The State of Information Security Awareness: Trends & Developments
Global Findings from the Ponemon Research Institute and Security Innovation
187 Ballardvale Street, Wilmington, MA
Table of Contents

Introduction
A. Training Goals
   TRAINING OBJECTIVES
B. Curriculum Development, Customization, Delivery
   CONTENT CUSTOMIZATION
   DELIVERY METHOD
   TRAINING DEVELOPMENT
   PROGRAM CUSTOMIZATION
   FREQUENCY OF UPDATES
   DURATION OF TRAINING
C. Measuring Results
   IMMEDIATE FEEDBACK
   MEASURING LONG-TERM EFFECTIVENESS
D. Plans for Training
   IMPLEMENTATION SCHEDULE AND BUDGET
   PROGRAM REQUIREMENTS
Summary
Appendix A: Survey Respondents
Appendix B: Detailed Survey Results
Introduction

Organizations of all sizes face serious challenges with online payment card security. Technical environments frequently change, best practices continually evolve, and industry standards are regularly updated, all while hackers and other criminals diligently develop new ways to cause trouble. Security awareness training programs have become a much higher, more accelerated priority for risk-sensitive employers, due in large part to the efforts of the PCI Security Standards Council and other global agencies that promote employee awareness to mitigate data security risk.

To better understand the extent to which organizations are educating employees about information security standards, Security Innovation commissioned a research study from Ponemon Institute, a leading independent research firm specializing in privacy, data protection and information security. Ponemon Institute surveyed a global sample of 3,089 IT and security professionals who are influential in their organization's PCI DSS compliance and/or audit activities. 45% of the respondents currently provide information security awareness training to their employees, while 55% do not (although, as you will see, many of them plan to in the near future).

Qualified Responses*: 3,089
Currently Offer Training: 1,394 (45%)
Currently Do Not: 1,695 (55%)

This report presents information for each category: those who currently offer training, and those who do not yet. Because there was minimal variation between global regions, this report represents worldwide responses in aggregate. Below are the key findings of the 2014 Ponemon Institute Information Security Awareness Training Trends survey, and what they mean to the IT managers and decision makers responsible for ensuring the highest levels of data security within the enterprise.
PCI DSS and Security Awareness Training: Major Themes and Trends

Mitigating the Human Risk: Given the increase in information security threats, it's not surprising that 26% of organizations surveyed plan to roll out training programs in the coming year, and to spend some serious money doing it.

There's Room for Improvement: Most managers and employees are less than satisfied with the training currently available within their organizations.

Short, Flexible and Online: Awareness training is most effective when available in short sessions, making computer-based training (CBT) the most popular approach for many companies.

It's Not Just About Compliance: Although compliance is currently the single biggest driver of data security training, protecting sensitive data is rapidly growing in importance.

* Excludes incomplete responses or those considered invalid for other reasons.
A. Training Goals

It is impossible to understand, plan for, and properly measure the outcome of any training initiative without first understanding its context or purpose. Knowing whether an organization is required to satisfy a set of industry regulations, needs to improve customer experience, or has some other reason for employee education is the first step in implementing a relevant, effective training strategy.

TRAINING OBJECTIVES

Ensuring compliance with PCI requirements and advancing good data security practices are two of the main drivers of data security awareness training.

Ensuring compliance with PCI requirements (specifically requirement 12.6 of the PCI DSS) is the predominant goal of security awareness training for companies who currently offer it. This aligns with an increased emphasis on security awareness training as reflected in the latest version (v3.0) of the PCI DSS standard.

PCI Data Security Standard v3.0, requirement 12.6: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. If personnel are not educated about their security responsibilities, security safeguards and processes that have been implemented may become ineffective through errors or intentional actions.

The Ponemon study also shows that a significant number of organizations implement programs to improve their overall level of data security. This quickly growing trend stems from an increase in the number and severity of security threats, and encompasses objectives such as advancing good data security practices, preventing information loss or theft, preventing reputation or brand damage, and changing employee behaviors.

Question: What is the primary purpose of PCI DSS or other security awareness training? (select the top two)
Note: Percentages total 200% due to allowing two answers from each of the 1,394 respondents.
B. Curriculum Development, Customization, Delivery

Once the training objectives are understood, the next step is to make some decisions about the curriculum itself, and how it will be delivered to employees.

CONTENT CUSTOMIZATION

Of the respondents who do provide training, 38% adapt the content to fit employees' job functions. Of that group, 45% stated that IT professionals are the most likely to receive customized training.

