Computer security's weak link: Humans
When it comes to computer security, the problems most companies experience can be traced to the biological units that interface with their systems. Otherwise known as humans, and with humans come errors.
A study released Friday by the IT trade association CompTIA found that human error was the root cause of 52 percent of all security breaches. The tricky part, though, comes in addressing the issue, particularly as computer security becomes an increasingly important issue for boards of directors in light of recent high-profile attacks on Sony (SNE) Pictures, Target (TGT), Anthem (ANTM) and so many other corporations.
The report noted:
"The main reason that companies exhibit a low level of concern over human error is that it is a problem without an obvious solution. A high level of concern over malware or hacking can be addressed with an investment in technology. A high level of concern about employee error can possibly be addressed with an investment in training, but there are complications involved. ... Only 54% of companies offer some form of cybersecurity training, with the format most often being new employee orientation or some kind of annual refresher course."
Unfortunately, many companies can't afford to provide adequate training, with 26 percent saying they don't have a sufficient budget. Another 20 percent aren't sure where to find the proper security training, and 19 percent aren't sure which training is the most effective.
Companies are starting to see more examples of human error in their day-to-day operation. The trade group noted that 39 percent of respondents said human error was more of an issue than it was two years ago.
A CompTIA survey of 300 end users outlined the biggest sources of human error, including failure to follow general policies and procedures (42 percent), general carelessness (42 percent) and failure to get up to speed with new threats (31 percent).
The incidents of human error don't always indicate incompetence or negligence. As insurance coverage for cybercrime becomes increasingly common, insurance companies are demanding that companies adhere to stricter security practices. Moreover, most states have implemented laws that require companies to disclose cyberattacks to the public.
"I don't want to equate human error with negligence," said Brenda Sharton, a partner in law firm Goodwin Procter's Privacy & Data Security Practice. "Human nature is human nature. You are never going to have perfect security."
Wall Street also is paying closer attention to the issue because the ramifications can be serious. Target last year ousted CEO Greg Steinhafel after the second-largest retailer bungled its response to a data breach that exposed information on 40 million customers. And Sony Pictures CEO Amy Paschal resigned her position after hackers, perhaps with backing from North Korea, infiltrated the company's network and publicized some of her personal emails that contained racially insensitive language.