Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Ponemon

Corporate Data: A Protected Asset or a Ticking Time Bomb?

Corporate Data: A Protected Asset or a Ticking Time Bomb? is a Ponemon Institute study sponsored by Varonis, surveying a total of 2,276 employees in US and European organizations (United Kingdom, Germany and France), including 1,110 individuals (hereafter referred to as end users) who work in such areas as sales, finance and accounting, corporate IT, and business operations, and 1,166 individuals who work in IT and IT security (hereafter referred to as IT practitioners).

In the context of this research, both IT practitioners and end users are witnessing a lack of control over their organizations’ data and access to it, and the two groups generally concur that their organizations would overlook security risks before they would sacrifice productivity. Employees are often left with needlessly excessive data access privileges and loose data-sharing policies.

Compounding the risk, organizations are unable to determine what happened to data when it goes missing, indicating a lack of monitoring and further absence of controls.

This presents a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data. Efforts to address these risks will need to overcome employee perceptions, as they believe data protection is not considered a high priority by senior leadership.

Following are research findings that illustrate the growing risks and challenges to productivity that data growth and a lack of internal controls currently present for organizations of all sizes:

End users believe they have access to sensitive data they should not be able to see, and more than half say that access is frequent or very frequent. 71% of end users say that they have access to company data they should not be able to see. 54% characterize that access as frequent or very frequent.

End users believe data protection oversight and controls are weak. 47% of end users say the organization does not strictly enforce its policies against the misuse or unauthorized access to company data and 45% say they are more careful with company data than their supervisors or managers. Furthermore, only 22% of employees say their organization is able to tell them what happened to lost data, files or emails.

IT agrees. Most IT practitioners surveyed state that their companies do not enforce a strict least-privilege (or need-to-know) data policy. Four in five IT practitioners (80%) say their organizations don’t enforce a strict least-privilege data model. 34% say they don’t enforce any least-privilege data model.

End users and IT agree that data growth is hindering productivity more every day. 73% of end users believe the growth of emails, presentations, multimedia files and other types of company data has very significantly or significantly affected their ability to find and access data.

Uncertainty about whether senior executives view data protection as a priority affects. compliance with security policies. Only 22% of end users believe their organizations overall place a very high priority on data protection. About half (51%) of IT practitioners believe their CEO and other C-level executives consider data protection a high priority.

IT practitioners say end users are likely to put critical data at risk. 73% of IT practitioners say their department takes data protection very seriously. However, only 47% believe employees in their company take the necessary steps to make sure confidential data is secure. Thus, IT departments know end user security risks exist but think they are limited in what they can do about it.

End users think it is OK to transfer confidential documents to potentially unsecure devices. 66% of end users say there are times when it is acceptable to transfer work documents to their personal computer, table, smart phone and even the public cloud. Only 13% of IT practitioners agree.

End users and IT practitioners do not think their organization would accept diminished productivity to prevent the risk to critical data. 55% of end users say their company’s efforts to tighten security have a major impact on their productivity. Only 27% of IT practitioners say their organization would accept diminished productivity to prevent the loss or theft of critical data.

End users and IT agree that employees are unknowingly the most likely to be responsible for the leakage of company data. 64% of end users and 59% of IT practitioners believe that insiders are unknowingly the most likely to be the cause of leakage of company data. And only 46% of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

Advertisements

What IT Users and Business Users Think about Bring Your Own Identity (BYOID)

Ponemon Institute has released its CA Technologies sponsored study “The Identity Imperative for the Open Enterprise: What IT Users and Business Users Think about Bring Your Own Identity (BYOID)

They surveyed 1,589 IT and IT security practitioners and 1,526 business users with more than 1,000 employees in United States, Australia, Brazil, Canada, France, Germany, India, Italy and the United Kingdom to understand current trends in Bring your Own Identity or BYOID, which is defined as the use of trusted digital or social networking identities.

  • 74% of the IT users surveyed report to the CIO
  • 15% report to the CISO
  • 55% of the business users in this research report to the lines of business leader
  • 10% report to the marketing officer 

The majority of respondents in both groups have high levels of interest in BYOID, but IT users and business user groups have different views about the perceived potential value of BYOID. 

  • IT users view BYOID primarily for fraud reduction, risk mitigation and cost reduction
  • Business end users are more interested in how BYOID can streamline customer’s experience and assist in targeted marketing campaigns.

Some of these differences can be expected because of the different job responsibilities of each group. These differences do not necessarily portend conflict, but rather show the need for collaboration between IT and the business functions to yield maximum benefits for any organisation deploying a BYOID system. By developing a cross-functional BYOID strategy around several well-defined use cases, organisations can differentiate themselves from competitors and further grow their business.

Key finding of the study are:

The Application Economy Drives BYOID Interest

In today’s application economy, organisations need to securely deliver new apps to grow their business quickly. This can increase IT risks, which puts a premium on an organisation’s ability to simplify the user experience without sacrificing security. Using an existing digital or social identity issued by a trusted third party to access applications can help organisations meet the need for simplicity, security and a positive customer experience.

  • 67% of IT users say the primary value of BYOID is from strengthening the authentication process
  • 54% from reducing impersonation risk
  • 79% of Business users believe the BYOID value comes from delivering a better customer experience 76% believe it is from increasing the effectiveness of marketing campaigns

While IT sees value primarily in risk mitigation/cost reduction, business users see the value of BYOID in improving the consumer experience to increase customer loyalty and generating new revenue streams. This underscores the need for IT and business collaboration to address the challenge that today’s organisations face: how to secure the business while simultaneously empowering

Mobile and Web Users Drive BYOID

Today’s IT organisations must deliver secure access to a highly distributed and growing user population. These users expect to access information anywhere, anytime from multiple devices. This is changing how user identities should be managed and is affecting the demand for BYOID.

When IT practitioners and business users were polled on their level of interest in accepting identities for different user populations such as job prospects, employees, contractors, retirees, website customers or mobile customers, mobile and web customers received the most interest, far exceeding that of the other populations.

  • 50% of IT respondents and 79% of business respondents have very high or high interest in BYOID for website user populations
  • 48% of IT respondents and 82% of business respondents have very high or high interest in BYOID for mobile user populations

BYOID Requires Security Enhancements to Drive More Adoption

While the survey results indicate interest in BYOID from both IT users and business users, both groups identified features that could contribute to broader BYOID adoption.