Each job function or role requires different types of information, and very few technical training programs are applied equally across employee roles. For instance, when it comes to information security practices, management and administrative teams may require merely a broad awareness of the subject matter. Conversely, the technical IT team, which is typically responsible for critical infrastructure and support systems, needs customized (and possibly more frequent) training to recognize and manage new threats and attacks.

In some cases, increasingly granular distinctions in job responsibility drive further training customization within the IT department. Where some employees focus on hardware and networking, for example, others may be solely responsible for Internet-dependent transactions or application deployment. In these cases, focused awareness training can be developed using a tiered approach: all employees receive general content; the IT department receives a more technical layer; and the Web or Networking teams get even more specific material related to secure coding and/or the technologies they use. An effective program builds the right level of detail for each group of constituents using this layering approach, building upon foundational concepts that are relevant and timely for each role.

Figure: tiered training audiences. All Employees; IT Department Only; Web Team, Networking Team, etc.
Question: Which functions receive customized training? (check all that apply)
  IT: 66%
  Internal audit or risk management: 45%
  Senior or middle management: 31%
  Customer-facing people: 22%
  Finance & accounting: 10%
  Other: 13%
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.
DELIVERY METHOD

Most companies who offer PCI DSS training deliver it via computer-based training (CBT).

In addition to content customization, the learning platform itself should be tailored to specific organizational roles and training goals. There are many ways to train employees, but the Ponemon survey results show CBT to be the most popular method of delivery, which supports the need for frequent curriculum updates and short education sessions. And because the timeframe for rolling out training for many companies is within 6 months, quick development and deployment are important.

However, CBT is not the only effective method, and it is not the right solution for all training needs. Effective organizations assess their training audience and goals, and then evaluate all delivery options before assuming one method of training is better than the rest. It is not uncommon for companies with more complex training requirements to implement a hybrid program consisting of multiple delivery options, which can include instructor-led courses, virtual instructor-led courses, recorded live presentations, static slide decks, and many others. Additionally, companies leverage newsletters, updates, posters and other reinforcement assets to keep security at the forefront of their staff's minds.

Figure: Training Formats.
Question: How is your organization's PCI DSS training delivered? (check all that apply)
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.
TRAINING DEVELOPMENT

About half of the organizations that currently provide training for their employees procure it from a third-party vendor, rather than developing a program in-house.

Developing, implementing and tracking an information security awareness training program usually requires a significant investment in both staff and technology. Many organizations don't have the internal resources to devote to this endeavor; therefore, they partner with external organizations to make sure employees are trained effectively on the most current threat information.

Sidebar: What to Look for when Selecting a Third-Party CBT Vendor. Meeting PCI DSS requirements.

PCI DSS compliance is as important for small companies as it is for enterprises, but they operate with fewer resources and smaller budgets, so outsourcing is often the best option for them. According to a 2011 study from the American Society for Training and Development (ASTD) [1], smaller organizations (fewer than 500 employees) spent almost twice as much per employee on training as large companies (more than 10,000 employees), or $1,605 vs. $825, respectively. It's logical to assume that ASTD's explanation for this phenomenon applies to the information security industry: the cost to develop and administer an hour of training at a large corporation is spread among many more employees than at a small organization with fewer employees.

[1] American Society for Training and Development, ASTD 2012 State of the Industry Report: Organizations Continue to Invest in Workplace Learning, November 8, 2012.
PROGRAM CUSTOMIZATION

Of the companies that currently provide formal training to employees via externally developed CBT programs, most have it customized with content or branding unique to their organization.

Companies frequently outsource training program development to a third party, but often the curriculum must comprise unique content about the company's equipment or industry. It's not uncommon for organizations to require training about a unique process or custom hardware. And in many cases, they must satisfy niche industry regulations that necessitate specialized subject matter.

Even when the training curriculum does not require customization, many companies incorporate internal product and program lingo into the instructional content, questions and answers, giving employees an increased sense of relevance. This technique is effective in any situation where the goal is to personally engage the user.

Regardless of whether the training content itself reflects customization, it is usually branded with the organization's logo or other internally recognized imagery, reinforcing employees' perception of corporate endorsement or validation. This subtly helps underscore the message that the company believes in the importance of this training initiative, and considers it to be a significant part of the corporate culture. Without this message, participants may feel the training is strictly a formality and, as a result, may not pay as close attention as they would if they recognized it as a management-sponsored initiative. Furthermore, many companies brand everything they publish internally or externally, if only to further establish brand strength.

