12 reasons why data breaches still happen

Half of IT security leaders don't know if their cybersecurity tools are working, according to a report from the Ponemon Institute and AttackIQ.


Organizations across industries are investing heavily in cybersecurity tools and technologies, spending an average of $18.4 million annually on such measures. However, 53% of IT teams remain unsure if the security tools they have deployed are actually working, according to a Tuesday report, The Cybersecurity Illusion: The Emperor Has No Clothes, from the Ponemon Institute and AttackIQ.

The report surveyed 577 US IT security practitioners. While 58% of these professionals said their organizations will increase their IT security budget by an average of 14% in the next year, only 39% reported getting full value from their security investments. 


On average, companies deploy 47 different cybersecurity solutions and technologies, according to the report. But fewer than half of IT practitioners said they are confident that data breaches can be stopped with their current investments in technology and staff.

When asked why data breaches still happen, despite investments in cybersecurity technologies, IT and security professionals gave the following 12 reasons, the report found:

  1. Attackers are persistent, sophisticated, well trained and well financed (70%)
  2. It is difficult to protect complex and dynamically changing attack surfaces (66%)
  3. There is a lack of adequate security staff with the necessary skills (65%)
  4. Human error (62%)
  5. Inability to prevent employees from falling for a phishing scam (61%)
  6. Networks are not scanned frequently for vulnerabilities (58%)
  7. Lack of visibility into the operations of our security program (56%)
  8. Lack of control over access privileges (50%)
  9. System glitches (49%)
  10. Difficulty keeping security tools updated (48%)
  11. Misconfigured or incorrectly installed tools (45%)
  12. Threats that have evaded traditional security defense and are now inside the IT environment (39%)

Human factors—including the sophistication of attackers, the lack of sophistication of end users, and gaps in cybersecurity skills in organizations—clearly remain a major security threat to the enterprise. While IT and security professionals often look to security tools and technologies to combat this, there is no replacement for strong employee training practices and seeking out skilled cybersecurity practitioners.



By Alison DeNisco Rayome

Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.