Study: Companies not as secure as they think

CompTIA says 80 percent of companies surveyed believe their security is satisfactory, but only 13 percent had made changes since embracing cloud and BYOD

CompTIA, the nonprofit association for the IT industry, has a warning for companies: You are likely less prepared than you think for defending against security threats.

In a recent survey of 1,000 IT professionals and companies, CompTIA found that more than 80 percent believed their current level of security was completely or mostly satisfactory. This high level of confidence was expressed despite the fact that only 13 percent of the respondents had made drastic changes to their security approach over the last two years.

During that time, many organizations have embraced cloud computing and bring-your-own-device practices and expanded their use of social media, all of which would require new technologies and policies to secure. Without those changes, a company's security is likely inadequate.

"Sometime in the past, they did a fairly thorough analysis of their security situation," Seth Robinson, director of technology analysis for CompTIA, said Monday. "But with the large technology changes that we're seeing today, that analysis may be a little bit stale."

For many companies, the focus remains on hacking and malware as persistent threats. Yet the landscape has changed dramatically with the rise of advanced persistent threats, denial-of-service and IPv6 attacks, and mobile malware.

The survey indicates that many companies need to step back and re-evaluate their security tactics, starting at the top level of the business and working down through all departments.

For the 11 years CompTIA has been doing the annual survey, employee mistakes have always been a major cause of security breaches. In the latest report, more than half of the respondents said human error has become a bigger problem over the last two years.

CompTIA believes the increase is likely due to employees' use of cloud services, such as Dropbox or Google Apps, as well as mobile devices and social media. In the majority of cases, employees do not realize that their behavior is risky or violates corporate policies.

While acknowledging that human error has become a greater threat, only one in five of the respondents in the CompTIA survey viewed it as a "serious concern."

This contradiction likely arises because most human error stems from ignorance in using new technologies, Robinson said. While companies know how to bolster security against malware, they have less experience in solving problems stemming from a lack of education.

"Companies need to think about security education differently than they have before, so it's taking some time for that to sort itself out," Robinson said.

Companies are also struggling to find security professionals with the skills to lock down emerging technologies, CompTIA found. The areas most lacking in talent included cloud and mobile security, data loss prevention and risk analysis.

This story, "Study: Companies not as secure as they think," was originally published by CSO.

Copyright © 2013 IDG Communications, Inc.