Question: Did the computer-based training feature any of the following types of customization? (check all that apply)
  Our company's logo: 69%
  Partially customized for company-specific content: 64%
  Fully customized for company-unique regulations, equipment, etc.: 32%
  Other custom features: 29%
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.
FREQUENCY OF UPDATES

Most respondents who provide training said the curriculum is updated at least once per year.

Because data security is an extremely dynamic issue, employee training on security threats, recent attacks and industry trends must be current. The Ponemon research shows that 21% of companies who offer security awareness training update the curriculum more than once per year, and another 40% update it about once per year. Many content changes reflect developments in the data security industry, such as technologies, threats, policies and more. Since it doesn't take long for security awareness content to become obsolete, organizations must be able to disseminate updated material easily. The variability of data security training content makes it ideal for online CBT delivery, since updates can be rolled out easily and quickly.

Question: How often is the security training curriculum changed or updated?

DURATION OF TRAINING

More than half said their PCI DSS training contains less than 30 minutes of material.

The advantage of focused, short modules is that they allow bite-sized learning sessions that fit well into employee schedules. This works well, as long as employees get what they need to ensure the appropriate level of data security for the company. In addition, a long session that covers an exhaustive list of problems and solutions won't be useful when a specific issue crops up and the employee can't readily access the right information. When it comes to compliance, quite often the most effective training support consists of short CBT modules, with access to reference materials, trainers and other subject matter experts when real-time issues arise.

Question: On average, how long does it take employees to complete the PCI DSS training?

A secondary risk is that a short training program may not have as high a perceived value as something more involved. As a result, it is incumbent upon every organization to convey the importance of the initiative, and to ensure the curriculum is comprehensive.
C. Measuring Results

Given the importance of information security awareness, as well as the corporate investment of time and money that goes into training, measurement of success is critical. Organizations should evaluate whether their training program contains the right content and uses the right approach, so that any necessary adjustments can be made, thus ensuring the highest possible return on investment (ROI).

IMMEDIATE FEEDBACK

Most organizations that currently provide formal PCI DSS training measure the impact upon program completion.

Gathering immediate subjective feedback about the training program is important because a significant element of immediate and long-term training completion and success is participant satisfaction. Asking mostly multiple-choice and a few simple open-ended questions typically gives the review team the information needed:
  Was the program easy to follow?
  Did the curriculum seem applicable to the job at hand?
  Did you feel the time it took was well spent?
  How could it be better?

Employee Satisfaction: 58% of survey respondents reported employees were not fully satisfied with existing PCI DSS security training.

Regardless of whether a company surveys or tests the employees (or uses another means of measuring the session's immediate impact), it's important they take the next step by communicating the participants' feedback to the management and tactical teams responsible for training, either via an informal brainstorm session, a data-heavy report, or something in between. The final crucial step is acting on the feedback. Even if a third party developed the training program, organizations should be able to work closely with them to make adjustments. By gathering, sharing and acting on participant feedback, the training experience can be more positive and effective.

Question: How does your organization measure the impact of its PCI DSS training?
MEASURING LONG-TERM EFFECTIVENESS

38% of organizations track the long-term effectiveness of their PCI DSS training programs, and of those, more look at reductions in non-compliance incidents than any other indicator.

Although it's important to get employee feedback about the content and curriculum, the success of any information security awareness program must be tied back to the goals of increasing the level of compliance with PCI DSS and other mandates, as well as a demonstrable reduction in attacks. If a training initiative falls short of reaching the organization's objectives (e.g., "x% fewer compliance incidents over a y-month period"), it can sometimes help to incorporate learning milestones. Employees are often more motivated to learn, and to retain knowledge, when the training isn't treated as just a check-box activity.

Employer Satisfaction: 64% of survey respondents reported being less than fully satisfied with existing PCI DSS security training.

Although only 38% of survey respondents say they measure the long-term effectiveness of their PCI DSS training, measurable milestones throughout a training effort are an easy way to show progress, and to share individual accomplishments within the team.

Question: Does your organization use the following metrics to track the long-term effectiveness of its PCI DSS training?
D. Plans for Training

With an increased focus on information security awareness training in the new version of the PCI DSS, many organizations that don't currently provide training are feeling the need to formalize their programs and ensure applicable staff members are trained.

IMPLEMENTATION SCHEDULE AND BUDGET

Of the companies who do not currently have a formal training program but plan to develop one, 26% expect to do so in . Many of these organizations will spend a significant amount of money ensuring their employees receive the right training.

Many organizations now prioritize employee security awareness training more than they have in the past. This is not surprising given the level of risk in today's online payment environment. And because most of these companies employ thousands of people, the training budgets are reaching into the hundreds of thousands of dollars in many cases.

