Organizations across industries are investing heavily in cybersecurity tools and technologies, spending an average of $18.4 million annually on such measures. However, 53% of IT teams remain unsure whether the security tools they have deployed are actually working, according to a Tuesday report, The Cybersecurity Illusion: The Emperor Has No Clothes, from the Ponemon Institute and AttackIQ.

The report surveyed 577 US IT security practitioners. While 58% of these professionals said their organizations will increase their IT security budget by an average of 14% in the next year, only 39% reported getting full value from their security investments.

On average, companies deploy 47 different cybersecurity solutions and technologies, according to the report. But fewer than half of IT practitioners said they are confident that data breaches can be stopped with their current investments in technology and staff.

When asked why data breaches still happen, despite investments in cybersecurity technologies, IT and security professionals gave the following 12 reasons, the report found:

  1. Attackers are persistent, sophisticated, well trained and well financed (70%)
  2. It is difficult to protect complex and dynamically changing attack surfaces (66%)
  3. There is a lack of adequate security staff with the necessary skills (65%)
  4. Human error (62%)
  5. Inability to prevent employees from falling for a phishing scam (61%)
  6. Networks are not scanned frequently for vulnerabilities (58%)
  7. Lack of visibility into the operations of our security program (56%)
  8. Lack of control over access privileges (50%)
  9. System glitches (49%)
  10. Difficulty keeping security tools updated (48%)
  11. Misconfigured or incorrectly installed tools (45%)
  12. Threats that have evaded traditional security defense and are now inside the IT environment (39%)

Human factors—including the sophistication of attackers, the lack of sophistication of end users, and gaps in cybersecurity skills in organizations—clearly remain a major security threat to the enterprise. While IT and security professionals often look to security tools and technologies to combat this, there is no replacement for strong employee training practices and seeking out skilled cybersecurity practitioners.
