Severity of security breaches worsens

The average severity of security breaches has doubled, according to a new study, even though the number of actual reported break-ins is down.


The average severity of security breaches has doubled, according to a new study, even though the number of actual reported break-ins is down.

The US Computing Technology Industry Association (CompTIA) study, based on data collected from more than 1,000 IT professionals, revealed that 34% of organisations reported a major security breach in 2006, down from 38% in 2005 and 58% in 2004.

But respondents rated the average severity of breaches as 4.8 (with 10 being most severe), up from between 2.3 and 2.6 in previous years. That might not be surprising given the number of headline-grabbing breaches, such as the TK Maxx breach in which tens of millions of credit and debit card numbers were stolen.

IT professionals reported increasing their spending on security technology, training and certifications. The amount of their IT budgets dedicated to security totalled 20% in 2006, an increase from 15% in 2005 and 12% in 2004. More than two-thirds (68%) of organisations allocate at least some portion of their IT budget to training or certification, an increase from 55% the year before. Security training or certification accounted for 12 percent of the total budget, compared with 8% in 2005. And 78% of those surveyed said management now considers information security a top priority.

“We are making real progress at reducing the number of breaches, but the threats are becoming more sophisticated,” says Brian McCarthy, COO of CompTIA.

More than half (55%) of IT professionals surveyed reported spyware as a top security concern, followed by lack of user awareness for 54%. Nearly half said virus and worms continue to pose a threat, while about 44% cited abuse by authorised users as a key security challenge. Human error was reported as the cause of a security breach by 42% of organisations, compared with 59% in 2005. Other security challenges include browser-based attacks (41%), remote access (40%), wireless networking security (39%) and lack of enforcement of security policy (36%).

“Compared to last year, more than half of all organisations report that security threats associated with the use of handheld devices, spyware, voice over IP, wireless networking and remote/mobile access have increased significantly over the previous 12 months,” the report reads.

CompTIA says security policies and training can help prevent organisations from falling victim to attacks. Of those polled, 62% said their organisation has written IT security policies in place, compared with 47% two years ago. Of those who have written security policy, 81% said the policy is specific to information on how to secure remote and mobile employees.

Now take part in our How Green is your IT? survey.

"Recommended For You"

Business data theft rising remorselessly says government IT security jobs largely ‘untouched’ by recession