Question: What best describes the timeframe for starting the deployment of a formal security training or awareness program?
  Immediately: 5%
  Within 6 months: 24%
  Within 1 year: 35%
  More than a year: 25%
  Don't know: 11%

Question: What is the total cost of ownership budgeted for the new security training or awareness program? (excludes employees' direct labor costs)
  None: 5%
  < $50,000: 12%
  $50,000 to $100,000: 11%
  $100,001 to $250,000: 11%
  $250,001 to $500,000: 21%
  $500,001 to $1,000,000: 27%
  More than $1,000,000: 14%
PROGRAM REQUIREMENTS

For the organizations who don't currently offer a formal training program but who plan to deploy one in the future, most will require the ability for training to be delivered through an extranet portal, incorporate social media and , and be delivered online.

The most important criterion when developing employee training strategies is ensuring access to training via an extranet portal, making it easily available wherever an employee has a web browser and Internet connection. Organizations also benefit from being able to centralize training deployment for ease of content updates (this regularly applies to information security awareness training) and tracking. In some cases, portals also offer a collaborative environment, encouraging participants to work together and share information.

As in almost every other area of business communications, the use of social media is growing quickly. As the Ponemon survey data shows, many companies are building it into what is increasingly considered a social learning model. Organizations who use social media platforms to share information internally via an intranet can apply the same approach for sharing information security awareness content. Social media communities also enhance online coursework by making information sharing and collaboration easier, and can be helpful as an ongoing reference resource.

The use of and newsletters is the next most common requirement for awareness training. This is not surprising, given the ubiquitous nature and low cost of this method of communication. Sharing processes, standards and other updates by push communication lets an organization get the information to the right audience quickly and consistently.

Computer-based training (CBT) is the last of the top criteria when developing a new security training or awareness program. This correlates to a previous finding, which showed that the vast majority of training is already delivered this way. It's more scalable, cost-effective and convenient than classroom training, and is easy to update.

Question: What are the requirements for the new security training or awareness program? (check all that apply)
Note: Percentages do not total 100% due to the potential for multiple answers from each respondent.
Summary

Today's information security landscape is in constant flux, and IT professionals have learned to anticipate change of all kinds: new threats, new risks, new technologies, and new processes. Employee training is one of the most effective tools to combat this onslaught of attacks and to remain in compliance with PCI DSS and other industry compliance mandates and standards. To summarize, the results of the 2014 Ponemon Institute Information Security Awareness Training Trends survey illustrate the current state of employee training in the payment card industry via the following key findings:

1. Improving overall security and ensuring compliance with PCI requirements are the two most common drivers of data security awareness training.
2. Within organizations that offer training tailored to job function, IT departments receive the most customized PCI DSS curriculum.
3. Most companies who offer PCI DSS training deliver it via computer-based training (CBT).
4. About half of the organizations that provide training via CBT lean on third-party vendors for development of the programs.
5. Most organizations customize their externally developed training curriculum with content that is relevant to their organization.
6. Most of the respondents who provide formal training indicated their curriculum is updated at least once per year.
7. Most survey respondents say their PCI DSS training takes less than half an hour to complete.
8. The predominant requirements for a new training program are that it is accessible through an extranet portal, includes social media and , and is primarily computer based.
9. More than two-thirds of organizations measure the immediate impact of their PCI DSS training using employee tests or satisfaction surveys upon program completion.
10. The most popular way for organizations to measure the long-term effectiveness of their PCI DSS training is by tracking reductions in non-compliance incidents.
11. Most companies who offer formal training programs update the content regularly.
12. About two-thirds of companies who offer a formal program currently train less than a quarter of their workforce.
13. More than a quarter of companies who don't currently offer a formal training program plan to roll one out in . Of the companies that plan to implement a new training program, about three-quarters plan to spend over $100,000 and many of them will spend over $500,000.

With the right attention to content, delivery method, customization, and measurement, organizations can achieve and maintain compliance with PCI DSS and other standards, while making the most of training budgets and employees' time.
Appendix A: Survey Respondents

In November 2013, the Ponemon Institute collected 3,089 responses to their online PCI Awareness Training Survey. Following is a breakdown of the participants by various categories.

