Lack Of Training Root Cause Of Most IT Security Lapses

When it comes to inefficiencies surrounding information technology security practices, global corporations are discovering that to err is human. A survey conducted by Oakbrook Terrace, Ill.-based global trade association Computing Technology Industry Association (CompTIA) discovered that human error, defined mainly as a lack of adequate certification and training, is the root cause of lax IT security at most corporations.

Oddly enough, the lack of training is occurring even as corporations are placing more emphasis than ever on security practices and procedures, as well as spending more on preventative measures. But these measures are proving to be a hollow investment because training of personnel, IT or otherwise, is inadequate, according to the survey, titled "Commitment to Security Benchmark Study."

The result: Nearly six in 10 organizations indicate that the lack of training has led to at least one major IT security breach (defined as one that caused real harm, resulted in the loss of confidential information or interrupted business operations) in the last six months. That's up significantly from a year ago, when 38% of organizations reported at least one major IT security breach, states CompTIA, which represents the business and IT interests of more than 19,000 members.

"The findings underscore the fact that security and human capital, more so than security and technology, should be given the highest priority by all organizations," says John Venator, president and chief executive officer, CompTIA, which polled 900 organizations, including approximately 30 insurers.

"Human knowledge and action are critical to making networks and IT infrastructure secure. Many organizations have been slow to make the appropriate investments in time and budget to properly address these threats," he says.

Lack of execution

The survey, which was first performed in 2002, discovered that a slight majority of respondents (51%) have established a written IT security policy, a small increase from 2002.

But even those companies are not going the extra mile. Only seven percent of respondents reveal that staff never reviews the policy and nine percent admit that directors and higher level staff never update it, states CompTIA.

Additionally, nearly one in five companies in the 2003 survey indicate that none of their staff has any formal security training.

This lack of policy execution may stem from the mentality that IT security policies are required mainly to placate IT departments, Venator says. On top of that, IT security policies often are not included in corporate handbooks issued by human resources departments and, therefore, are not viewed as enterprise-wide policies.

As a result, proper training often is never established.

"It's not that organizations don't develop an IT security infrastructure; it's just that in many instances the people are not properly trained on security protocols," Venator says. And training makes a difference. The positive effects of training and certification include potential risk identification, increased awareness, improved security measures, and an ability to respond more rapidly to problems, Venator notes.

Companies with one-quarter or more of their IT staff trained in security are less likely (46.3%) to have had a departmental security breach than those with less than one-quarter of their IT staff trained in security (66%).

Perhaps the problem can be best summed up by one survey respondent: The "perception is that most corporations are unwilling to spend what is necessary to safeguard their most valuable assets. They have neither a thorough security policy nor recovery policy and rely on people without necessary real skills to safeguard their information."
