IT Managers Struggle To Tackle Emerging Threats

IT managers are ranking information security as a high priority within the organisation but more training and better policies are necessary to protect against new threats, according to CompTIA survey results.

UK companies, along with those in the US, South Africa, India, and Brazil placed the greatest emphasis on information security as an organisational priority, according to CompTIA.

About 49 percent of respondents rated information security as an “upper level” IT priority. This was over a 10 percent jump from 2008, and researchers expect to see the 2012 results edging up slightly to 62 percent. In the United States, the 2012 estimate was slightly lower at 58 percent, Tim Herbert, vice-president of research at CompTIA, told eWEEK.

Baffled By Emerging Threats

Organisations continue to deal with traditional IT security threats, such as viruses, email spam and user abuse. About 63 percent of them reported at least one security incident or breach in the past 12 months and a little less than half of these threatened financial or reputation damage, according to the survey.

However, while IT executives “feel safer” because of better technology, IT expertise, training, and policies, they are still trying to understand “emerging threats”, including social media-based attacks, mobile security, and security ramifications of the cloud, said Herbert.

“As organisations invest in new solutions to enable employees anytime, anywhere access to information, tools and collaboration, they must contend with the possibility of introducing new vulnerabilities into the security equation,” Herbert said.

Different countries ranked the emerging challenges differently. The UK, China and South Africa ranked social networking threats highly, but Germany ranked them low, according to the study.

Overall, 52 percent of the respondents felt social networking made the security landscape riskier, followed by 50 percent concerned over the organisation’s growing reliance on Web-based applications.

About 48 percent of the respondents felt the growing “sophistication, criminalisation, and organisation” of hackers looking for financial gain was a risk. In the past, hackers were more interested in being disruptive or looking for bragging rights, according to Herbert. Executives were concerned that hackers’ methods were too “sophisticated” for their IT staff, said Herbert.

According to the study, 59 percent of respondents were more likely to blame “human error” versus “technology error” for security breaches. Human error could be unintentional or malicious, said Herbert, and ranged in behaviour such as “failure to follow policy”, downloading unauthorised applications, and intentionally stealing information. A user trying to catch up on work could take the laptop home and attach an external storage device infected with malware that might violate the security policy.

Herbert felt that training was critical to enforce security policies, noting that if the employee only had security policies explained during orientation it was “expected” that, over time, they would forget much of it. Frequent reminders were important, he said.

The survey defined technology errors with scenarios such as hardware failure or an up-to-date anti-virus not detecting or stopping a virus infection, said Herbert. If the antivirus software was not updated with current signature definitions, then the survey counted that as human error.

The survey also noted that the economic recession caused 34 percent of executives to worry about potential insider threats. If an employee was fired, they might retaliate by stealing intellectual property or customer lists, said Herbert. Executives needed to define policies for disabling passwords and removing access for dismissed employees, he said.

The survey was not all doom and gloom as, despite the recession and many IT budgets being slashed, overall IT security expenditures held firm, said Herbert, citing a Gartner estimate.

CompTIA’s Global Security Trends, an annual report examining information security, is in its eighth year. It surveyed 1,400 IT and business executives directly involved with defining or implementing information security in their organisation. The surveyed countries included Brazil, Canada, China, France, Germany, India, Mexico, South Africa, the United Kingdom, and the United States.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