When asked which features would most likely increase BYOID adoption within their organisation;

  • 73% of IT users’ top features are identity validation processes
  • 66% have multi-factor authentication as the top feature
  • 71% of Business users say both identity validation processes and simplified user registration are the most popular features for increasing adoption.

The study also indicates a high level of interest for some level of accreditation of the identity providers

  • 59% of IT saying it is essential or very important
  • 21% saying it is important
  • 27% of business respondents say accreditation is essential or very important with 48% believe it’s important

.

Why is there a Cloud Multiplier effect on the risk of a Data Breach?

Netskope-data-breach

65% have experienced an SQL injection attack

The second DB Networks sponsored Ponemon Institute report on the SQL injection threat has been released. 

The report explores what IT security professionals think about the likely attack chain of recent data breaches involving major retailers such as Target, Michaels and Neiman Marcus. The first report focused on how organizations respond to the SQL injection threat and their awareness about different approaches to managing this risk. 

The study surveyed 595 individuals who work in IT and IT security. The majority of respondents are familiar with core IDS technologies that detect rogue SQL statements on the network that connect the web application to the database. 

69% of respondents say their organization must comply with Payment Card Industry Data Security Standard (PCI DSS). As such, a majority of the respondents are very familiar with and required to comply with the security requirements for retailers who accept payment cards. 

SQL injections have been defined as being used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public facing websites but can be used to attack SQL databases in a variety of ways.

Background on retail breaches 

Details of the recent retailer network intrusion and data breach haven’t been readily forth coming from either the retailers who were breached or the U.S. Secret Service in charge of the breach investigations. As a result, security professionals are left to piece together the attack chain details based on the nascent amount of information that has been shared thus far. 

Target, for example, has revealed the credentials from an HVAC contractor were compromised. Those compromised credentials they claim initiated the attack chain that ultimately resulted in two major breaches. While certainly an interesting factoid, that information actually offers little insight into the events that ultimately resulted in the breach of 40 million credit cards and another 70 million database records containing personally identifiable information (PII). 

The HVAC vendor credentials only provided access to Target’s vendor billing and invoicing system. It’s a rather long leap from those systems into Target’s POS systems. How that feat was accomplished hasn’t been made public. Further, a report by BusinessWeek revealed that Target’s IT security systems were able to identify the hacker’s suspicious activity multiple times during the attack. But unfortunately those alerts were not agreed upon by Target’s IT security staff. 

Some of the key takeaways from this study include:

  • 50% of respondents believe cyber syndicates are to blame for the large retail data breaches. Only 16% believe an individual perpetrated the attack.
  • Many respondents believe notification of victims is better later than sooner. 36% of respondents would prefer to wait to notify victims until a thorough investigation was conducted.
  • SQL injection threat was one of the components of these retail breaches. 53% of respondents say SQL injections were used to steal sensitive and confidential information.
  • 65% of respondents say continuous monitoring of the database network followed by advanced database activity monitoring are the best approaches to avoiding a mega data breach
  • 33% of respondents say they either scan continuously or daily for active databases. However, 25% scan irregularly and 22% do not scan at all
  • SQL injection was considered by respondents to be one of the components of these attacks. 57% (36% + 21%) of respondents believe the likelihood that the attacks against the U.S. retailers involved SQL injection was 51% or greater
  • 65% of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defences in the last 12 months.
  • 49% say the SQL injection threat facing their company is very significant. On average, respondents believe 42% of all data breaches are due, at least in part, to SQL injections.
  • Many organizations are not familiar with the techniques used by cyber criminals.
  • 46% are familiar with the term Web Application Firewalls (WAF) bypass
  • 39% of respondents are very familiar or familiar with the techniques cybercriminal use to get around WAF perimeter security devices
  • BYOD makes understanding the root causes of an SQL injection threat more difficult. 56% of respondents say determining the root causes of SQL injection is becoming more difficult because of employees’ use of personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41% of respondents, is increasing stealth and/or sophistication of cyber attackers
  • Expertise and the right technologies are critical to preventing the SQL injection threat. While respondents see the SQL threat as serious, only 31% say their organization’s IT security personnel possess the skills, knowledge and expertise to quickly detect SQL injection threats and 34% agree that they have the technologies or tools to quickly detect a SQL injection threat 

Find the report here

The risk to Industrial Control Systems and SCADA is believed to have substantially increased

In a Unisys sponsored Ponemon survey of 599 Global IT and IT security executives across 13 countries, IT practitioners whose job involves securing or overseeing the security of their organisation’s information systems or IT infrastructure were permitted to complete the survey. They are also familiar with security standards such as NERC, CIP, NIST, ISO, PCI DSS, Sarbanes Oxley and other regulations on the protection of information assets and the critical infrastructure.

Key findings of this research

Most companies have not fully deployed their IT security programs

  • 17% of companies represented in this research self-report that most of their IT security program activities are deployed
  • 50% of respondents say their IT security activities have not as yet been defined or deployed (7%)
  • 43% say they have defined activities but they are only partially deployed
  • 28% of respondents agree that security is one of the top five strategic priorities across the enterprise

The risk to industrial control systems and SCADA is believed to have substantially increased

  • 57% of respondents agree that cyber threats are putting industrial control systems and SCADA at greater risk
  • 11% say the risk has decreased due to heightened regulations and industry-based security standards

Security compromises are occurring in most companies

It is difficult to understand why security is not a top a priority because 67% of respondents say their companies have had at least one security compromise that that led to the loss of confidential information or disruption to operations over the last 12 months. 24% of respondents say these compromises were due to an insider attack or negligent privileged IT users

Upgrading existing legacy systems may result in sacrificing mission-critical security

36% of respondents are not confident and 18% are unsure that their organisation would be able to upgrade legacy systems to the next improved security state in cost-effective ways without sacrificing mission-critical security.

Many organisations are not getting actionable real-time threat alerts about security exploits

  • 34% of respondents say their companies do not get real-time alerts, threat analysis and threat prioritisation intelligence that can be used to stop or minimise the impact of a cyber-attack
  • 22% of those that does receive such intelligence say they are not effective
  • 15% of respondents say threat intelligence is very effective and actionable

Find the full report here.

