A very interesting piece of research by the Ponemon Institute on behalf of the security vendor Sophos. A summary of the study is below.
Cyber security is often not a priority
- 58% of respondents say that management does not see cyber-attacks as a significant risk
- 44% say a strong security posture is not a priority.
- Those two findings reveal the difficulty IT functions face in securing the necessary funding for skilled personnel and technologies. As evidence, 42% of respondents say their budget is not adequate for achieving an effective security posture.
- While an organization’s IT leaders often rely on the need to comply with regulations to make their case for IT security funding, 51% of respondents say compliance does not lead to a stronger security posture. More important is obtaining management’s support for making security a priority.
Senior management rarely makes decisions about IT security
Who is responsible for determining IT Security Priorities?
- CIO: 32%
- No one: 31%
Lack of in-house expertise hinders the achievement of a strong security posture
- Organizations represented in this research face a lack of skilled and expert security professionals to manage risks and vulnerabilities. Only 26% of respondents say they have sufficient expertise, with 15% not sure. On average, three employees are fully dedicated to IT security.
Security threats and attacks experienced
“Did our organization have a cyber-attack? I don’t really know.” When asked if they were attacked in the past 12 months:
- 42% of respondents say they were
- 33% (one third of respondents) are unsure whether an attack occurred in the past 12 months
- Of the 42% who say an attack occurred, it was most likely the result of phishing and social engineering, denial of service and botnets, or advanced malware/zero-day attacks.
Data breach incidents are known with greater certainty
More respondents can say with certainty that a data breach occurred in their organization. For purposes of the research, a data breach is the loss or theft of sensitive information about customers, employees, business partners and other third parties. 51% say their organization experienced an incident involving the loss or exposure of sensitive information in the past 12 months, although 16% say they are unsure.
More than half of respondents say their organization has had a data breach
- 51% cite a third-party mistake or a negligent employee or contractor as the cause
- 44% cannot identify the root cause.
Most organizations say cyber-attacks are increasing or there is no change
- 76% of respondents say their organizations face more cyber-attacks, or at least the same number
- 18% are unable to say
Most organizations see cyber-attacks as becoming more sophisticated
- 56% say cyber-attacks are more sophisticated
- 45% say they are becoming more severe
- 28% of respondents are uncertain if their organizations are being targeted
- 25% are unsure if the attacks are more sophisticated
- 23% do not know if these attacks are becoming more severe.
The research reveals there is often confusion as to what best describes advanced persistent threats (APTs). When asked to select the one term that best fits their understanding, only one-third of respondents say they are recurrent, low-profile targeted attacks, while the same percentage of respondents are not sure how to describe them. As a result, there may be uncertainty as to which dedicated technologies are necessary for preventing them.
Disruptive technology trends
The cloud is important to business operations
- 72% of respondents do not view security concerns as a significant impediment to cloud adoption within their organizations
- 77% say the use of cloud applications and IT infrastructure services will increase or stay the same
- 39% of their organization’s total IT needs are now fulfilled by cloud applications and/or infrastructure services
The use of cloud applications and IT infrastructure is not believed to reduce security
- 45% of respondents say the cloud is not considered to have an effect on security posture
- 12% say it would actually diminish security posture
- 25% of respondents say they cannot determine if the organization’s security effectiveness would be affected
The use of mobile devices to access business-critical applications will increase
- 46% of an organization’s business-critical applications are accessed from mobile devices such as smart phones, tablets and others.
- 69% of respondents expect this usage to increase over the next 12 months.
While respondents do not seem to be worried about cloud security, mobile device security is a concern.
- 50% of respondents say such use diminishes an organization’s security posture
- 58% say security concerns are not stopping the adoption of tablets and smart phones within their organization.
BYOD also affects the security posture
- 26% of mobile devices owned by employees are used to access business-critical applications.
- 70% of respondents either expect their use to increase or stay the same
- 71% say security concerns do not seem to be a significant impediment to the adoption of BYOD
BYOD is a concern for respondents
- 32% say there is no effect on security posture
- 45% of respondents believe BYOD diminishes an organization’s security effectiveness.
Effectiveness of security technologies
The majority of respondents have faith in their security technologies
- 54% of respondents say the security technologies currently used by their organization are effective in detecting and blocking most cyber-attacks
- 23% are unsure
Big data analytics and web application firewalls are technologies growing in demand
Today, the top three technologies in use are:
- client firewalls
- endpoint management
They are likely to remain the top choice over the next three years. The deployment of certain technologies is expected to grow significantly. Investment in big data analytics and web application firewalls will see the greatest increases (28% and 21%, respectively). These technologies are followed by endpoint management (19% increase), anti-virus and next generation firewalls (both 15% increase), and network traffic intelligence and unified threat management (both 14% increase). The percentage of respondents who say they use IDS and SIEM technologies decreases slightly (6%) over the next three years.
The cost impact of disruptions and damages to IT assets and infrastructure
Damage or theft of IT assets and infrastructure is costly. The study considers two categories of cost:
1. The cost of damage or theft to IT assets and infrastructure
2. The cost of disruption to normal operations
The estimated cost of disruption exceeds the cost of damage or theft of IT assets and infrastructure.
Using an extrapolation, we compute an average cost of $670,914 relating to damage or theft of IT assets and infrastructure over the past 12 months. Disruption costs are much higher, with an extrapolated average of $937,197.
The uncertainty security index
The study reveals that in many instances IT and IT security practitioners participating in this research are uncertain about their organization’s security strategy and the threats they face. Specifically, among participants there is a high degree of uncertainty about the following issues:
- Did their organization have a cyber-attack during the past year?
- Did their organization have a data breach? If so, did it involve the loss or exposure of sensitive information?
- Are the root causes of these data breaches known?
- Are the cyber-attacks against their organization increasing or decreasing?
- Have exploits and malware evaded their intrusion detection systems and anti-virus solutions?
- Do they understand the nature of advanced persistent threats (APTs)?
- Is the use of BYOD to access business critical applications increasing and does it affect their organization’s security posture?
- Is the use of cloud applications and/or IT infrastructure services increasing, and does it affect the security posture?
Uncertainty about how these issues affect an organization’s security posture could lead to making sub-optimal decisions about a security strategy. It also makes it difficult to communicate the business case for investing in the necessary expertise and technologies. Based on the responses to 12 survey questions, we were able to create an “uncertainty index” or score that measures where the highest uncertainty exists. The index ranges from 10 (greatest uncertainty) to 1 (no uncertainty).
U.S. organizations have the highest uncertainty index. This is based on the aggregated results of respondents in the following countries and regions: US, UK, Germany and Asia-Pacific. With an uncertainty score of 3.8, organizations in Germany seem to have the best understanding of their security risks.
Smaller organizations have the most uncertainty. Those organizations with a headcount of less than 100 have the most uncertainty. This is probably due to the lack of in-house expertise. As organizational size increases, the uncertainty index becomes more favourable.
An organization’s leadership team has the most uncertainty. This finding helps explain why IT and IT security practitioners say their management is not making cyber security a priority. Based on this finding, the higher the position, the more removed the individual may be from understanding the organization’s risk and strategy.
Retailing, education &amp; research, and entertainment have the highest uncertainty. The level of uncertainty drops significantly for organizations in the financial services and technology sectors. The high degree of certainty in the financial sector can be attributed to the need to comply with data security regulations.