New Survey Data: Only 1/4 Breaches Are Intentional

CompTIA Research has published “Trends in Information Security”:

Information security is seen as a key risk among firms, with 80% of US respondents indicating that it is considered top priority by management. Nearly two-thirds of US firms, more than half of UK and Chinese firms, and two-fifths of Canadian firms have implemented written IT security policies.

Impressive, sort of. Is that a top ten or top five priority? What kind of survey asks about top priorities without qualifying how long the list actually runs? Another way of asking might be “what size font does your powerpoint presentation use for priority lists?” Ok, joking aside, here is some hard data:

The percentage of their IT budget that companies dedicate to security is growing year after year. In the US, companies earmarked 12% of their IT budget in 2007 for security purposes – up from only 7% in 2005. The bulk of these dollars are used to procure security-related technologies.

Companies spend substantial amounts on prevention because security breaches can be costly if they occur. In the past year, US firms shelled out an average of over $200,000 as a result of security breaches, a third of which was attributed to the loss of employee productivity. Moreover, in the last year in the US, Canada and UK, IT staff members spent over 10% of their time dealing with security breaches, and in China, almost 20% of their time.

I suspect that earthquake is going to seriously drive up the numbers for China this year.

12%!! Holy smokes. I remember when executives were practically choking to death on 10% budget requests. How will anyone survive spending 12% on security…unless it becomes integrated into the business logic and bottom line calculations of the company? Consider this number:

Security training has saved US organizations upwards of $2.2 million in total, much of which is due to a reduction of server/network downtime and fewer impacts to employee productivity.

That’s correct, uptime is security. Let’s hear it for the availability metrics.

Speaking of which, the survey goes on to reveal that 31 percent of breaches are from combined human error and/or technical malfunction, 29 percent are due to human error alone and 14 percent from technical malfunction alone. Another 10 percent are described as intentional internal breaches, with the remaining16 percent from the outside.

In other words, 26 percent of “breaches” are intentional and the rest are malfunctions by humans or the technology they manage. I guess I am supposed to say it comes from technical malfunction, but I am not exactly sure yet how that differs from human error. The survey clarifies that 45 percent of human error is caused by a failure to follow security procedures while 25 percent is from and a lack of security knowledge.

This report should help security managers make the case for monitoring uptime as part of their remit and let them report downtime, even for potential incidents, as a breach.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.