CIOs, CSOs feel powerless to fix the human IT-security hole
- 06 May, 2016 14:06
Been hit by a security breach? You're not alone, with new research suggesting that fully 63 percent of Australian organisations have had to deal with cybersecurity incidents – and that Australians are better than most at compromising their company's security.
The figures come from a multi-country survey of 1509 business and technology executives worldwide conducted by technology-industry association CompTIA, which found that 72 percent of Australian respondents expected cybersecurity to become a higher priority in the next two years.
Much of this changing attitude was driven by internal factors such as a change in IT operations due to adoption of cloud or mobility (reported by 41 percent of respondents) or a change in business operations or client base (27 percent).
Fully 32 percent said their business was increasing its cybersecurity focus after an internal security breach or incident. Indeed, such internal breaches were commonly reported, with 61 percent of the 125 participating Australian organisations admitting that human error was a major contributor to their security risk – compared with an average of 58 percent internationally.
Such breaches reflected the high prevalence of undesirable human behaviour ranging from unintentional omissions – for example, failing to keep up with new threats (37 percent), end-user failure to follow policies and procedures (31 percent), general carelessness (28 percent) and lack of expertise with Web sites and applications (27 percent) – to intentional disabling of security features, reported by 28 percent of respondents.
Reuse of passwords had proven to be a major issue amongst employees who were favouring convenience over security to retain access across social-media sites, CompTIA director of channel dynamics and ANZ community director Moheb Moses told CSO Australia. “The battle between security and convenience is an issue in security generally,” he explained. “Employees know they need to be more secure, but if they can't use the same password on every site it's more secure but less convenient. It's the attitude and culture created by the use of social media that creates this security issue. Many don't even realise this is a security breach.”
The problem was compounded by the number of sites on which employees used similar credentials. “An average person reuses a favourite or easy-to-remember password across multiple sites and apps,” Chris Webber, security strategist with Centrify, said in a statement in the wake of recent news that a Russian hacker had leaked tens of millions of stolen Webmail credentials. “Password theft is getting simpler every day. Forget about movie-style, brilliant-minded, sophisticated hackers. Forget about savvy criminals planning Ocean’s Eleven-style capers; password harvesting can now be done by anyone clever enough to make a cat meme, or post a nasty comment on YouTube, thanks to simple downloadable toolkits.”
One out of four respondents to the CompTIA survey said they had had breaches because IT staff failed to follow policies and procedures – yet they admitted being powerless to fix the situation: just 23 percent of organisations rate their cybersecurity education and training methods as being extremely effective.
The rest highlighted the need for strategies including making employee cybersecurity education mandatory; more comprehensive training delivered more often; and follow-up tests and assessments. Interestingly, Australian companies seemed less concerned about following up with users after training: just 50 percent said testing after training was very important, compared with 63 percent globally.
There were some positives from the findings, however: Australian companies were less likely than the international average to suffer security breaches overall, with 37 percent of respondents saying they had had no breaches in the past 12 months – compared with 27 percent internationally.
Some 55 percent of Australian and 64 percent of international respondents had experienced from 1 to 10 breaches over the past 12 months.
Australian companies were also less likely to be panicking over the need for cybersecurity policy change, with just 25 percent expecting a significantly higher focus on security in the next 12 months as opposed to 35 percent globally.