Vulnerabilities / Threats
11/14/2012
09:50 AM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Employee-Empowering Technologies Raise Security Stakes For Organizations, New CompTIA Study Reveals

Majority of companies attribute human error as a contributing cause of security breaches

DOWNERS GROVE, Ill., Nov. 14, 2012 /PRNewswire-USNewswire/ -- Cloud computing, mobility, social tools and other technologies that put more power in the hands of individual users pose new challenges for organizations seeking to secure data, devices and networks, new research released today by CompTIA, the non-profit association for the information technology (IT) industry, reveals.

The majority of companies in CompTIA's 10th Annual Information Security Trends study attribute human error as a contributing cause of security breaches, just as they have in the previous nine years of the study. What's changing, however, is that the human element is no longer confined to malware, phishing and viruses.

Cloud computing options force end users to consider how data is handled outside of their organization. Unauthorized mobile applications and mobile malware strains are becoming more prevalent. Social networking is a growing factor affecting organizational security.

"As users gain more responsibility for their own technology, the human element becomes more and more important," said Seth Robinson, director, technology analysis, CompTIA.

"But many organizations are not sure what to do about it," Robinson continued.

"The way they've thought about security in the past is to purchase a firewall or antivirus software or other product. But there's not a product that can help with end-user awareness. It really requires a commitment to training and education."

Four out of five companies expect to keep security as a high priority over the next two years, with large companies more likely to do so than their small and medium counterparts.

"Spending on security products shows no signs of abating, but a comprehensive security solution also must focus on the end users," Robinson said. "It boils down to policies, processes and people; making every user aware of their responsibilities for security."

Along with growing concern over increasingly sophisticated and targeted cyber-attacks, changes in IT operations have also prompted new security approaches. For example, 51% of firms said that their move to cloud solutions or new mobility strategies was responsible for the implementation of new security tactics.

In dealing with these changes, 41% of organizations report a need to help their security staff close moderate or significant gaps in security expertise, with the deficit most pronounced in areas such as cloud security, mobile security and data loss prevention. The impact of these deficiencies is felt in several ways, including being unaware of where the company is exposed (44 percent of responding firms); loss of business as a result of security issues with customer data (39 percent); and costs incurred for training the current workforce (38 percent).

A net 49% of companies say they intend to hire security specialists, including those that also plan on training current staff. Executives have a strong preference for security professionals with industry certifications. A full 84% said they experienced a positive return on investment in security certifications, with certified staff viewed as more valuable because of their proven expertise and ability to perform at a high level than non-certified staff.

CompTIA's 10th Annual Information Security Trends study is based on surveys of

508 U.S. business and IT executives involved in setting or executing information security policies and processes for their organizations; and 368 executives at U.S. IT firms. Surveys were conducted in late September and early October 2012.

About CompTIA

CompTIA is the voice of the world's information technology (IT) industry. Its members are the companies at the forefront of innovation; and the professionals responsible for maximizing the benefits organizations receive from their investments in technology. CompTIA is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy. Visit http://www.comptia.org/home.aspx or follow CompTIA at http://www.facebook.com/CompTIA and twitter.com/comptia.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

CVE-2014-2393
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment.

CVE-2011-5279
Published: 2014-04-23
CRLF injection vulnerability in the CGI implementation in Microsoft Internet Information Services (IIS) 4.x and 5.x on Windows NT and Windows 2000 allows remote attackers to modify arbitrary uppercase environment variables via a \n (newline) character in an HTTP header.

CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

Best of the Web