Networking: Human error largely to blame

April 17, 2006

What's the most grave IT security threat today? Hackers? Overly complicated corporate networks? None of the above, experts are telling United Press International's Networking column. Good, old-fashioned human error -- not nefarious, new technologies or super-sophisticated computer geeks, holed up in a shack near the Caspian Sea by the Russian mafia -- are to blame for about 60 percent of IT security breaches.

A new survey, a copy of which was provided to Networking, by the Computing Technology Industry Association (CompTIA), said human error is increasing as an IT problem. Last year, only 47 percent of security breaches were blamed on human error alone.

Though miscues by staffers are largely to blame, only 29 percent of the 574 organizations that participated in the CompTIA survey indicated that security training is a requirement at their company. Only 36 percent of organizations offer end-user security training.

"The person behind the PC continues to be the primary area where weaknesses are exposed," said Brian McCarthy, chief operating officer, CompTIA. "The primary cause of security breaches is not being adequately addressed."

That's because the primary focus of most IT vendors is, simply put, selling hardware or software solutions to their customers. "Where does your e-mail message travel after you hit send?" a spokesman for vendor Echoworx Secure Mail, asked Networking, rhetorically. "Who might be scanning your message? Is it a good guy just doing his job? Or is it a bad guy with malicious intent? When it comes to e-mail and protecting your identity, these are questions that everyone should consider, but most people never think about."

This week, Echoworx is introducing a new desktop-to-desktop e-mail encryption tool to secure the confidentiality of communications.

Other sophisticated security infrastructure, similar to that technology, has emerged over recent years and enables IT departments to more effectively detect and prevent attacks. For example, the CompTIA study demonstrated that anti-virus software is "nearly universal" with nearly 96 percent penetration. The vast majority or organizations utilize firewalls and proxy servers, at 91 percent. What is more, disaster recovery plans, intrusion detection systems and written information security policies are also popular measures, the survey showed.

"As we get better from a technology standpoint, many organizations seem to believe that technology solutions alone are sufficient to turn back all attacks, and a level of complacency may be setting in," McCarthy said.

But, McCarthy stressed, the fact is that no technology "on its own" can be completely successful without a strong commitment to information security awareness and training throughout every level of the organization.

To be sure, hackers are still on the attack - whether they be employed by the Russian mob or not. Virus and worm attacks were the "most commonly mentioned" security problem in the CompTIA study, which was completed by TNS Prognostics, a leading market research firm.

Approximately 40 percent of organizations participating in the survey said they had experienced at least one security attack in the past year. The most severe security breaches were reported by large organizations -- with 7,000 or more employees -- and educational institutions, like colleges and high schools. The mean value for each security breach is $11,000, according to the survey by the Oakbrook Terrace, Ill.-based trade association.

Experts tell Networking that there is no way to completely prevent IT security problems from happening. "Executive summary -- nothing is 100 percent secure," Ted Demopolous, an IT consultant, based in Durham, N.H., and business book author, told Networking.

Copyright 2006 by United Press International