 

110 million Americans hacked in the last 12 months

In a CNNMoney commissioned study Ponemon Institute researchers found:;-

  • 110 million Americans — roughly half of the nation’s adults — in the last 12 months alone.
  • 432 million accounts were hacked accounts

It’s becoming more acute,” said Ponemon Institute head Larry Ponemon. “If you’re not a data breach victim, you’re not paying attention

The CNNMoney article points to recent examples of large hack attacks:-

  • 70 million Target customers’ personal information, plus 40 million credit and debit cards
  • 33 million Adobe user credentials, plus 3.2 million stolen credit and debit cards
  • 4.6 million Snapchat users’ account data 3 million payment cards used at Michaels
  • 1.1 million cards from Neiman Marcus “A significant number” of AOL’s
  • 120 million account holders
  • Potentially all of eBay’s 148 million customers’ credentials 

Full article here.

The Aftermath of a Mega Data Breach

A Ponemon Study sponsored by Experian® explores consumers’ sentiments about data breaches. The goal was to learn the affect data breaches had on consumers’ privacy and data security concerns. A similar study was conducted in 2012 and reveals some interesting trends in consumers’ perceptions.

The study asked consumers who were victims of a data breach questions about their experience. It may not come as a surprise that individuals who have had their personal information lost or stolen increased 100% since the 2012 study when only 25% of individuals surveyed were victims of a data breach.

For purposes of the research, they define a data breach as

the loss or theft of information that can be used to uniquely identify, contact or locate you. This includes, but is not limited to, such information as Social Security number, IP address, driver’s license number, credit card numbers and medical records

797 individuals were surveyed and approximately 400 of these respondents say they were the victims of a data breach. By far, the primary consequence of a data breach is suffering from stress (76% of respondents) followed by having to spend time resolving problems caused by the data breach (39% of respondents).

The most significant findings of the research:-

What companies should do following a data breach

  • 63% of consumers continue to believe that organizations should be obligated to provide identity theft protection
  • 58% believe credit monitoring services should be offered
  • 67% believe compensation such as cash, products or services should be offered

–       These findings are similar to the findings in the 2012 study.

Credit card companies and retail stores sent the most notifications

  • 62% of respondents say they received two data breach notifications involving separate incidents. These notifications can be in the form of a letter, telephone call, email or public notice.

Becoming a victim of a data breach increases fears about becoming an identity theft victim.

  • Prior to having their personal information lost or stolen, 24% say they were extremely or very concerned about becoming a victim of identity theft.
  • Following the data breach, this concern increased significantly to 45%.
  • 48% of respondents say their identity is at risk for years or forever.

How important is media coverage of data breaches?

  • The majority of respondents believe it is important for the media to report details about data breaches. Mainly because it requires companies to be more responsive to victims followed by the creation of greater awareness about how the data breach could affect individuals and alerts potential victims to take action to protect their personal information from identity theft.

Other findings:-

  • 25% of data breach notifications offered identity theft protection such as credit monitoring or fraud resolution services. This is a slight decrease from 2012 when 29% of respondents received such an offer
  • 67% of those receiving a notification wanted the organisation to “Explain the risks or harms that I will experience”
  • 32% said “I ignored the notification(s) and did nothing”
  • 78% were most worried about their Social Security number followed by Password/PIN at 71% and Credit card or bank payment information with 65%
  • 81% of respondents who were victims of a data breach did not have any out of pocket costs. If they did, it averaged about $38
  • 34% say they were able to resolve the consequences of the breach in one day
  • 55% say they have done nothing to protect themselves and their family from identity theft

The full report can be found here.

Cybercriminals see a 9% year on year improved yield on stolen records from $136 to $145

IBM and Ponemon have released their ninth annual Cost of Data Breach Study: Global Study. According to the research, the average total cost of a data breach for the companies participating in this research increased 15% to $3.5 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9% from $136 in 2013 to $145 in this year’s study. 

For the first time, the study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. Based on the experiences of companies participating in the research, Ponemon believe they can predict the probability of a data breach based on two factors:

  1. How many records were lost or stolen
  2. The company’s industry

According to the findings, organizations in India and Brazil are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Australia are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.

In this year’s study, 314 companies representing the following 11 countries participated:-

  1. Australia
  2. Brazil
  3. France
  4. Germany
  5. India
  6. Italy
  7. Japan
  8. Saudi Arabia (Saudi Arabia and the United Arab Emirates were combined as the Arabian region)
  9. United Arab Emirates
  10. United Kingdom
  11. United States

All participating organizations experienced a data breach ranging from a low of approximately 2,415 to slightly more than 100,000 compromised records. Ponemon define a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.

As the findings reveal, the consolidated average per capita cost of data breach (compiled for eleven countries and converted to US dollars) differs widely among the countries. Many of these cost differences can be attributed to the types of attacks and threats organizations face as well as the data protection regulations and laws in their respective countries.

In this year’s global study, the average consolidated data breach increased from $136 to $145

However, German and US organizations on average experienced much higher costs at $195 and $201, respectively.

Ponemon Institute conducted its first Cost of Data Breach study in the United States nine years ago. Since then, they have expanded the study to include the United Kingdom, Germany, France, Australia, India, Italy, Japan, Brazil and, for the first time this year, United Emirates and Saudi Arabia. To date, 1,279 business and government (public sector) organizations have participated in the benchmarking process since the inception of this research series.

This year’s study examines the costs incurred by 314 companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data. It is important to note the costs presented in this research are not hypothetical but are from actual data loss incidents. They are based upon cost estimates provided by the 1,690 individuals interviewed over a ten-month period in the companies that are represented in this research.

