Organizations are overwhelmingly confident in their readiness to combat security threats, but may not be prepared for dangers linked to new technology models and increasingly sophisticated threats, according to a new study released by CompTIA, the non-profit association for the information technology industry.
2. Most Companies Expect to Maintain High Focus on Security
Priority placed on security (two series, in the order the chart lists them: 2 years from now forecast / compared to 2 years ago):
  Significantly higher priority: 37% / 28%
  Moderately higher priority: 44% / 51%
  No change: 17% / 18%
  Moderately or significantly lower priority: 2% / 3%
Source: CompTIA's 11th Annual Information Security Trends study
Base: 500 U.S. IT and business executives (aka end users) responsible for security
3. Assessing the Cybersecurity Landscape
Security concern today (Moderate concern / Serious concern), followed by change in trend (No change or less critical today / More critical today, in the order the chart lists those headers):
  Malware (e.g. viruses, worms, trojans, botnets, etc.): 38% / 53%; trend 52% / 48%
  Hacking (e.g. DoS attack, APT, etc.): 42% / 44%; trend 53% / 47%
  Social engineering/Phishing: 45% / 37%; trend 62% / 38%
  Data loss/leakage: 46% / 35%; trend 70% / 30%
  Understanding security risks of emerging areas, i.e. cloud, mobile, social: 49% / 32%; trend 61% / 39%
  Physical security threats (e.g. theft of a device): 42% / 28%; trend 72% / 28%
  Intentional abuse by insiders, i.e. staff, contractors: 42% / 26%; trend 76% / 24%
  Lack/inadequate enforcement of company security policy: 45% / 23%; trend 77% / 23%
  Lack of budget/support for investing in security: 42% / 23%; trend 76% / 24%
  Human error among IT staff: 47% / 22%; trend 80% / 20%
  Human error among general staff: 55% / 21%; trend 76% / 24%
Source: CompTIA's 11th Annual Information Security Trends study
Base: 500 U.S. end users responsible for security
4. Security Defenses in Use
Share of firms using each defense (Large firms / Medium firms / Small firms):
  Data Loss Prevention: 71% / 54% / 55%
  Identity and Access Management: 61% / 43% / 39%
  Formal risk assessment: 51% / 40% / 35%
  Security Information and Event Management: 44% / 37% / 32%
  Enterprise Security Intelligence: 41% / 34% / 22%
  External Vulnerability Assessments: 40% / 25% / 28%
Source: CompTIA's 11th Annual Information Security Trends study
Base: 500 U.S. end users responsible for security
5. Human Element a Major Part of Security Risk
Factors in security breaches: Human error 55%; Technology error 45%
Top human error sources:
  End user failure to follow policies and procedures: 42%
  IT staff failure to follow policies and procedures: 41%
  Lack of security expertise with website/applications: 39%
  Lack of security expertise with IT infrastructure: 38%
Source: CompTIA's 11th Annual Information Security Trends study
Base: 320 end users experiencing security breaches/244 end users with human error issues
6. Change in Security Approach Over Past Two Years
Drastic amount of change: 13%. Moderate amount of change and No/small amount of change: 51% and 36% (the extracted chart layout does not preserve which value belongs to which of these two answers).
