The number of reported security breaches is down, yet the average severity of breaches has doubled, according to a new study.
The Computing Technology Industry Association (CompTIA) study, based on data collected from more than 1,000 IT professionals, revealed that 34% of organizations reported a major security breach in 2006, down from 38% in 2005 and 58% in 2004.
But respondents rated the average severity of breaches as 4.8 (with 10 being most severe), up from between 2.3 and 2.6 in previous years. That might not be surprising given the number of headline-grabbing breaches, such as the TJX breach in which tens of millions of credit and debit card numbers were stolen.
IT professionals reported increasing their spending on security technology, training and certifications. The amount of their IT budgets dedicated to security totaled 20% in 2006, an increase from 15% in 2005 and 12% in 2004. More than two-thirds (68%) of organizations allocate at least some portion of their IT budget to training or certification, an increase from 55% the year before. Security training or certification accounted for 12% of the total budget, compared with 8% in 2005. And 78% of those surveyed said management now considers information security a top priority.
"We are making real progress at reducing the number of breaches, but the threats are becoming more sophisticated," says Brian McCarthy, COO of CompTIA.
More than half (55%) of IT professionals surveyed reported spyware as a top security concern, followed by lack of user awareness (54%). Nearly half said viruses and worms continue to pose a threat, while about 44% cited abuse by authorized users as a key security challenge. Human error was reported as the cause of a security breach by 42% of organizations, compared with 59% in 2005. Other security challenges include browser-based attacks (41%), remote access (40%), wireless networking security (39%) and lack of enforcement of security policy (36%).
"Compared to last year, more than half of all organizations report that security threats associated with the use of handheld devices, spyware, voice over IP, wireless networking and remote/mobile access have increased significantly over the previous 12 months," the report reads.
CompTIA says security policies and training can help prevent organizations from falling victim to attacks. Of those polled, 62% said their organization has written IT security policies in place, compared with 47% two years ago. Of those who have a written security policy, 81% said the policy specifically addresses how to secure remote and mobile employees.
The average cost of a security breach in 2006 was $369,388; CompTIA estimates the average cost savings of providing IT security training to staff could be $352,000. CompTIA also estimates IT organizations can save $656,000 by having IT employees with security certifications.
Comments (1)
RE: Security breach severity worsens, study finds
By Thomas Neudenberger on September 19, 2007, 2:28 pm
I am not sure if I understand how providing IT security training will help to save money? Perhaps it might help to educate the security personnel so they can take...