The following are the key findings, measured in US dollars:

  • The most and least expensive breaches. German and US companies had the most costly data breaches ($201 and $195 per record, respectively). These countries also experienced the highest total cost (US at $5.85 million and Germany at $4.74 million). The least costly breaches occurred in Brazil and India ($70 and $51, respectively). In Brazil, the average total cost for a company was $1.61 million and in India it was $1.37 million. 
  • Size of data breaches. On average, U.S. and Arabian region companies had data breaches that resulted in the greatest number of exposed or compromised records (29,087 and 28,690 records, respectively). On average, Japanese and Italian companies had the smallest number of breached records (18,615 and 19,034 records, respectively). 
  • Causes of data breaches differ among countries. Companies in the Arabian region and in Germany were most likely to experience a malicious or criminal attack, followed by France and Japan. Companies in India were the most likely to experience a data breach caused by a system glitch or business process failure and UK companies were more likely to have a breach caused by human error. 
  • The most costly data breaches were malicious and criminal attacks. Consolidated findings show that malicious or criminal attacks are the most costly data breaches incidents in all ten countries. U.S. and German companies experience the most expensive data breach incidents at $246 and $215 per compromised records, respectively. Brazil and India had the least costly data breach caused by malicious or criminal attackers at $77 and $60 per capita, respectively. 
  • Factors that decreased and increased the cost of a data breach. Having a strong security posture, incident response plan and CISO appointment reduced the cost per record by $14.14, $12.77 and $6.59, respectively. Factors that increased the cost were those that were caused by lost or stolen devices (+ $16.10), third party involvement in the breach (+ $14.80), quick notification (+ $10.45) and engagement of consultants (+ $2.10). 
  • Business continuity management reduced the cost of a breach. For the first time, the research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $8.98 per compromised record. 
  • Countries that lost the most customers following a data breach. France and Italy had the highest rate of abnormal customer turnover or churn following a data breach. In contrast, the Arabian region and India had the lowest rate of abnormal churn. 
  • Countries that spent the most and least on detection and escalation. On average, German and French organizations spent the most on detection and escalation activities such as investigating and assessing the data breach ($1.3 million and $1.1 million, respectively). Organizations in India and the Arabian region spent the least on detection and escalation at $320,763 and $353,735 respectively. 
  • Countries that spent the most and least on notification. Typical notification costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts and other efforts to make sure victims are alerted to the fact that their personal information has been compromised. U.S. and German organizations on average spent the most ($509,237 and $317,635 respectively). Brazil and India spent the least amount on notification ($53,772 and $19,841, respectively). 
  • Will your organization have a data breach? As part of understanding the potential risk to an organization’s sensitive and confidential information, we thought it would be helpful to understand the probability that an organization will have a data breach. To do this, we extrapolate a subjective probability distribution for the entire sample of participating companies on the likelihood of a material data breach happening over the next two years. The results show that a probability of a material data breach involving a minimum of 10,000 records is more than 22%. In addition to overall aggregated results, we find that the probability or likelihood of data breach varies considerably by country. India and Brazil have the highest estimated probability of occurrence.

 The full report can be obtained here.

Tracking how fast a security incident is discovered and contained is the most important metric but not often used

In a Firemon sponsored Ponemon study respondents were asked to rate the importance of specific metrics in communicating the state of security risk to senior executives and IT management.

The following metrics are considered to be most important in achieving more effective communications. 

  • Metrics on compliance with security standards and frameworks. Metrics most often used are length of time to implement security patches and the reduction in audit findings, especially repeat findings.
  • Metrics on the management of security threat. Metrics most often used are reduction in the number of known vulnerabilities and percentage of endpoints free of malware and viruses. 
  • Metrics on the minimization of disruption to business & IT operations. Metrics most often used is reduction in unplanned system downtime. 
  • Metrics on staff and employee competence. Metrics most often used is number of end users receiving appropriate training. 
  • Metrics on efficient management of resources and spending. Metrics most often used is reduction in the cost of security management activities. 
  • Time-dependent metrics on the discovery and containment of compromises and breaches. Metrics most often used are mean time to fix, to identify and know root causes. 
  • Metrics on the minimization of third-party security risks. Metrics most often used is the number of third parties that attest to meeting compliance and security standards.

 The full study can be found here.

Security Metrics to Manage Change: Which Matter, Which Can Be Measured? A Ponemon Study.

The Firemon sponsored study by Ponemen surveyed 597 individuals who work in IT, IT security, compliance, risk management and other related fields. All respondents are involved in IT security management activities in their organizations. They also are involved in assessing or managing the impact of change on their organization’s IT security operations. The following are the themes of this study:

  • Tale of two security departments
  • The importance of metrics to driving more informed decisions
  • Practices to achieve effective security change management
  • The right metrics for managing change

What is security change management?

Ponemon defines this in the study as “security change management as a formal approach to assessing, prioritizing and managing transitions in personnel, technologies, policies and organizational structures to achieve a desired state of IT security. The security risk landscape is defined as rapidly mutating threats at every point of entry from the perimeter to the desktop; from mobile to the cloud. The fast evolution of the threat landscape and changes in network and security architectures creates a challenging and complex security ecosystem.

The key findings of the study

The security posture perception gap puts organizations at risk. 13% of respondents would rate the security posture of their organization as very strong. Whereas, 33% of respondents say their CEO and Board believes the organization has a very strong security posture. Such a gap reveals the problems the security function acknowledges in accurately communicating the true state of security.

Why can’t communication be better? 71% of respondents say communication occurs at too low a level or only when a security incident has already occurred (63% of respondents). 51% admit to filtering negative facts before talking to senior executives.

Agility is key to managing change. However, when asked to rate their organization’s agility in managing the impact of change on IT security operations, only 16% of respondents say their organizations have a very high level of agility and 25% say it is very low.

Metrics that reveal the impact of change are most valuable. According to 74% of respondents, security metrics that measure the impact of disruptive technologies on security posture are important. 62% of respondents say metrics fail to provide this important information.

Real-time analysis for managing change is essential. When asked about the importance of real-time analysis for managing changes to the organization’s security landscape, 72% of respondents say it is essential or very important. 12% say it is not important.

Organizations are not using more advanced procedures to understand the impact of change on their organization’s security posture. 26% of respondents say they are using manual processes or no proactive processes to identify the impact of changes on the organization’s security posture. 15% are using automated risk impact assessments, 13% say they are using continuous compliance monitoring and 11% rely on internal or external audits.

