Study: Companies are not as secure as they think
80 percent of respondents satisfied with current level of security despite only 13 percent having recently updated security approach
November 25, 2013 — CSO — CompTIA, the nonprofit association for the IT industry, has a warning for companies: You are likely less prepared than you think for defending against security threats.
In a recent survey of 1,000 IT professionals and companies, CompTIA found that more than 80 percent believed their current level of security was completely or mostly satisfactory. This high level of confidence was expressed despite the fact that only 13 percent of the respondents had made drastic changes to their security approach over the last two years.
During that time, many organizations have embraced cloud computing and bring-your-own-device practices and expanded their use of social media, all of which would require new technologies and policies to secure. Without those changes, a company's security is likely inadequate.
"Sometime in the past, they did a fairly thorough analysis of their security situation," Seth Robinson, director of technology analysis for CompTIA, said Monday. "But with the large technology changes that we're seeing today, that analysis may be a little bit stale."
For many companies, the focus remains on hacking and malware as persistent threats. Yet the landscape has changed dramatically with the rise of advanced persistent threats, denial-of-service and IPv6 attacks, and mobile malware.
The survey indicates that many companies need to step back and re-evaluate their security tactics, starting at the top level of the business and working down through all departments.
For the 11 years CompTIA has been doing the annual survey, employee mistakes have always been a major cause of security breaches. In the latest report, more than half of the respondents said human error has become a bigger problem over the last two years.
CompTIA believes the increase is likely due to employees' use of cloud services, such as Dropbox or Google Apps, as well as mobile devices and social media. In the majority of cases, employees do not realize that their behavior is risky or violates corporate policies.
While acknowledging that human error has become a greater threat, only one in five of the respondents in the CompTIA survey viewed it as a "serious concern."
This contradiction likely arises because most human error stems from ignorance in using new technologies, Robinson said. While companies know how to bolster security against malware, they have less experience in solving problems stemming from a lack of education.
"Companies need to think about security education differently than they have before, so it's taking some time for that to sort itself out," Robinson said.
Companies are also struggling to find security professionals with the skills to lock down emerging technologies, CompTIA found. The areas most lacking in talent included cloud and mobile security, data loss prevention and risk analysis.
Other stories by Antone Gonsalves