A new study reveals that companies believe malware and hacking are the top data security concerns, but actually their own employees’ actions are the largest cause of security breaches.
Human error accounts for 52 percent of the root causes of security breaches, according to a study from CompTIA, the IT industry association. CompTIA’s Trends in Information Security study was conducted in January 2015 among 700 business executives and technology professionals at U.S. companies.
Asked about the top examples of human error, 42 percent of those surveyed cited “end user failure to follow policies and procedures,” another 42 percent cited “general carelessness,” 31 percent named “failure to get up to speed on new threats,” 29 percent named “lack of expertise with websites/applications,” and 26 percent cited “IT staff failure to follow policies and procedures.”
Notably, despite over half of respondents naming human error as the leading cause of security breaches, only 30 percent cited “human error among general staff” as a serious concern, and only 27 percent cited “human error among IT staff” as a serious concern.
Experts often say more employee training is needed to address the “human firewall” issue, however, according to the study, only 54 percent of those surveyed said that their company offers some form of cybersecurity training.
Of those, 71 percent indicated that training is done during new-hire orientation, 65 percent responded that training is ongoing, 50 percent said they use random security audits, 46 percent said security policies are physically posted, and 39 percent said an online course is offered.
There are certain technology solutions available that can help mitigate human error. Data loss prevention tools are currently in use by 58 percent of companies, according to the survey, identity and access management solutions are being used by 57 percent of respondents, and security information and event management technology is being employed by 49 percent.
Only half of the companies surveyed believe they have a comprehensive security policy in place, whereas the other half indicated that their company does not currently have a security policy, or that the organization is still working on one.
Just over half of the companies surveyed (52 percent) said greater interconnectivity such as cloud computing and mobile technology has created new security considerations and that legacy security systems and practices are often not sufficient.
Roy Maurer is an online editor/manager for SHRM.
Quick Links:
SHRM OnlineSafety & Security page
Subscribe to SHRM’s Safety & Security HR e-newsletter