Senior executives are believed to have a more positive outlook on the effectiveness of their IT security function. While respondents rate their organization’s security posture as just about average, they believe their CEOs and board members have a much more positive perception, and would rate their organization’s security posture as above average. 13% of respondents would rate the security posture as strong. Whereas, 33% of respondents say their CEO and Board believes their organization has a very strong security posture. This perception gap signals that security practitioners are not given an opportunity and/or cannot communicate effectively the true state of security in the organization. As a result it is difficult to convince senior management of the need to invest in the right people, processes and technologies to manage security threats. Likewise, respondents believe key stakeholders also consider the organization’s security posture as being above average. 26% of respondents say this group rates their organization’s security posture as very strong. These include business partners, vendors, regulators, and competitors.

Lack of communication seems to be at the root of the C-suite and IT security disconnect. Too little and too late characterizes communication to senior executives about the state of security risk. 29% of respondents say they do not communicate to senior executives about risks and 31% say such communication only occurs when a serious security risk is revealed. As a result, they admit the state of communication about security risks is not effective. 6% of respondents say they are highly effective in communicating all relevant facts to management.

Why can’t communication be better? The main complaints are that communication occurs at too low a level or when a security incident has already occurred. Other problems stem from the existence of silos that keep information from being communicated throughout the organization. Respondents also recognize that the technical nature of the information could be frustrating for senior executives. Very often, the whole story is not revealed because negative facts are filtered before being disclosed to senior executives and the CEO.

What are the implications of senior executives and IT security not having the same understanding of the organization’s security effectiveness? According to the findings, an important capability such as having the agility to manage the impact of change on IT security operations could be affected by not being able to convince management of the need for enough resources, budget and technologies. When asked to rate their organization’s overall agility in managing the impact of change on IT security operations, respondents say it is fairly low. 16% of respondents say their organizations have a very high level of agility and 25% say it is very low. This is also the case when asked to rate their organization’s effectiveness in managing the impact of change on IT security operations. 17% say their organizations are very effective and 30% say their organizations are very ineffective.

The top three barriers to achieving effective security change management activities are

  1. insufficient resources or budget
  2. lack of effective security technology solutions
  3. lack of skilled or expert personnel

When asked about the importance of real time-analysis for managing changes to the organization’s security landscape, 72% of respondents say it is essential or very important. 12% say it is not important.

  • 26% of respondents say they are using manual processes or no proactive processes to identify the impact of changes on the organization’s security posture
  • 15% are using automated risk impact assessments
  • 13% say they are using continuous compliance monitoring
  • 11% rely on internal or external audits

Those technologies most often fully deployed to facilitate the management of changes that impact an organization’s security risk profile are:

  • Incident detection and alerting (including SIEM)
  • Vulnerability risk management
  • Network traffic monitoring
  • Security configuration management follow
  • Technologies that are often only partially deployed are log monitoring (46% of respondents) and file integrity monitoring (35% of respondents).
  • Minimally or not deployed at all are: big data analytics (64% of respondents), automated policy management (45% of respondents), and sandboxing (44% of respondents).

Current metrics in use do not communicate the true state of security efforts. When asked if the metrics that are in use today adequately convey the true state of security efforts deployed by their organization, 43% of respondents say they do not and 11% are unsure. The biggest reasons for the failure to accurately measure the state of security are more pressing issues take precedence, communication with management only occurs when there is an actual incident, the information is too technical to be understood by nontechnical management, and a lack of resources to develop or refine metrics.

What are the strengths and weaknesses of the security function? Respondents were asked rate their organizations’ ability to accomplish seven specific factors that may impact the security posture. The findings reveal that most respondents say their organizations are best at managing security threats, hiring and retaining competent security staff and employees and discovering and containing compromises and breaches quickly. They are not as effective at achieving compliance with leading security standards and frameworks and minimizing third-party security risks.

What events are most likely to disrupt the organization’s infrastructure and ability to manage security threats? The expansion of mobile platforms and migration to the cloud are the most likely to affect the security posture. Use of employee-owned devices (BYOD) and the implementation of a next generation firewall have moderate impact. Events that are considered to have a low impact are the move or consolidation of data center resources, implementation of virtualized computing and storage, a security audit failure, and reorganizing and downsizing the enterprise and IT function. Who is accountable for managing the risk created by the introduction of such changes as mobile platforms and the clouds? According to respondents, most responsible for managing the impact of these changes is the CIO or CTO followed by no one has overall responsibility.

Metrics must be aligned with business goals. 83% of respondents say it is important to have security metrics fully aligned with business objectives. However, most organizations represented in this study do not seem to be achieving this goal. In fact, 69% say security metrics sometimes conflict with the organization’s business goals.

  • 74% agree that security metrics that show the impact of disruptive technologies on security posture are important
  • 62% of respondents say metrics fail to provide information about the impact of change
  • 54% agree that metrics do not help understand the vulnerabilities to criminal
  • 46% of respondents say they do not help assess or manage risks caused by the migration to the cloud
  • 56% agree that metrics can help justify investment in people, processes and technologies
  • 57% of respondents agree the CEO and board do care about the metrics used to measure security posture

What is the metrics that matter gap? Respondents were asked to rate the metrics most important in communicating relevant facts about the state of security risks to senior executives and IT management. The top metrics in terms of their importance are discovery and containment of compromises and breaches and management of resources and spending. However, the actual average use of metrics in these categories average only 43% and 37% of organizations represented in this research. The biggest gaps in importance vs. use are with metrics that track disruption to business & IT operations (36% gap), management of resources and spending (35% gap), and discovery and containment of compromises and breaches (31% gap). The smallest gaps between importance and use are with third-party risks (7%) and staff and employee competence (2%).

Tracking how fast a security incident is discovered and contained is the most important metric but not often used.

Practices to achieve effective security change management. In this section, we look at the different practices of organizations that were self-reported to have a high security posture and those that have a low security posture. The findings reveal that there is a difference in the technologies deployed, perceptions about barriers to managing the impact of change to the security infrastructure, effectiveness in communication with senior management, and frequency of communications.

Firemon’s report can be found here.

65% of organisations have been breached by a SQL Injection attack

Ponemon Institute have released their The SQL Injection Threat Study sponsored by DB Networks. The purpose of the research was to understand how organisations respond to the SQL injection threat and their awareness about different approaches to managing this risk.

The study surveyed 595 individuals who work in IT and IT security. The majority of respondents were familiar with core IDS technologies that detect rogue SQL statements on the network that connect the web application to the database.

