The growing proliferation and sophistication of hackers, combined with greater reliance on interconnected applications, devices and systems, has created a security environment that’s challenging for even the best prepared organizations, according to CompTIA.
“It’s not that businesses need to be convinced that security is important,” said Seth Robinson, senior director, technology analysis, CompTIA. “Instead, they need to be convinced of the ways that their current security approach is putting them at risk.”
The growing organization of hackers (cited by 54 percent of firms), the sophistication of threats (52 percent) and the greater availability of hacking tools (48 percent) carry implications for business. Attacks can be more dynamic, changing rapidly and targeting victims with greater efficiency.
Just over half of the companies surveyed (52 percent) say greater interconnectivity has complicated their security. As organizations have embraced cloud computing and mobile technology solutions, they have extended the security perimeter, creating new security considerations. Legacy security systems and practices are often not sufficient to protect the expanded perimeter.
Robinson identifies three areas where organizations are changing their security posture: technology, processes and personnel.
Companies are bringing in new security technologies to go along with the new business technologies they’re using. Data loss prevention (DLP) is one of the most common new tools, currently in use by 58 percent of companies. Identity and access management (IAM) and security information and event management (SIEM) both showed strong growth in adoption, at 57 percent and 49 percent, respectively.
But technology is only one component of the new security approach. Processes must be considered, and the best place to document process decisions is in a formal security policy. Yet only half of all companies believe they have a comprehensive security policy in place.
One process that more companies need to focus on is a formal risk analysis. Compared to 2013 data, fewer firms feel that they have the appropriate balance between risk and security, a viewpoint shared evenly across all company sizes.
Malware and hacking are still the top threats causing concern, with nearly half of all companies citing these as serious concerns. The human element in security is still present, too.
“Though human error ranks low as a serious concern, companies report that it is the largest factor behind security breaches,” Robinson said.
With regard to human error, more training is the clear answer, but companies struggle with understanding how to make an investment in training that will pay off. Only 54 percent of companies offer some form of cybersecurity training, typically done through new employee orientation or an annual refresher course. But there are few metrics to evaluate the effectiveness of this training. Businesses readily acknowledge that they would like to see better content in their security training.
Data for CompTIA’s Trends in Information Security study was derived from two online surveys conducted in January 2015 among business executives and technology professionals at U.S. companies. One survey focused on general security issues (400 respondents) and the other on security training issues (300 respondents).