CIOs, CSOs feel powerless to fix the human IT-security hole

Stupid mistakes, poor training and intentional sabotage among employee depredations

Been hit by a security breach? You're not alone, with new research suggesting that fully 63 percent of Australian organisations have had to deal with cybersecurity incidents – and that Australians are better than most at compromising their company's security.

The figures come from a multi-country survey of 1509 business and technology executives worldwide conducted by technology-industry association CompTIA, which found that 72 percent of Australian respondents expected cybersecurity to become a higher priority in the next two years.

Much of this changing attitude was due to internal factors such as a change in IT operations driven by the adoption of cloud or mobility (reported by 41 percent of respondents) or a change in business operations or client base (27 percent).

Fully 32 percent said their business was increasing its cybersecurity focus after an internal security breach or incident. Indeed, such internal breaches were commonly reported, with 61 percent of the 125 participating Australian organisations admitting that human error was a major contributor to their security risk – compared with an average of 58 percent internationally.

Such breaches reflected the high prevalence of undesirable human behaviour ranging from unintentional omissions – for example, failing to keep up with new threats (37 percent), end-user failure to follow policies and procedures (31 percent), general carelessness (28 percent) and lack of expertise with Web sites and applications (27 percent) – to intentional disabling of security features, reported by 28 percent of respondents.

Reuse of passwords had proven to be a major issue amongst employees who were favouring convenience over security to retain access across social-media sites, CompTIA director of channel dynamics and ANZ community director Moheb Moses told CSO Australia. “The battle between security and convenience is an issue in security generally,” he explained. “Employees know they need to be more secure, but if they can't use the same password on every site it's more secure but less convenient. It's the attitude and culture created by the use of social media that creates this security issue. Many don't even realise this is a security breach.”

The problem was compounded by the number of sites on which employees used similar credentials. “An average person reuses a favourite or easy-to-remember password across multiple sites and apps,” Chris Webber, security strategist with Centrify, said in a statement in the wake of recent news that a Russian hacker had leaked tens of millions of stolen Webmail credentials. “Password theft is getting simpler every day. Forget about movie-style, brilliant-minded, sophisticated hackers. Forget about savvy criminals planning Ocean’s Eleven-style capers; password harvesting can now be done by anyone clever enough to make a cat meme, or post a nasty comment on YouTube, thanks to simple downloadable toolkits.”
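The reason a leaked Webmail password matters to an employer is that the same password is often still valid on a corporate account. The following Python script, added here as an illustration and not code from CompTIA, Centrify or CSO Australia, shows the check a security team can run when such a dump appears: parse the leaked `email:password` pairs, map them to staff through the corporate address or any personal address the employee has registered, and test each candidate against the stored salted PBKDF2 hash. The dump, the user list and the registered-address field are constructed for the example; a real directory stores only hashes, never the plaintext used here to build the demo records.

```python
"""Detect corporate password reuse from a leaked credential dump (constructed demo data)."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # kept low for the demo; raise to suit your hardware in production

# Constructed sample dump in the common "email:password" leak format. Not real data.
LEAKED_DUMP = """alice@example.com:Summer2016!
bob@example.com:hunter2
carol.p@mail.example:correcthorse
alice@example.com:Winter2015
garbage line without a separator
"""


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the same function the directory used when the hash was stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_directory(users):
    """Build a hashed directory from (corporate_email, [registered_addresses], plaintext).

    Plaintext is used only to construct the demo records; a production directory
    already holds the salt and digest and never sees the password again.
    """
    directory = {}
    for corp_email, extra_addresses, plaintext in users:
        salt = os.urandom(16)
        directory[corp_email.lower()] = {
            "addresses": {corp_email.lower(), *(a.lower() for a in extra_addresses)},
            "salt": salt,
            "digest": hash_password(plaintext, salt),
        }
    return directory


def parse_dump(text):
    """Return (address, password) pairs, skipping malformed lines instead of crashing on them."""
    creds = []
    for line in text.splitlines():
        address, sep, password = line.partition(":")
        if not sep or "@" not in address:
            continue
        creds.append((address.strip().lower(), password))
    return creds


def find_reused_credentials(dump_text, directory):
    """Return the corporate accounts whose current password appears in the dump.

    Each leaked password is only tried against accounts that own the leaked address,
    so the expensive PBKDF2 work stays proportional to the number of matching rows.
    """
    leaked_by_address = {}
    for address, password in parse_dump(dump_text):
        leaked_by_address.setdefault(address, set()).add(password)

    hits = []
    for corp_email, record in directory.items():
        candidates = set()
        for address in record["addresses"]:
            candidates |= leaked_by_address.get(address, set())
        for password in candidates:
            # Constant-time comparison of the recomputed digest against the stored one
            if hmac.compare_digest(hash_password(password, record["salt"]), record["digest"]):
                hits.append(corp_email)
                break
    return sorted(hits)


# Constructed staff list: alice reused her leaked password; bob did not; carol reused the
# password from a personal address she registered with the company.
SAMPLE_USERS = [
    ("alice@example.com", [], "Summer2016!"),
    ("bob@example.com", [], "a-different-password"),
    ("carol@example.com", ["carol.p@mail.example"], "correcthorse"),
]

if __name__ == "__main__":
    print(find_reused_credentials(LEAKED_DUMP, build_directory(SAMPLE_USERS)))
```

Accounts returned by `find_reused_credentials` are the ones to force a reset on immediately; the pairing of a personal address with a corporate account is what turns a social-media leak into a corporate exposure, which is the reuse pattern the survey respondents describe.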

One out of four respondents to the CompTIA survey said they had had breaches because IT staff failed to follow policies and procedures – yet they admitted being powerless to fix the situation: just 23 percent of organisations rate their cybersecurity education and training methods as being extremely effective.

The rest highlighted the need for strategies including making employee cybersecurity education mandatory; more comprehensive training delivered more often; and follow-up tests and assessments. Interestingly, Australian companies seemed less concerned about following up users after training: just 50 percent said testing after training was very important, compared with 63 percent globally.

There were some positives from the findings, however: Australian companies were less likely than the international average to suffer security breaches overall, with 37 percent of respondents saying they had had no breaches in the past 12 months – compared with 27 percent internationally.

Some 55 percent of Australian and 64 percent of international respondents had experienced from 1 to 10 breaches over the past 12 months.

Australian companies were also less likely to be panicking over the need for cybersecurity policy change, with just 25 percent expecting a significantly higher focus on security in the next 12 months as opposed to 35 percent globally.

By David Braue, CSO Australia