SQL injections are defined as:-

being used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public facing websites but can be used to attack SQL databases in a variety of ways

Key findings extracted from the report:-

  • The SQL threat is taken seriously because 65% of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defences in the last 12 months.
  • 49% of respondents say the SQL injection threat facing their company is very significant. On average, respondents believe 42% of all data breaches are due, at least in part, to SQL injections.
  • Many organizations are not familiar with the techniques used by cyber criminals. 46% of respondents are familiar with the term Web Application Firewalls (WAF) bypass. Only 39% of respondents are very familiar or familiar with the techniques cyber criminal use to get around WAF perimeter security devices.
  • BYOD makes understanding the root causes of an SQL injection attack more difficult. 56% of respondents say determining the root causes of SQL injection is becoming more difficult because of the trend for employees to use their personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41% of respondents, is increasing stealth and/or sophistication of cyber attackers.
  • Expertise and the right technologies are critical to preventing SQL injection attacks. While respondents see the SQL threat as serious, only 31% say their organization’s IT security personnel possess the skills, knowledge and expertise to quickly detect a SQL injection attack and 34% agree that they have the technologies or tools to quickly detect a SQL injection attack.
  • Measures to prevent SQL injection attacks are also lacking. Despite concerns about the threat, 52% do not take such precautions as testing and validating third party software to ensure it is not vulnerable to SQL injection attack.
  • Organizations move to a behavioural analysis solution to combat the SQL injection threat. 88% of respondents view behavioural analysis either very favourably or favourably.
  • 44% of respondents say their organization uses professional penetration testers to identify vulnerabilities in their information systems but only 35% of these organizations include testing for SQL injection vulnerabilities.
  • 20% continuously scan active databases, 13% do it daily, 25% scan irregularly and 22% do not scan at all.

The full report can be found here.



Challenges to maintaining a strong security posture

A very interesting piece of research by the Ponemon Institute on behalf of the security vendor Sophos.  A summary of the study is below. 

Cyber security is often not a priority

  • 58% of respondents say that management does not see cyber-attacks as a significant risk
  • 44% say a strong security posture is not a priority.
  • Those two findings reveal the difficulty IT functions face in securing the necessary funding for skilled personnel and technologies. As evidence, 42% of respondents say their budget is not adequate for achieving an effective security posture.
  • While an organization’s IT leaders often depend upon the need to comply with regulations and compliance to make their case for IT security funding, 51% of respondents say it does not lead to a stronger security posture. More important is obtaining management’s support for making security a priority.

Senior management rarely makes decisions about IT security

Who is responsible for determining IT Security Priorities?

  • CIO 32%
  • 31% no one

Lack of in-house expertise hinders the achievement of a strong security posture

  • Organizations represented in this research face a lack of skilled and expert security professionals to manage risks and vulnerabilities. Only 26% of respondents say they have sufficient expertise, with 15% not sure. On average, three employees are fully dedicated to IT security.

Security threats and attacks experienced

“Did our organization have a cyber-attack? I don’t really know.” When asked if they were attacked in the past 12 months

  • 42% of respondents say they were
  • 33% are unsure
  • 1/3 of respondents say they are unsure if an attack has occurred in the past 12 months
  • Of the 42% who say an attack occurred, most likely it was likely the result of phishing and social engineering, denial of service and botnets and advanced malware/zero day attacks.

Data breach incidents are known with greater certainty

More respondents can say with certainty that a data breach occurred in their organization. For purposes of the research, a data breach is the loss or theft of sensitive information about customers, employees, business partners and other third parties. 51% say their organization experienced an incident involving the loss or exposure of sensitive information in the past 12 months although 16% say they are unsure.

More than half of respondents say their organization has had a data breach

  • 51% Cited is a third-party mistake or negligent employee or contractor
  • 44% cannot identify the root cause.

Most organizations say cyber-attacks are increasing or there is no change

  • 76% of respondents say their organizations face more cyber-attacks or at least the same
  • 18% are unable to determine

Most organizations see cyber-attacks as becoming more sophisticated

  • 56% say cyber-attacks are more sophisticated
  • 45% say they are becoming more severe
  • 28% of respondents are uncertain if their organizations are being targeted
  • 25% are unsure if the attacks are more sophisticated
  • 23% do not know if these attacks are becoming more severe.

The research reveals there is often confusion as to what best describes advanced persistent threats (APT). When asked to select the one term that best fits their understanding, only one-third of respondents say they are recurrent low profile targeted attacks but the same percentage of respondents are not sure how to describe them. As a result, there may be uncertainty as to what dedicated technologies are necessary for preventing them.

Disruptive technology trends

The cloud is important to business operations

  • 72% of respondents do not view security concerns as a significant impediment to cloud adoption within their organizations
  • 77% say the use of cloud applications and IT infrastructure services will increase or stay the same
  • 39% of their organization’s total IT needs are now fulfilled by cloud applications and/or infrastructure services

The use of cloud applications and IT infrastructure is not believed to reduce security

Effectiveness

  • 45% of respondents say the cloud is not considered to have an affect on security posture
  • 12% say it would actually diminish security posture
  • 25% of respondents say they cannot determine if the organization’s security effectiveness would be affected

The use of mobile devices to access business-critical applications will increase

  • 46% of an organization’s business-critical applications are accessed from mobile devices such as smart phones, tablets and others.
  • 69% of respondents expect this usage to increase over the next 12 months.

While respondents do not seem to be worried about cloud security, mobile device security is a concern.

  • 50% of respondents say such use diminishes an organization’s security posture
  • 58% say security concerns are not stopping the adoption of tablets and smart phones within their organization.

BYOD also affects the security posture

  • 26% of mobile devices owned by employees are used to access business-critical applications.
  • 70% of respondents either expect their use to increase or stay the same
  • 71% say security concerns do not seem to be a significant impediment to the adoption of BYOD

BYOD is a concern for respondents

  • 32% say there is no affect on security posture
  • 45% of respondents believe BYOD diminishes an organization’s security effectiveness.

