Despite the media attention security attacks receive, awareness of them in the enterprise is still low, according to a new CompTIA study on IT security and the workforce. More than half of the nearly 500 organizations surveyed have no written IT security policy, and without established, well-communicated security measures it is very difficult to reduce the human errors blamed for 80 percent of security breaches.
The solution to the problem may lie with the learning department in an organization, rather than the IT staff. “I think it’s an awareness issue,” said Tara Manzow, skills development product manager for the Computing Technology Industry Association (CompTIA). “And the research clearly shows that if you don’t know what’s out there, then you don’t know that you need to have the security policies in place or develop the training. What they’re investing their money in is the anti-virus software because they hear about all the viruses.”
Manzow said that firewalls are the number-one way companies secure their infrastructure, but that this is not sufficient: security assurance comes from competent human action and extensive, appropriate knowledge of security issues, as well as from technology. Enforcement is also a problem, because enforcement brings consequences, and those consequences must be meted out equally across all tiers of an organization’s workforce, regardless of position, to have any impact. “In most organizations, when you’re going to enforce the company policy, you have to do it at all levels—even at top management. Having a written policy—most people don’t have it, and those people who do have it, how many enforce it? The numbers are low,” Manzow said.
Money, or the lack of it, is also a problem. The research showed that spending on computer security and security training remained flat over the past year. Nearly half of the organizations surveyed mandate 5 percent of their IT budget for computer security. Only 15 percent set aside between 20 percent and 50 percent of their budgets, and one in 10 designate no money for computer security at all. “Budgets aren’t being put into place for training and certification, and that’s some of why they’re not enforcing it, because if they’re going to actually mandate it as a requirement, they’re going to have to dedicate more funding to make sure they have everything. All (companies) agree they don’t have training and certification as a requirement, but they all agree that it would improve their security and reduce human error. They don’t practice what they’re preaching.”
Surveyed companies, representing industries such as financial services, manufacturing, government and education, reported that human error, alone or in combination with technological glitches, caused four out of five breaches. Human errors can be as basic as not installing antivirus software or misconfiguring a firewall, which is why CLOs need to get their IT staff trained and certified if they are to reduce the number of incidents. Manzow said that the growing number of compliance regulations such as Sarbanes-Oxley means executives must think strategically about learning offerings in relation to the IT department, and should spotlight the damage to business operations and financial performance that results from a lack of awareness.
Half of the organizations polled said they have no plans to implement security awareness training for their employees outside the IT department, nor have they considered it. This points to a potentially huge disconnect between security knowledge and action. Additionally, training and certification requirements are still uncommon for current employees and new hires. Only 27 percent of organizations require IT security training, and just 12 percent require certification. These low numbers in conjunction with the lack of written IT security policies foster gaps in security knowledge among end users.
“As a chief learning officer, you’re setting up the career and training plans for your current staff,” Manzow said. “Security needs to be a part of it, especially for the IT staff who are implementing all these new measures. Then look at all your staff to make sure they’re aware of a security policy, and then enforce it.”