View of drastic/moderate change by job function: Business function 70%; IT function 69%; Executives 44%
Source: CompTIA's 11th Annual Information Security Trends study
Base: 500 U.S. IT and business executives (aka end users) responsible for security
7. Formal Risk Analysis Not a Part of Security Planning for Most Companies
Currently using: 41%; Planning to use: 33%; No plans/Not familiar: 26%
Source: CompTIA's 11th Annual Information Security Trends study
Base: 500 U.S. end users responsible for security
8. Balancing Risk and Security
Reasons to mitigate security risk: Nature of emerging threats 67%; Changing security landscape 63%; Result of security evaluation 56%
Reasons to accept more security risk: Desire to use new technology 66%; Potential business benefits 53%; New business model/offerings 50%
View of the current balance: Too much risk / Appropriate balance / Too stringent (values as extracted: 66%, 18%, 17%; the chart layout does not preserve which value belongs to which label)
Source: CompTIA's 11th Annual Information Security Trends study
Base: 500 U.S. IT and business executives (aka end users) responsible for security
9. Rating of Workforce Security Mindset
  Advanced (understand policies and try to stay compliant): 44%
  Basic (unfamiliar with some details but generally aware): 48%
  Low priority (more focused on work tasks and less on security): 8%
Source: CompTIA's 10th Annual Information Security Trends study
Base: 306 end users experiencing security breaches over past year
10. Changes on the Technology Landscape Affecting Security
  Rise of social networking: 52%
  Cloud computing: 51%
  Availability of easy-to-use hacking tools: 49%
  Interconnectivity of devices/systems: 48%
  Sophistication of security threats: 47%
  Growing organization of hackers: 47%
  Volume of security threats: 39%
  Consumerization of IT: 33%
Source: CompTIA's 11th Annual Information Security Trends study
Base: 500 U.S. IT and business executives (aka end users) responsible for security
11. Review of Cloud Provider Security
Amount of review done by end users: Little/None/Don't know 40%; Moderate 29%; Heavy 14%; 17% say it depends on the situation
Areas reviewed by end users:
  • Identity and access management
  • BC/DR plans of cloud provider
  • Data integrity assurances
  • Data encryption at rest and in transit
  • Data and backup retention policies
  • Regulatory compliance of provider
  • Credentials held by provider
  • Geographic location of data centers
Source: CompTIA's 11th Annual Information Security Trends study
Base: 435 end users with cloud solutions
12. Mobile Security Incidents Within Businesses (2013 / 2012)
  Lost/stolen device: 39% / 38%
  Mobile malware: 28% / 19%
  Employees disabling security features: 26% / 19%
  Mobile phishing attack: 24% / 20%
  Violation of policy on corporate data: 23% / 25%
  None of the above: 31% / 34%
Source: CompTIA's 11th Annual Information Security Trends study
Base: 500 U.S. end users responsible for security
13. The Growing Threat of Data Loss
Experiencing data loss in the past year: answers Yes (Definitely, Probably), No, Don't know (values as extracted: 25%, 28%, 19%, 6%; the chart layout does not preserve which value belongs to which answer)
Types of data lost:
  Data about employees: 55%
  Intellectual property: 50%
  Corporate financial data: 43%
  Customer data: 42%
  Believe data was lost, but not sure which data: 22%
Source: CompTIA's 11th Annual Information Security Trends study
Base: 500 end users/190 end users experiencing data loss
14. Want to know more? As the voice of the IT industry, CompTIA has hundreds of tools, market intelligence reports and business training programs to help IT organizations grow through education, certification, advocacy and philanthropy. Check it out at www.comptia.org.
Want to know about our research on the IT workforce? Visit http://www.comptia.org/research/it-workforce.aspx.
Editor's notes
Security is a top priority for firms among many different IT initiatives, and many firms expect to increase their focus in this area over the next two years. For all this focus, though, companies may not be analyzing their security situation as thoroughly as possible.
Malware and hacking continue to be the top security concerns. Given the wide range of threats today, companies should take a more balanced view of the different ways they can be attacked, paying special attention to the threat of human error.
There is also not much adoption in a range of new security defenses or techniques beyond DLP. Especially for smaller businesses, these new tools can address areas of exposure brought on by usage of new technology.
Even though companies do not cite human error as a major concern, it accounts for over half of the root causes of security breaches. This is generally not malicious activity but simply a lack of awareness of policies and procedures.
Although 82% of businesses feel that their security systems are completely or mostly satisfactory, they may be basing this on historical activity. With only 13% of companies drastically changing their security approach over the past two years (a time of major technology disruption), many firms may want to refresh their analysis.
Formal risk assessment has become a necessary part of security planning as it is impossible to keep all corporate data behind a firewall. Companies need to assess which data they could allow in public cloud providers and on mobile devices.
As with the view on overall security, a more robust examination of risk tolerance may lead to areas where more risk can be accepted or security needs to be tightened up.
Addressing the human element begins with raising the level of security literacy across the entire workforce. Over half of all companies believe that their workforce may have a lower understanding of policy, which can lead to mistakes when faced with new situations.
Many organizations are beginning to use new technology first and worry about the security implications later. This is especially true when it comes to cloud computing, mobility, and Big Data.
A first step in securing cloud data is understanding what steps a cloud provider takes for security. From there, companies can add on the pieces they need to ensure that their assets are secure.
Although incidence of mobile malware has risen rapidly in the past year, many companies still do not list it as a top concern (lost/stolen device takes that spot). As different kinds of mobile attacks increase, companies will need to build the skills needed for mobile security.
The reliance on digital data and the interest in Big Data solutions has increased the focus on data security. Many companies need to start with basic data management, as shown by the fact that 22% of companies believe data has been lost over the past year but do not know which data has been compromised.