Effectiveness of security technologies

The majority of respondents have faith in their security technologies

  • 54% of respondents say the security technologies currently used by their organization are effective in detecting and blocking most cyber attacks
  • 23% are unsure

Big data analytics and web application firewalls are technologies growing in demand

Today, the top three technologies in use are:

  1. Antivirus
  2. client firewalls
  3. endpoint management

They are likely to remain the top choice over the next three years. The deployment of certain technologies is expected to grow significantly. Investment in big data analytics and web application firewalls will see the greatest increases (28% and 21%, respectively). These technologies are followed by: endpoint management (19% increase), anti-virus and next generation firewalls (both15% increase) and network traffic intelligence and unified threat management (both 14% increase). The percentage of respondents who say the use of IDS and SIEM technologies decreases slightly (6%) over the next three years.

The cost impact of disruptions and damages to IT assets and infrastructure

Damage or theft to IT assets and infrastructure are costly

  1. 1 the cost of damage or theft to IT assets and infrastructure
  2. 2 the cost of disruption to normal operations

The estimated cost of disruption exceeds the cost of damages or theft of IT assets and infrastructure.

Using an extrapolation, we compute an average cost of $670,914 relating to incidents to their IT assets and infrastructure over the past 12 months. Disruption costs are much higher, with an extrapolated average of $937,197

The uncertainty security index

The study reveals that in many instances IT and IT security practitioners participating in this research are uncertain about their organization’s security strategy and the threats they face. Specifically, among participants there is a high degree of uncertainty about the following issues:

  • Did their organization have a cyber-attack during the past year?
  • Did their organization have a data breach? If so, did it involve the loss or exposure of sensitive information?
  • Are the root causes of these data breaches known?
  • Are the cyber-attacks against their organization increasing or decreasing?
  • Have exploits and malware evaded their intrusion detection systems and anti-virus solutions?
  • Do they understand the nature of advanced persistent threats (APTs)?
  • Is the use of BYOD to access business critical applications increasing and does it affect their organization’s security posture?
  • Is the use of cloud applications and/or IT infrastructure services increasing and does it affect the security posture

Uncertainty about how these issues affect an organization’s security posture could lead to making sub-optimal decisions about a security strategy. It also makes it difficult to communicate the business case for investing in the necessary expertise and technologies. Based on the responses to 12 survey questions, we were able to create an “uncertainty index” or score that measures where the highest uncertainty exists. The index ranges from 10 (greatest uncertainty) to 1 (no uncertainty).

U.S. organizations have the highest uncertainty index. This is based on the aggregated results of respondents in the following countries and regions: US, UK, Germany and Asia-Pacific. With an uncertainty score of 3.8, organizations in Germany seem to have the best understanding of their security risks.

Smaller organizations have the most uncertainty. Those organizations with a headcount of less than 100 have the most uncertainty. This is probably due to the lack of in-house expertise. As organizational size increases, the uncertainty index becomes more favourable.

An organization’s leadership team has the most uncertainty. This finding indicates why IT and IT security practitioners say their management is not making cyber security a priority. Based on this finding, the higher the position the more removed the individual could be in understanding the organization’s risk and strategy.

Retailing, education & research and entertainment have the highest uncertainty. The level of uncertainty drops significantly for organizations in the financial services and technology sectors. The high degree of certainty in the financial sector can be attributed to the need to comply with data security regulations.

Professional Security Training is substantially better than PowerPoint or Handouts

Ponemon Institute conducted an experimental study on how participants of a Digital Defense training program experienced substantially higher learning gains when compared to results of a placebo group.

The experiment was conducted in seven participating companies and involved 277 employees, all office workers with routine and regular access to IT services. Approximately half of the participants completed two of three separate SecurED models the other half were asked to read three PowerPoint presentations containing identical content on data security. Both groups completed three quizzes. The first quiz provided a baseline level of knowledge for each subject. The second quiz measured immediate learning after completing the SecurED module or PowerPoint script. The third and final quiz was used to measure each subject’s learning gain about 2 to 3 weeks after the training experiment.

The learning gains for both groups were measured as the difference or net change in quiz results from the baseline reading. In addition to measuring participants’ learning, we asked questions about the importance and relevance of data security training in their workplace.

How learning is improved

SecurED out performs the alternative training intervention, termed placebo. All three SecurED training modules tested in this study held consistently positive results. For instance, with respect to quiz performance, subjects on average scored above an 80% correct response rate.

Results of this study

  • The average subject’s long-term learning gain was a 60% increase from baseline
  • Only 5% showed a decline or “tone down” after 2 or 3 weeks
  • The long-term learning gain for the placebo group was a 15% increase from baseline, and a 20% tone down over 2 to 3 weeks

The following are findings related to staff level, age, function and gender.

  • Staff and associate level employees experienced a higher learning gain than director and VP level employees (70% versus 40%).
  • Employees between 26 to 35 years had the highest learning gain at nearly 75%, while older subjects between 56 to 65 years experiencing an average learning gain at about 30%.
  • Employees in customer services and IT have the highest learning gains at 80 and 70%, respectively. In contrast, respondents in legal and general management have a much lower learning gain at 20 and 30%, respectively
  • Female employees experienced a higher long-term learning gain than their male counterparts (e.g., 65 versus 55%).

Perceptions about security training

Relevancy of training

Debriefings of subjects revealed 72% perceive SecurED as relevant to their present job functions. In addition, 88% of subjects perceive SecurED as enjoyable and worthwhile.

Availability of training

Subjects experiencing SecurED appeared to hold a stronger belief that training on data protection and information security should be made available to all employees, including high-level executives. However, 58 of subjects experiencing SecurED and 65 in the placebo group believe security training should be optional (not mandatory).

Deployment of training

A majority of subjects believe security training should be rolled out top down rather than bottom up. In other words, senior executives taking the time to do security training is helpful in demonstrating the importance of information risk management to rank-and-file employees.

Concluding thoughts

Subjects experiencing SecurED are more likely to believe training will positively impact employee behaviour with respect to more cautious handling of data assets and endpoint devices. We believe training effectiveness should be an essential activity for all organizations due to an increase in privacy and security risks resulting from employee negligence, cyber attacks and insecure devices and platforms.

To illustrate this growing risk, another recent Ponemon study found office workers (employees) are not taking appropriate steps to protect computing devices or company’s information assets. Specifically, 53% said the sharing of business information does not negatively impact or harm the company. 51% said the company has policies that are not strictly enforced and 68% said their organization does not take steps to ensure employees do not wrongfully obtain and misuse competitive information.

