Study: More companies making IT security a top priority

The results of a new study released this week by CompTIA, a non-profit trade association that represents 2,500 companies in the IT community, show a mixed bag as it relates to the state of corporate IT security.

According to the 8th Annual Global Information Security Trends report, which consist of responses from 1,400 IT and business executives, 63 percent of organizations reported experiencing at least one security incident or breach within the last 12 months. Among those that experienced a breach, 45 percent classified it as a potentially serious threat, meaning it could have an impact financially or on the company's reputation.

Though those figures shouldn't come as a shock, given the sheer volume of IT threats, Tim Herbert, vice president of market research at CompTIA, says what's more alarming is the number of organizations that may not know they've had a breach.

"What's most disconcerting is the companies that don't realize they have had a breach and that could be both the obvious breaches, meaning they may have malicious code on a server or on a website, but also things such as data leakage," Herbert said. "(That could include) employees that may be sharing company data or other types of threats that we would put under the umbrella of security."

Sixty-seven percent of respondents also said that they believe the security threat level for IT is increasing, while 33 percent felt that threat level had not changed or was actually decreasing.

"The research does suggest that IT professionals are more concerned today than they were two years ago," Herbert said. "The trend is certainly sloping upwards."

In fact, 49 percent of survey respondents now say that security is a top IT priority versus 35 percent in 2008. By 2012, 58 percent of respondents expect security to be an upper level priority.

It's also apparent from looking at the numbers that many IT professionals believe that the technology needed to battle viruses and malware has improved, as nearly 60 percent of survey participants blamed human error rather than technology shortcoming for breaches. Forty-nine percent of respondents said that the failure of workers to comply with IT security policies was the biggest factor in human errors that led to breaches, followed by lack of security training at 36 percent and inadequate time or resources to manage threats at 30 percent.

Herbert said that oftentimes it's not an intentional act on the part of an employee that leads to a human error breach. More often than not, it's an employee trying to get caught up on work and copies sensitive information to a USB drive and then opens it on a corrupted computer at home. The resolution to this problem, according to Herbert, lies in more frequent discussion about the company's IT policies, as well as training.

"Certainly, one thing for companies to do is to make sure their security polices are up to date... and to make sure that policies are discussed more than once a year," Herbert said. "We found in some of our previous research that oftentimes an employee is introduced to the security policy at orientation and never again."

Despite the high number of breaches and increased concerns over IT threats, Herbert says that the report actually holds a lot of good news for the industry considering how seriously companies are now taking threats to their networks.

"It is pretty easy to focus on the negative, the shortcomings either in company security polices that may lead to human error or even the shortcomings in technology, but I think the results (of the survey) also point to improvements being made. While many professionals think that the security threat level will increase over the years, we also see that a number also believe that the right mix of technology, training and security policies have improved the security landscape," he said. "I think a lot of organizations are probably realistic in knowing that it's probably not a matter of if, but when the next security breach may occur. But more and more are rating security as a higher priority within the organization, which means they are committing more resources not just to the technology, but to the human elements as well."