Posted by Heidi Schwartz
The growing proliferation and sophistication of hackers, combined with greater reliance on interconnected applications, devices, and systems, has created a security environment that’s challenging for even the best prepared organizations, according to new research released by CompTIA, the IT industry association.
“It’s not that businesses need to be convinced that security is important,” said Seth Robinson, senior director, technology analysis, CompTIA. “Instead, they need to be convinced of the ways that their current security approach is putting them at risk.”
In the new CompTIA study, Trends in Information Security, companies identify a series of factors that are complicating their security readiness. The growing organization of hackers (cited by 54% of firms), the sophistication of threats (52%), and the greater availability of hacking tools (48%) carry implications for business. Attacks can be more dynamic, changing rapidly and targeting with greater efficiency.
Just over half of the companies surveyed (52%) say greater interconnectivity has complicated their security. As organizations have embraced cloud computing and mobile technology solutions, they have extended the security perimeter, creating new security considerations. Legacy security systems and practices are often not sufficient to protect the expanded perimeter.
Robinson identifies three areas where organizations are changing their security posture: technology, processes, and personnel.
Companies are bringing in new security technologies to go along with the new business technologies they’re using. Data loss prevention (DLP) is one of the most common new tools, currently in use by 58% of companies. Identity and access management (IAM) and security information and event management (SIEM) both showed strong growth in adoption, at 57% and 49%, respectively.
But technology is only one component of the new security approach. Processes must be considered, and the best place to document process decisions is in a formal security policy. Yet only half of all companies believe they have a comprehensive security policy in place.
One process that more companies need to focus on is a formal risk analysis. Compared to 2013 data, fewer firms feel that they have the appropriate balance between risk and security, a viewpoint shared evenly across all company sizes.
The Trends in Information Security study reveals that malware and hacking are still the top threats, with nearly half of all companies citing these as serious concerns. The human element in security is still present, too.
“Though human error ranks low as a serious concern, companies report that it is the largest factor behind security breaches,” Robinson said.
With regard to human error, more training is the clear answer, but companies struggle with understanding how to make an investment in training that will pay off. Only 54% of companies offer some form of cybersecurity training.
The complete report is available to CompTIA Premier Members and Registered Users at http://www.comptia.org/resources/trends-in-information-security-study.