to understand "emerging threats," including social media-based attacks, mobile security and security ramifications of the cloud, said Herbert.

"As organizations invest in new solutions to enable employees anytime, anywhere access to information, tools and collaboration, they must contend with the possibility of introducing new vulnerabilities into the security equation," Herbert said.

Different countries ranked the emerging challenges differently. China, the United Kingdom and South Africa ranked social networking threats highly, but Germany ranked it low, according to the study.

Overall, 52 percent of the respondents felt social networking made the security landscape riskier, followed by 50 percent concerned over the organization's growing reliance on Web-based applications.

About 48 percent of the respondents felt the growing "sophistication, criminalization and organization" of hackers looking for financial gain were a risk. In the past, hackers were more interested in being disruptive, or looking for bragging rights, according to Herbert.

Executives were concerned that hackers' methods were too "sophisticated" for their IT staff, said Herbert.

According to the study, surveyed executives were more likely to blame "human error" versus "technology error" for security breaches, at 59 percent. Human error could be unintentional or malicious, said Herbert, and ranged in behavior such as "failure to follow policy," downloading unauthorized applications and intentionally stealing information. A user trying to catch up on work could take the laptop home and attach an external storage device that had malware that might violate the security policy.

Herbert felt that training was critical to enforce security policies, noting that if the employee went over the security policies during orientation, it was "expected" that at over time, the employee will forget. Frequent reminders were important, he said.

The survey defined technology errors as scenarios such as hardware failure or an up-to-date antivirus not detecting or stopping a virus infection, said Herbert. If the antivirus software was not updated with current signature definitions, then the survey counted that as human error.

The survey also noted that the economic recession caused 34 percent of executives to worry about potential insider threats. If an employee was fired, that employee might retaliate by stealing intellectual property or customer lists, said Herbert. Executives needed to define policies for disabling passwords and removing access for dismissed employees, he said.

The survey wasn't all doom and gloom, as despite the recession and many IT budgets being slashed, overall IT security expenditures held firm, said Herbert, citing a Gartner estimate.