News story

CompTIA survey reveals human error most likely cause of IT security breaches


IT training and skills certification key toward ensuring greater network security.

At a Washington briefing with government officials today, the Computing Technology Industry Association (CompTIA) revealed results from its new security survey, "Committing to Security: A CompTIA Analysis of IT Security and the Workforce." The survey shows human error - not technical malfunction - to be the most significant cause of IT security breaches in the public and private sectors. With an overwhelming majority of respondents stating that IT training and certification have improved network security, the survey's results strongly suggest that more training and certification for IT professionals will help America become better protected against mounting cyber threats.

"We think the results are pretty staggering," said Brian McCarthy, CompTIA's Chief Operating Officer. "Where agencies and companies have looked primarily to technology for network safety, in over 63 percent of identified security breaches, human error looks to be a major, underlying factor. Because our findings also show that security-related training and certification have been underutilized - with 80 percent of respondents saying that a lack of IT security knowledge, training or failure to follow security procedures were the root causes of human error - CompTIA believes that better training and certification of IT staffs will make our networks safer."

Recently, the President unveiled his National Strategy to Secure Cyberspace, seeking to thwart a digital catastrophe through a series of industry-recognized recommendations. A significant portion of the Strategy focuses on ensuring America's workforce receives better IT training. "Getting America's workforce more security-cognizant represents a key goal of the President's Strategy," said briefing participant Andy Purdy, White House Cyberspace staff member, and former Senior Advisor to the President's Critical Infrastructure Protection Board. "Undeniably, when workers get IT security training, networks become less vulnerable."

Amplifying this, Congress has long urged federal agencies to take IT security seriously, especially in regard to calls for better IT training for staff and management. "Increasingly, IT infrastructure, like web services and computer databases, helps drive the government's outreach to citizens," noted Congressman Adam Putnam, Chairman of the Technology & Information Policy Subcommittee (House Government Reform), and briefing keynote presenter. "When government networks are sound, Americans can continue to receive the services they depend upon, even in the most challenging of circumstances."

The CompTIA-commissioned study, conducted by NFO Prognostics, surveyed 638 respondents from the public and private sectors. Among other things, the survey assessed security breach frequency and common causes, security resources, responsibility and enforcement practices, investment in security and certification, and steps taken in response to government regulatory and legislative mandates.

Other highlights from respondents show:
- 31 percent had experienced from one to three "major security breaches" - i.e., breaches that caused real harm, resulted in confidential information being taken, or interrupted business - in the last six months

- 22 percent said none of their IT employees have received security-related training; 69 percent have fewer than 25 percent of their IT staffs security-trained; and only 11 percent said that all of their IT employees have received security training

- 96 percent would recommend security training for their IT staff

- 73 percent would recommend more comprehensive security certification for their IT staff

- 66 percent believe that staff training/certification have improved their IT security, primarily through increased awareness, as well as through proactive risk identification

- 59 percent said that government security regulations are largely inappropriate, failing to adequately address the practical side of the problem

"Frankly, we're surprised no one's picked up on this before," noted McCarthy. "The connection between having more IT security training and making our IT networks more secure seems so obvious, yet it's been largely overlooked. It's just common sense. If the public and private sectors better train and certify their IT professionals, we'll be safer from malicious cyber threats."