Global Region
  N. America: 32%
  EMEA: 29%
  Asia-Pacific: 23%
  Latin America: 16%

Annual Transactions
  Over 6 million (Tier 1): 35%
  1 to 6 million (Tier 2): 46%
  Less than 1 million (Tiers 3, 4): 17%
  Credit card issuer or service provider: 3%

Job Position
  Staff/technician: 33%
  Manager: 21%
  Director: 16%
  Supervisor: 13%
  Admin: 6%
  Consultant/contractor: 3%
  C-level executive/VP: 3%
  Business owner: 2%
  Other: 2%

Employee Headcount
  Less than 500: %
  500 to 1,000: 19%
  1,001 to 5,000: 20%
  5,001 to 10,000: 20%
  10,001 to 25,000: 24%
  More than 25,000: 7%

Primary Industry Classification
  Ecommerce: 12%
  Retail: 8%
  Financial: %
  Other: 7%
  Consumer products: 7%
  Public sector: 7%
  Services: 7%
  Industrial/manufacturing: 6%
  Technology/software: 5%
  Entertainment/publishing: 5%
  Health/pharmaceutical: 5%
  Automotive: 4%
  Communications: 4%
  Education & research: 4%
  Logistics/distribution: 4%
  Non-profit: 4%
  Financial service provider: 3%
  Airlines: 3%
  Other: 4%
Appendix B: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in November. Global sample: 3,089.

Screening question S1. What best describes your level of involvement in PCI DSS training, compliance and/or audit activities within your organization? (Freq, Pct%)
  Very significant
  Significant
  Some
  Minimal or none (stop): 0 (0%)
  Total

Part 1. PCI DSS training & awareness programs

Q1. What best describes your role in managing the IT security function or activities within your organization? Check all that apply.
  Setting IT security priorities
  Administering security programs
  Managing IT security budgets
  Selecting vendors and contractors
  Determining IT security strategy
  Evaluating program performance
  None of the above (stop): 0 (0%)

Q2. In your role, how much responsibility do you have for IT security training activities?
  Full or primary responsibility
  Some or secondary responsibility
  Minimal or no responsibility: 285 (9%)
  Total

Q3. Does your organization have a PCI DSS training or other security awareness program?
  Yes
  No [Go to Part 2]
  Total

Q4. What best describes your level of satisfaction with existing PCI DSS security training or awareness activities?
  Very satisfied
  Satisfied
  Somewhat satisfied
  Not satisfied
  Total

Q5. What best describes employees' satisfaction with their existing PCI DSS security training or awareness activities?
  Very satisfied
  Satisfied
  Somewhat satisfied
  Not satisfied
  Total

Q6. What percentage of your total workforce participated in a basic IT security training program within the past 12 months?
  < 10%
  10 to 25%
  26 to 50%
  51 to 75%
  76 to 100%: 71 (5%)
  Total

Q7. What percentage of your total workforce participated in a security training program that specifically focused on PCI DSS requirements within the past 12 months?
  < 10%
  10 to 25%
  26 to 50%
  51 to 75%
  76 to 100%: 39 (3%)
  Total

Q8. How is your organization's PCI DSS training delivered? Please check all that apply.
  Computer-based training
  Classroom training
  updates/newsletter
  Extranet or internal web site
  Social media: 109 (8%)
  Posters
  Other

Q9. If the training is computer based, what features does it include? Please check all that apply.
  Audio
  Animation
  Live action video vignettes
  Tests or quizzes
  Games
  Other: 58 (6%)

Q10a. Did a third party (contractor or vendor) produce the computer-based training used by your organization?
  Yes
  No
  Total

Q10b. If yes, did the computer-based training feature any of the following? Please check all that apply.
  Our company's logo
  Partially customized content to be relevant to our company
  Fully customized content to cover our company's unique regulations, specific equipment, specific environmental and facility factors
  Other custom features
  None of the above

Q11. On average, how long does it take employees to complete the PCI DSS training?
  < 15 minutes
  15 to 30 minutes
  31 to 60 minutes
  More than one hour
  Total

Q12. Is the PCI DSS training delivered in a single session or spread over the year?
  One time
  Once a year
  Quarterly
  Monthly
  Other: 36 (3%)
  Total

Q13. When does your organization deliver the bulk of its security awareness and/or PCI DSS training?
  January through March: 117 (8%)
  April through June
  July through September
  October through December
  Staggered: different times for different groups
  Total

Q14. How often is the security training curriculum changed or updated?
  Never or infrequently
  Approximately once each year
  More than once each year
  Unsure
  Total

Q15. If computer-based training is used, are PCI DSS training sessions hosted on your organization's in-house learning management system or in the cloud?
  On our own learning management system
  In the cloud or on vendor servers
  Combination (hybrid)
  Total

Q16a. Is the content for PCI DSS training different or adapted for the employees' specific job function?
  Yes
  No
  Total

