Hackers are becoming more sophisticated every day, but many of the security breaches and data compromises companies experience come from a lack of education among the workforce about what employees should and shouldn’t do.
To address this, Robinson suggests ongoing, interactive and measured education: moving away from a single annual security review and incorporating “tests” such as simulated phishing emails or a USB drive left in the office, with employees’ responses tracked and measured. Companies must also adjust to new trends, including cloud computing and the continued proliferation of mobile devices, says Robinson.
“People aren’t staying away from the cloud because of (their perceived fear of a lack of) security anymore,” he says, “but they may not be doing all the necessary due diligence. Attackers are starting to figure out how to get into these mobile systems, and companies are more used to dealing in a homogenized environment.”
Another way to address security, says Robinson, is to make it a standalone offering in your suite of services. Today, about 36 percent of companies that answered CompTIA’s Channel Partner Product Offerings study say they offer security as a standalone service, with 49 percent saying they offer it as a component of other services.
“There’s some opportunity to focus on security and build that out as an offering,” says Robinson. “The problem is it’s a lot like insurance, one of those things you hope you’ll never need but wish you’d had it if something happens. How do you communicate that?”
Behind the Numbers
What’s interesting, and perhaps a bit unnerving, is that the reasons companies get hacked or have their information compromised are changing, says Robinson, even in the headline-grabbing cases. The New York Times was allegedly hacked for geopolitical reasons, he says, while the hacks on Adobe and Target were essentially done to prove it was possible.
“It shows what can happen when you’ve got a small hole,” says Robinson. “Large companies have the most to lose, but small and medium-sized businesses tend to be the least protected.”
Fewer than 40 percent of companies that responded to CompTIA’s 11th Annual Information Security Trends study are doing what Robinson calls “real risk assessment.” Companies should balance risk and security better, address the entire workforce in their security practices and offer new security defenses, he says.
One thing that’s always important to remember, says Scott Barlow of CompTIA’s IT Security Community, is that “security is not a brick wall,” despite having been prominently portrayed that way for years.
Malware and hacking have been at the top of the priority list for companies for years, says Robinson, but they don’t always think about data loss, phishing, physical security threats or human error.
“It’s surprising to see that at the bottom of the list,” says Robinson. “It can be difficult to separate a technology error from human error. Human error is usually about a lack of knowledge and a failure to follow procedures. You can’t buy technology to solve that.”