The number of reported security breaches is down, yet the average severity of breaches has doubled, according to a new study.
The Computing Technology Industry Association (CompTIA) study, based on data collected from more than 1,000 IT professionals, revealed that 34 per cent of organizations reported a major security breach in 2006, down from 38 per cent in 2005 and 58 per cent in 2004.
But respondents rated the average severity of breaches as 4.8 (with 10 being most severe), up from between 2.3 and 2.6 in previous years. That might not be surprising given the number of headline-grabbing breaches, such as the TJX breach in which tens of millions of credit and debit card numbers were stolen.
IT professionals reported increasing their spending on security technology, training and certifications. The share of IT budgets dedicated to security totaled 20 per cent in 2006, an increase from 15 per cent in 2005 and 12 per cent in 2004. More than two-thirds (68 per cent) of organizations allocate at least some portion of their IT budget to training or certification, an increase from 55 per cent the year before. Security training or certification accounted for 12 per cent of the total budget, compared with 8 per cent in 2005. And 78 per cent of those surveyed said management now considers information security a top priority.
More than half (55 per cent) of IT professionals surveyed reported spyware as a top security concern, followed by lack of user awareness (54 per cent). Nearly half said viruses and worms continue to pose a threat, while about 44 per cent cited abuse by authorized users as a key security challenge. Human error was reported as the cause of a security breach by 42 per cent of organizations, compared with 59 per cent in 2005. Other security challenges include browser-based attacks (41 per cent), remote access (40 per cent), wireless networking security (39 per cent) and lack of enforcement of security policy (36 per cent).