Q16b. If yes, which functions receive customized training? Please check all that apply.
  Finance & accounting: 55 (10%)
  Information technology
  Senior or middle management
  Internal audit or risk management
  Customer facing people (Sales, support, etc.)
  Other: 68 (13%)

Q17. What topics are covered in the PCI DSS training program? Please check all that apply.
  security
  Use of the Internet
  Use of social media
  Desktop security
  Mobile device security
  Password and other authentication methods
  Working from home and remote locations
  Classification of sensitive information
  Proper handling of sensitive information
  Proper handling and destruction of paper documents
  Physical security measures such as securing away sensitive information and devices
  Safe disposal of computing equipment

Q18. What is the primary purpose of PCI DSS or other security awareness training? Please check the top two choices only. (Choice 1, Choice 2, Combined Pct%)
  Ensuring compliance with internal policies and procedures
  Ensuring compliance with PCI requirements
  Ensuring compliance with another regulation (please specify)
  Advancing good data security practices
  Preventing information loss or theft
  Preventing reputation or brand damage
  Changing employee behaviors
  Other
  Total

Q19. How does your organization measure the impact of its PCI DSS training?
  Survey employees about their satisfaction with the training
  Test or quiz employees following training
  Conduct phishing tests internally or with partner
  Conduct social engineering tests internally or with partner: 126 (9%)
  None of the above: 116 (8%)
  Other: 69 (5%)
  Total
Any organization that stores, processes or transmits information related to credit and debit card payments has a responsibility to protect each cardholder s personal data. To help accomplish this goal,
The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA Sponsored by Zimbra Independently conducted by Ponemon Institute LLC Publication Date: November 2014 Ponemon Institute
white paper Four steps to improving cloud security and compliance Despite the widespread proliferation of cloud computing, IT decision makers still express major concerns about security, compliance, and
Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Sponsored by FireMon Independently conducted by Ponemon Institute LLC Publication Date: April 2014 2 Security Metrics to Manage Change:
The SQL Injection Threat Study Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: April 2014 1 The SQL Injection Threat Study Presented by Ponemon Institute, April
latest thinking We d Like That on Our Laptops, Notebooks, Tablets and Smartphones, Please Enabling enterprise mobility with Microsoft System Center and cloud Enterprise mobility is no longer the domain
Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication
Risk & Innovation in Cybersecurity Investments Sponsored by Lockheed Martin Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report Part 1. Introduction
The State of Data Security Intelligence Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report The State of Data Security
Data Security in Development & Testing Sponsored by Micro Focus Independently conducted by Ponemon Institute LLC Publication Date: July 31, 2009 Ponemon Institute Research Report Data Security in Development
Achieving Security in Workplace File Sharing Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction Achieving
USAGE OF METRICS AND ANALYTICS IN EMEA MOVING UP THE MATURITY CURVE USAGE OF METRICS AND ANALYTICS IN EMEA MOVING UP THE MATURITY CURVE When we asked business executives about the importance of human capital
Dimension Data s offering What s on your mind? Is your infrastructure management strategy optimal? Are you achieving optimum ROI on your infrastructure management investment? Are you employing the latest
white paper Private Cloud for Every Organization Leveraging the community cloud As more organizations today seek to gain benefit from the flexibility and scalability of cloud environments, many struggle
opinion piece IT Security and Compliance: They can Live Happily Ever After Contents Pitfalls, misconceptions and mistakes 01 It s not all doom and gloom 01 Take the right steps towards compliance and IT
Data Sheet Cisco Conference Connection Cisco IP Communications a comprehensive system of powerful, enterprise-class solutions including IP telephony, unified communications, IP video/audio conferencing,
STATE OF THE DATA CENTER SURVEY GLOBAL RESULTS SEPTEMBER 2012 CONTENTS 3 METHODOLOGY 4 INTRODUCTION 5 DATA CENTER COMPLEXITY IS PERVASIVE 6 EFFECTS OF DATA CENTER COMPLEXITY ARE DIVERSE AND COSTLY 8 IT
Breaking Bad: The Risk of Insecure File Sharing Sponsored by Intralinks Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research Report Breaking Bad: The
STATE OF THE DATA CENTER SURVEY GERMANY RESULTS SEPTEMBER 2012 CONTENTS 3 METHODOLOGY 4 INTRODUCTION 5 DATA CENTER COMPLEXITY IS PERVASIVE 6 EFFECTS OF DATA CENTER COMPLEXITY ARE DIVERSE AND COSTLY 8 IT
