Survey: IT Security Breaches More Severe

The severity of security breaches is climbing at a time when IT
organizations are under pressure to cut expenses and work with smaller
budgets.

But the good news is that IT security remains a major priority among IT
professionals. A total of 38 percent of U.S.-based IT professionals
ranked IT security as their top priority. That’s according to this
year’s State of IT Security survey of 1,500 IT professionals in the
United States, U.K., China and India, commissioned by CompTIA.

“The vulnerabilities have always been there,” Tim Herbert, vice
president of research at CompTIA tells Channel Insider. And because of
the recession “there has been an increase in the financial incentive to
steal data. More people are leaving organizations through potential
layoffs, buyouts and whatnot. It’s not necessarily malicious, but
people want to take their contact information with them.”

Other new vulnerabilities come from the increased use of smartphones by
employees and also from more employees accessing social networking
sites such as Facebook and Twitter.

“When used inappropriately these can also lead to problems,” Herbert says, pointing out the recent Twitter virus.

While data confirms that the number of security breaches has not
increased significantly, the severity level of breaches has been
trending upwards, Herbert says.

Survey respondents rated breach severity on a scale of 1 to 10. In 2006
the average severity ranked 4.8, in 2007 5.3 and in 2008 5.6.

For 2008, the mean total cost of security breaches came in at $85,161 while the median chosen was $5,000 to $9,999.

Survey respondents who reported breaches over during 2008 said the total cost of the breaches was as follows:

• $0  – 9 percent
• $1 to $499 – 8 percent
• $500 to $999 – 7 percent
• $1,000 to $4,999 – 19 percent
• $5000 to $9,999 – 19 percent
• $10,000 to $49,999 – 16 percent
• $50,000 to $99,999 –     12 percent
• $100,000 to $999,999 – 7 percent
• $1 million  or more – 3 percent

Most often, breaches are caused by the combination of technical
glitches together with human error. Perhaps an employee leaves a laptop
at airport security, and that laptop does not have data locked down
with a password or other security measure.

That’s why having a written IT security policy that includes mobile
devices is so essential to ensuring an organization’s IT security, says
Herbert. More companies are implementing such policies, and more
companies are making sure that they include mobile devices in the
policies. However, the likelihood of a company having such a policy
depends on the company’s size.  

Herbert recommends that companies periodically review security policies
with employees and make sure that non-IT employees are trained in
proper IT security procedures to protect against the potential for
breaches.