Every year Deloitte releases an in-depth study on the state of IT security. And every year it returns with the same predictable result. Systems are most vulnerable not necessarily due to clever attacks or weaker-than-necessary defenses, but rather due to the carelessness of their users.
Adel Melek, global leader of security and privacy services at Deloitte Touche Tohmatsu, notes, "People continue to be an organization's greatest asset as well as its greatest worry. That has not changed from 2007. What has changed is the environment. The economic meltdown was not at its peak when respondents took this survey. If there was ever an environment more likely to facilitate an organization's people being distracted, nervous, fearful, or disgruntled, this is it. To state that security vigilance is even more important at a time like this is an understatement."
While much of the study falls into the realm of the painfully obvious (such as that robots are unlikely to replace humans in security in our lifetimes), it does raise some interesting points. The obvious solution to the problem -- denial of access -- just doesn't work, it states. Productivity necessitates connectivity, which in turn raises security dangers. The report states, "Human error is overwhelmingly stated as the greatest weakness this year (86%), followed by technology (a distant 63%)."
Social networking and new technologies are cited as critical threats to security. The good news, according to a separate research firm, the Identity Theft Resource Center, is that data breaches due to human error declined slightly in 2008. Still, such breaches account for 35.2 percent of the studied cases that had a reported cause.
Deloitte's Global Security Survey showed more positive signs as well. External breaches arising from viruses and worms dropped from affecting 43 percent of respondents in 2007 to 15 percent in 2008. Email attacks likewise fell from 57 percent to 24 percent. Phishing attacks also fell greatly, down to 7 percent from 38 percent the previous year.
Of the respondents, 80 percent reported being on the receiving end of an external attack which succeeded in breaching their systems. And 70 percent reported internal attacks breaching their systems. The biggest cause for internal breaches was found to be viruses and worms, which hit the systems of 11 percent of respondents.
The study states that the industry, while successful in greatly cutting email and phishing attacks, is having trouble stamping them out entirely. This is due largely to their diverse nature. Still, the study states that firms are getting better prepared to prevent repeated attacks from viruses or worms.
As to the threats posed by user error, recent studies have shown that many users will click on windows that are obviously malware-loaded, in a misguided effort to make them disappear. These studies and others show that you can build an imposing castle, but it can't protect you from people inside it opening the gate.