0 Global Survey on Social Media Risks Survey of IT & IT Security Practitioners Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication Date: September 2011 1 Global Survey on
Third Annual Study: Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute
The success of your business depends on your ability to adapt to a dynamic market environment, where globalisation and economic pressures are reshaping the landscape. To remain competitive, your organisation
Dimension Data s Uptime Support Service As more technology enters the world, and is introduced into organisations, the typical IT environment increases in complexity. Businesses require higher levels of
INFORMATION GENERATION VANSON BOURNE RESEARCH FINDINGS 1 RESEARCH METHODOLOGY VANSON BOURNE QUALITATIVE: ENGAGED 40+ EXPERTS & ACADEMICS E X P E R T S 40+ influential global decision-makers, experts and
opinion piece opinion piece Application Security No Longer a Pipe Dream Application Security No Longer a Pipe Dream Security professionals who find themselves struggling to chart a course through the application
Data Breach: The Cloud Multiplier Effect Sponsored by Netskope Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report Part 1. Introduction Data Breach:
A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively
Desktop Virtualisation Solutions Adapting to a new reality in client computing Adapting to a new reality Businesses today are increasingly realising not only the inevitability of consumer-owned, mobile
2013 GLOBAL PERFORMANCE MANAGEMENT SURVEY REPORT Executive Summary contents Overview Key Findings: Critical Drivers of Performance Management Success Industry Insights Regional and Country Insights Participant
Governance, Risk and Compliance Assessment Information security is a pervasive business requirement and one that no organisation can afford to get wrong. If it s not handled properly, your business could
Face Today s Threats Head-On: Best Practices for a BYOD World Chris Vernon CISSP, VTSP Security Specialist Agenda Mobile Threats Overview 2013 State of Mobility Survey Canada BYOD Best Practices 2 Mobile
Contact Centre Integration Assessment How well are your business objectives aligned with the right contact centre technologies? Knowing how the technology in your contact centre supports service delivery
white paper Service Providers Need Flexible Cloud Services to Compete Enterprise Customers Demand Flexible Cloud Solutions When the concept of cloud services first came about, there was a great deal of
The Advanced Cyber Attack Landscape FireEye, Inc. The Advanced Cyber Attack Landscape 1 Contents Executive Summary 3 Introduction 4 The Data Source for this Report 5 Finding 1 5 Malware has become a multinational
The Challenge of Preventing Browser-Borne Malware Sponsored by Spikes Security Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Part 1.
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
Enabling organisations to focus on core revenue generating activities Your business needs reliable, flexible and secure communication tools to enable better connectivity and collaboration with your employees,
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
best practice guide The Three Pillars of a Secure Hybrid Cloud Environment best practice guide The Three Pillars of a Secure Hybrid Cloud Environment Introduction How sound risk management, transparency
2014: A Year of Mega Breaches Sponsored by Identity Finder Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report Part 1. Introduction 2014: A
The Unintentional Insider Risk in United States and German Organizations Sponsored by Raytheon Websense Independently conducted by Ponemon Institute LLC Publication Date: July 2015 2 Part 1. Introduction
Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)
WHITE PAPER MARCH 2014 TechInsights Report: The Changing Role of IT and What to Do About It 2 WHITE PAPER: THE CHANGING ROLE OF IT AND WHAT TO DO ABOUT IT ca.com Executive Summary Today s challenging and
Global Study on the State of Payment Data Security 3 Introduction We are pleased to present the findings of The Global Study on the State of Payment Data Security Study conducted on behalf of Gemalto by
The SQL Injection Threat & Recent Retail Breaches Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2014 1 Part 1. Introduction The SQL Injection Threat &
Avoiding The Hidden Costs of the Cloud 2013 CONTENTS 4 5 6 7 8 9 10 INTRODUCTION ROGUE CLOUD IMPLEMENTATIONS CLOUD BACK UP AND RECOVERY INEFFICIENT CLOUD STORAGE COMPLIANCE AND ediscovery SSL CERTIFICATE
Kiosks are Here Are You Ready? What You Need to Know to Get Started with Kiosks executive summary For several years running there have been an average of more than 125 new self-service kiosks installed
Data Security in the Evolving Payments Ecosystem Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report
2012 Country RepTrak Topline Report The World s View on Countries: An Online Study of the Reputation of 50 Countries RepTrak is a registered trademark of Reputation Institute. Global Reputation Knowledge