Many companies are also failing to keep employees’ access privileges in check. While 51% say their access privileges appropriately match what they need to do in their job, 29% say they allow them to see data that is unnecessary to their work.

According to IT security practitioners, the number one most serious challenge to addressing insider fraud is raising employee awareness. Despite its importance, however, research finds less than half of U.S. companies provide formal security training for their employees, even for those who have privileged access to highly sensitive or confidential data.

Taken together, recent research findings demonstrate employee indifference to the loss or misuse of business information or the theft of mobile devices (such as laptops, tablets and smart phones). In short, they fail to understand the importance of personal accountability in order to achieve and maintain a secure workplace.

The lack of live cyberthreat intelligence could be costing businesses millions

The 2013 Live Threat Intelligence Impact Report from the Ponemon Institute, sponsored by Norse reveals how 700+ respondents from 378 enterprises defines

  • What “live threat intelligence” is.
  • How global enterprises are using it defend against compromises, breaches and exploits;
  • The financial damage that slow, outdated and insufficient threat intelligence is inflicting on them.

The key findings were:

  • They spent an average of $10 million in the past 12 months to resolve the impact of exploits.
  • If they had actionable intelligence about cyberattacks within 60 seconds of a compromise, they could reduce this cost on average by $4 million (40%).
  • Those that have been able to stop cyberattacks say they need actionable intelligence 4.6 minutes in advance to stop them from turning into compromises.
  • 60% were unable to stop exploits because of outdated or insufficient threat intelligence.
  • Those not successful in detecting attacks believe 12 minutes of advanced warning is sufficient to stop them from developing into compromises.
  • 57% believe threat intelligence currently available to most companies is often too stale to enable them to grasp and understand the strategies, motivations, tactics and location of attackers.
  • Only 10% know with absolute certainty that a material exploit or breach to networks or enterprise systems occurred.

Other findings include:

  • 72% believe that in order to defend against an attack, it is important to essential to know the geo-location of attack sources.
  • 69% believe that future attacks are most likely to come from China, but 71% said they were seeing most of their current attacks originating in the U.S.
  • 57% of say Advanced Persistent Threats (APTs) are their greatest concern; 54% say they are most concerned about root kits; 45% say SQL and code injection is their biggest worry.
  • 35% rely on IT security teams’ “gut feel” to determine whether or not an attack will occur.
  • 34% believe that criminal syndicates pose the biggest threat to their enterprise; 19% said state-sponsored attackers were the greatest threat.
  • 9% cannot determine whether or not they are compromised.
  • A wide range of technologies is used to gather threat intelligence, ranging from SIEM to IDS to IAM to Big Data analytics and firewalls. On a one-to-10 scale of effectiveness, only 22% rate these technologies between a 7 and a 10, and 78% rate them between a 1 and 6.

These findings are startling but not surprising. Enterprises are conditioned to believe that after-the-fact threat intelligence is all that is available, a perception that is leaving them open to compromises and data breaches that are costing them millions,” said Sam Glines, CEO, Norse. “This report makes it clear that enterprises are in need of an advanced level of threat intelligence that shrinks the interval between attack identification and mitigation down to minutes or even seconds if they are to survive the modern-day cyberthreat juggernaut

Ponemon Institute has conducted IT security research for over a decade, and this is one of the first studies that reveals the facts behind the impact that weak threat intelligence is having on organizations,” said Larry Ponemon, founder and chairman of Ponemon Institute. “Anyone who reads this report will come to understand that live threat intelligence must be an integral part of any security strategy.”

To view the report click here.

The State of Risk-Based Security Management

The Tripwire sponsored Ponemon study called “The State of Risk-Based Security Management: United States” is designed to discover what organizations are doing with respect to Risk-based Security Management (RBSM), where RBSM is defined as the application of rigorous and systematic analytical techniques to the evaluation of the risks that impact an organization’s information assets and IT infrastructure. RBSM can be considered one component of a wider enterprise risk management system.

My summary of the document is below.

  • 77% express significant or very significant commitment to RBSM
  • yet 52% have a formalized approach to it
  • 46% have actually deployed any RBSM program activities

Of those that have a formal function, program or set of activities dedicated to RBSM, 74% have partially or completely deployed some or all RBSM activities. It appears that having a formalized strategy or plan for RBSM is an important precursor for ensuring that RBSM activities are deployed

41% of respondents say that their organizations do not categorize their information according to its importance to the organization. Organizations must take this step to make informed, rational decisions about what data is most critical to protect.

Only 45% have specific metrics for determining RBSM effectiveness. Those responsible for the program need a scorecard that demonstrates its success in order to secure funding and resources.

Few organizations have achieved a balanced approach with their preventive and detective controls. While most (80 to 90%) deploy the majority of necessary and appropriate preventive controls, only around half deploy the majority of necessary detective controls.

30% of organizations have no formal RBSM strategy for the enterprise, and almost a quarter (23%) have only an informal or ad hoc strategy.

The existence of a formal RBSM function, program or set of activities

  • Yes 52%
  • No 48%

The existence of a risk management strategy

  • 30% Do not have a strategy
  • 24% Formal but inconsistently applied strategy
  • 23% Informal or “ad hoc”strategy
  • 23% Formal and consistently applied strategy

The US and UK (25 and 36%, respectively) are less concerned about regulatory non-compliance than Germany and the Netherlands (60 and 58%, respectively). This can be attributed to the strict rules governing the handling of personal and sensitive information in Germany and the Netherlands.

Organizations in Germany and the Netherlands have more concern about the cloud than the US and UK. Specifically, 65%t of German organizations and 59% of organizations in the Netherlands are concerned or very concerned about software as a cloud service.  In contrast, 46% of US and 48% of UK organizations are concerned or very concerned.

US organizations are far more concerned about the human factor risk to their IT infrastructure today and in the immediate future. Specifically, 71% of respondents from US organizations say they are concerned about malicious insiders. In the UK that number drops to 49%.

A larger gap exists between the US and Germany (32%) and the Netherlands (16%). The US and UK are more concerned about employee carelessness (66 and 65%, respectively) than Germany and the Netherlands (34 and 38%, respectively).

Threats to information security faced by organizations

The greatest rise of potential security risk within today’s IT environment

Find the full report here.

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: