
Employee error fuels data security breaches, survey finds

By Robert Westervelt, News Editor
24 Sep 2007 | SearchSecurity.com


Employee misconduct and unintentional actions like errors and omissions are the greatest cause of data security breaches, according to a survey released recently by auditing and accounting firm Deloitte Touche Tohmatsu.


The firm surveyed senior information technology executives from 169 major global institutions on current trends in security and privacy. Deloitte said 68% of those surveyed were banks.

Almost two-thirds of survey respondents reported repeated external security breaches, and the top three breaches this year were viruses and worms, email attacks, and phishing/pharming -- all unwittingly perpetrated via the customer, Deloitte said.

The survey also revealed a shift in priorities from protecting sensitive data from attack by outsiders to addressing internal threats. An overwhelming majority of respondents, 91%, are concerned about employees. Nearly 80% cited the human factor as the root cause for information security failures.

The high-profile data breaches in recent months, starting with the massive breach at Framingham, Mass.-based TJX Cos., made security a higher priority among senior executives. Michelle Stewart, CISO at AirTran Airways, has been upgrading security systems at the Orlando, Fla.-based airline as part of her company's compliance initiatives. Stewart said high-profile data breaches helped give some security projects a much-needed boost.

"Security used to be a cost thing and in many areas of IT we needed to reduce our costs," Stewart said. "A lot more risk was accepted than there is today because of the publicity of the data breaches."

According to the Deloitte survey, virtually all respondents indicated increased security budgets. But 35% said that their investment in information security is lagging behind business needs, and only 20% of U.S. respondents feel that they have the required skills and competencies to deal with existing and foreseeable security requirements.

"Due to the increased number of high-profile losses or theft of customer data, data protection has been the subject of intense attention over the past 18 months," Deloitte said.

Stewart couldn't agree more, saying the press attention has helped boost the budgets of security pros across various industries. AirTran is currently deploying ArcSight Enterprise Security Management software to log and examine event information and discover risks within the organization. The company is also rolling out security awareness programs and getting its various business units involved in identifying security issues.

"We're saying that we're all in this together, we're all on the same team and we should all be looking out for one another," Stewart said. "We could look all day long for correlations of events, but the source of the pain is at the user level and that's where the insider threats come in."

The Deloitte survey identified identity and access management as the top operational initiative of the year, followed by regulatory compliance, security training and awareness, governance for security, and disaster recovery and business continuity.

In addition, 90% of those surveyed said government-driven security regulations are effective in improving security in their industry. Still, only 20% of respondents said that they have the required skills and competencies to deal with existing and foreseeable security requirements.

"There's no longer an imaginary bad guy," AirTran's Stewart said. "Highly publicized breaches certainly affected the amount of budget, protection and resources that security gets to battle the problem."

While companies are taking action to beef up security by deploying new technologies, many firms need to better educate employees to increase their security awareness. Two other recent studies show that some firms are not doing enough planning before throwing money at the issue. A study on IT security by the Computing Technology Industry Association (CompTIA) found that proper training of IT pros could help stave off a security breach. Meanwhile, a VeriSign review of PCI Data Security Standard (PCI DSS) assessments it conducted found that more than half were still stumbling on the path to compliance.