www.wipro.com HR - A STRATEGIC PARTNER Evolution in the adoption of Human Capital Management systems FUTURE READY SYSTEM FOR AN INSPIRED WORKFORCE Anand Gupta, Director, Oracle Cloud Services, Wipro Table
Data Sheet Cisco IOS Public-Key Infrastructure: Deployment Benefits and Features Introduction to Public Key Infrastructure Public Key Infrastructure (PKI) offers a scalable method of securing networks,
opinion piece Understanding the 12 Requirements of PCI DSS Practical steps to achieve and maintain compliance Regardless of whether you are a retailer, service provider or a bank, if you process any form
Symantec Control Compliance Suite Overview Addressing IT Risk and Compliance Challenges Only 1 in 8 best performing organizations feel their Information Security teams can effectively influence business
Exploring the Landscape of Philippine Cybersecurity Understanding the Risk and Taking Appropriate Steps to Mitigate Cybersecurity Threats Freddy Tan, CISSP Chairperson, (ISC)² Board of Directors Copyright
white paper Software-as-a-service Delivery: The Build vs. Buy Decision Introduction In order to deliver software on-demand, companies must either build and manage an infrastructure capable of supporting
Security Solutions Today, your business doesn t just rely on IT, it s dependent on secure IT. Against the backdrop of a constantly evolving security threat landscape, increased demands around compliance
2012 Application Gap Study: A Survey of IT & s Research sponsored by Innovation Independently Conducted by Ponemon Institute LLC March 2012 1 2012 Application Gap Study: A Survey of IT & s March 2012 Part
2012 Study on Application Security: AS Survey of fits Security and dd Developers Ed Adams, CEO Security Innovation Dr. Larry Ponemon Ponemon Institute 2012 ISACA Webinar Program. 2012 ISACA. All rights
SERVICES OVERIVEW CISCO METRO ETHERNET SERVICES AND SUPPORT In the ever-changing communications market, incumbent service providers are looking for ways to grow revenue. One method is to deploy service
Global Insights on Succeeding in the Customer Experience Era 1 Contents Introduction 3 Methodology 4 Executive Summary 6 Findings 7 Our Take 16 Industry & Regional Appendix 18 2 Introduction Today s consumers
Income INTECH Global Income Managed Volatility Fund Australia 0.0066 0.0375 Austria 0.0045 0.0014 Belgium 0.0461 0.0138 Bermuda 0.0000 0.0059 Canada 0.0919 0.0275 Cayman Islands 0.0000 0.0044 China 0.0000
Crisis and issues management Your reputation is everything. It is who you are, how you are perceived and your licence to operate. You ve worked hard to build and protect the reputation of your organisation,
A Nielsen Report Global Trust in Advertising and Brand Messages April 2012 CONSUMER TRUST IN EARNED ADVERTISING GROWS IN IMPORTANCE Earned media sources remain most credible Trust in traditional paid advertising
opinion piece Cloud Computing The journey begins Many CIOs view cloud computing as their salvation in the current economic downturn, as it promises to deliver IT services to subscribers at a lower cost.
Reputation Impact of a Data Breach U.S. Study of Executives & Managers Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon
SECURITY OF VIRTUAL INFRASTRUCTURE IT SECURITY RISKS SPECIAL REPORT SERIES Kaspersky Lab 2 Corporate IT Security Risks survey details: More than 5500 companies in 25+ countries around the world Top managers
In many mature financial organisations, middle-and back-office functions already collaborate via high-quality, well-integrated voice and video traffic. Their trading floors, on the other hand, still operate
Avoiding The Hidden Costs of the Cloud Germany Enterprise Results 2013 CONTENTS 4 5 6 7 8 9 10 INTRODUCTION ROGUE CLOUD IMPLEMENTATIONS CLOUD BACK UP AND RECOVERY INEFFICIENT CLOUD STORAGE COMPLIANCE AND
BT Managed Event and BT Self-Managed Event (also referred to as Express, Plus and Premium) Conference Bridge and Call for Booked Audio Conferencing Services will comprise the following for each phone-conference:
DATA SHEET Cisco Blended Agent: Bringing Call Blending Capability to Your Enterprise Cisco ICM software has traditionally enabled companies to distribute inbound service volume to a variety of termination
Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners Sponsored by McAfee Independently conducted by Ponemon Institute LLC Publication Date: October 2011 Ponemon Institute Research.
3D Workspace: a new dimension to your desktop The desktop management landscape has changed As the world of work changes, so do the mechanics of IT management and delivery. Technology advances like virtualised
2011 Morrison & Foerster LLP All Rights Reserved mofo.com Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister Presenter Miriam Wugmeister Morrison & Foerster LLP New York
The Post Breach Boom Sponsored by Solera Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Part 1. Introduction The Post Breach