[Dataloss] (Semi-OT) CompTIA Press Release Regarding Security Breaches

lyger lyger at attrition.org
Tue Apr 11 16:04:21 EDT 2006


(not exclusive to data loss and data theft, but related)

http://www.comptia.org/about/pressroom/get_pr.aspx?prid=903

Organizations Ignoring Main Culprit in Information Security Breaches, New 
CompTIA Research Reveals

Oakbrook Terrace, IL, April 11, 2006 - Organizations are doing little to 
address the most serious threat to their information security and technology 
infrastructure, according to new research released today by the Computing 
Technology Industry Association (CompTIA).

Human error was responsible for nearly 60 percent of information security 
breaches experienced by organizations over the last year, according to the 
fourth annual CompTIA study on information security and the workforce. That 
figure is significantly higher than one year ago, when 47 percent of security 
breaches were blamed on human error alone.

Yet despite the prominent role that human behavior plays in information 
security breaches, just 29 percent of the 574 organizations that participated 
in the survey said that security training is a requirement at their company. 
Only 36 percent of organizations offer end-user security awareness training.

"The primary cause of security breaches - human error - is not being adequately 
addressed," said Brian McCarthy, chief operating officer, CompTIA. "The person 
behind the PC continues to be the primary area where weaknesses are exposed."

Over the past several years a sophisticated security infrastructure that is 
better able to detect and prevent attacks has emerged. The CompTIA study found 
that antivirus software is nearly universal (96 percent penetration); and the 
vast majority of organizations utilize firewalls and proxy servers (91 
percent). Disaster recovery plans, intrusion detection systems and written 
information security policies are also popular measures.

"As we get better from a technology standpoint, many organizations seem to 
believe that technology solutions alone are sufficient to turn back all 
attacks, and a level of complacency may be setting in," McCarthy said. "The 
fact remains that no technology on its own can be completely successful without 
an equally strong commitment to information security awareness and training 
throughout every level of the organization."

For its part, CompTIA offers its CompTIA Security+ certification, a 
foundation-level, vendor-neutral professional certification for network 
security practitioners with two years' experience and who have daily 'hands-on' 
responsibility for information security. The certification was developed with 
the involvement of some 1,100 experts around the world with first-hand 
experience in IT security implementation.

Virus, worm attacks still prevalent

Virus and worm attacks were the most commonly mentioned security problem, as 
they have been through all four years of the CompTIA study on information 
security. A lack of user awareness, browser-based attacks and remote access 
were the next most frequently mentioned security problem areas.

About 40 percent of organizations participating in the survey said they had 
experienced at least one security attack in the past year. The most severe 
security breaches were reported by large organizations (7,000 or more 
employees) and educational institutions.

The financial impact of information security issues was vividly illustrated 
when survey respondents were asked to place a dollar value on the cost of their 
last security breach. The mean values were over $11,000 for the last security 
breach and just under $35,000 for breaches over the last year. Some 
organizations reported a financial impact above $50,000 for security breaches, 
showing that while a 'garden variety' breach may be little more than an 
inconvenience, the potential for serious harm is always present.

CompTIA commissioned TNS Prognostics, a leader in market research and 
consulting for the IT industry, to conduct the study to identify current IT 
security practices and highlight security challenges confronted by 
organizations of varying sizes and sectors. For more information on the study 
please visit: http://www.comptia.org/sections/research.aspx.

About CompTIA
The Computing Technology Industry Association (CompTIA) represents the business 
interests of the information technology (IT) industry. For 24 years CompTIA has 
provided research, networking and partnering opportunities to its 20,000 member 
organizations in more than 100 countries worldwide. CompTIA initiatives extend 
to areas such as convergence technologies, electronic commerce, information 
security, IT services, public policy, skills development, and software. CompTIA 
helps organizations maximize the benefits they receive from their investments 
in technology; and assists IT workers in obtaining the skills they need for 
productive careers in technology. For more information, please visit: 
www.comptia.org.

Contact:
Steven Ostrowski
CompTIA
Phone: 630-678-8468
Email: sostrowski at comptia.org
