What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage

Transcription

1 What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage Sponsored by ObserveIT Independently conducted by Ponemon Institute LLC June 2015 Ponemon Institute Research Report

2 Part 1. Introduction What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage Ponemon Institute, May 2015 Abused application access and data misusage have been the cause of the majority of data breaches, as well as costly fines and litigation. Consider the case of the Morgan Stanley financial advisor who accessed a financial application and downloaded account data on 10 percent of their wealth management clients (~350,000 people). Or, an AT&T call center employee who accessed sensitive customer data without adequate authorization and exposed customer names and Social Security numbers (~280,000 people). Companies and their employees are becoming increasingly dependent upon applications to achieve business goals and increase productivity. However, the proliferation of applications is creating a serious security risk because identifying users risky behavior and non-compliance with policies can be nearly impossible. The typical organization now collects and stores a vast amount of customer data. In addition, the large number of employees accessing applications makes it difficult for organizations to keep track of exactly who s doing what. Historically, companies have identified these types of risks through audits and assessments of application access and usage logs. This manual process is resource intensive. It requires significant staff time to correlate and review logs due to the large volume of users and activity. In addition, each application logs user actions differently and at varying levels of granularity with many applications not producing logs at all. These logs typically contain hundreds or thousands of discrete events in obscure technical language. As a consequence, organizations that rely upon logs from applications and devices find it nearly impossible to determine what a user actually did. Ponemon Institute is pleased to present What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage, sponsored by ObserveIT. The purpose of this study is to examine application access and usage and how it has created a major security problem for organizations. In the context of this research, application access and usage includes both application admins who provide entitlements within core applications and general business users who leverage applications on a daily basis to perform key tasks for their jobs. The study surveyed 610 U.S. IT and IT security practitioners. The majority of respondents are very familiar (27 percent) or familiar (48 percent) with their organization s approach to monitoring application users. Seventy-nine percent have responsibility for detecting and/or investigating instances of suspicious user activities within the organization. The study reveals why this issue is a growing and unaddressed risk: Audits and formal assessments reveal deficiencies in monitoring application access and usage, according to 71 percent of respondents. Only eight percent of respondents say their organizations have deployed commercial auditing and monitoring solutions for application access and usage. Application users are most likely to cause a security breach because of negligence. Monitoring is mainly done by ad hoc or manual systems (36 percent of respondents) or homegrown that focuses on privileged users (20 percent of respondents). Current monitoring capabilities are unable to detect unusual behavior and 45 percent of respondents give them very low marks. Ponemon Institute : Private & Confidential Report Page 2

3 Part 2. Key Findings In this section, we provide a detailed analysis of the research findings. The complete audited findings are presented in the appendix of this report. We have organized the findings according to the following three topics: A needle in a haystack: detecting application access abuse and negligence The connection between risky application behavior and security breaches On-premise vs. the cloud environment and application user risk A needle in a haystack: detecting the abuse of application access and data misusage Is risky application access and usage being overlooked, ignored and not receiving the priority it deserves? Figure 1 shows many respondents do not agree or are unsure that it is difficult to detect user abuse and, as a result, it puts application security at risk. While 54 percent of respondents admit it is difficult to identify application user activities that are illegal or inappropriate in real time, 45 percent of respondents do not agree (19 percent of respondents) or unsure (26 percent of respondents). Similarly, the majority of respondents (54 percent) say it is difficult to separate application user abuse from external attacker activity. However, 46 percent of respondents do not agree (18 percent) or unsure (28 percent) this is the situation in their organizations. With respect to the monitoring of application usage, 49 percent of respondents do not agree (20 percent) or are unsure (29 percent) that the frontend is as secure as backend data storage infrastructures. Similarly, the majority of respondents (54 percent) say it is difficult to separate application user abuse from external attacker activity. However, 46 percent of respondents do not agree (18 percent) or unsure (28 percent) this is the situation in their organizations. Figure 1. Is it difficult to detect application user negligence and abuse? It is difficult to identify application user activities that are illegal or inappropriate in real time 19% 26% 54% It is difficult to separate application user abuse from external attacker activity 18% 28% 54% Application usage (frontend) is not as monitored or secured as backend data storage infrastructures 20% 29% 50% 0% 10% 20% 30% 40% 50% 60% Agree Disagree Unsure Ponemon Institute : Private & Confidential Report Page 3

4 Business users are often not as security conscious as IT administrators and as a result put confidential and sensitive data at risk. User-based threats of most concern are users making mistakes (44 percent) or turning malicious (31 percent). Only 25 percent are concerned with users being targeted by attackers. Business users are typically less careful about using complex passwords, protecting the confidentiality of their passwords, and being aware of social engineering techniques. As a result they are an easy target for phishing scams and other attackers. Fifty-one percent of respondents say companies are facing the increasing use of phishing tactics to obtain users access credentials. Figure 2. What user-based threats concern your organization the most? User making mistakes (i.e., negligence) 44% User turning malicious 31% User being targeted by attackers 25% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Ponemon Institute : Private & Confidential Report Page 4

5 Problems in identifying negligent behavior are putting organizations at risk. Figure 3 reveals that log collection and analysis is not effective in identifying application users who misuse sensitive or confidential information, according to 52 percent of respondents. However, there is uncertainty about the ability to use log collection and analysis (30 percent of respondents). Moreover, organizations are not able to capture the actions taken by application users from login to logout. Figure 3. Detecting negligent behavior is difficult Our organization is unable to capture the actions taken by application user from login to logout 21% 28% 52% Log collection and analysis is not effective in identifying application users who misuse sensitive or confidential information 19% 30% 49% 0% 10% 20% 30% 40% 50% 60% Agree Disagree Unsure Ponemon Institute : Private & Confidential Report Page 5

6 The connection between risky application user behavior and security breaches Companies are experiencing at least one serious security breach per month. On average, companies in this study had nine security breaches in the past year. As shown in Figure 4, most of these breaches were discovered by audit or assessment (66 percent of respondents), accidental discovery (55 percent of respondents) or notification by partner or third party. Only 33 percent of respondents say they are detected through automated monitoring or by use of forensic methods and tools (26 percent of respondents). Figure 4. How security breaches are discovered More than one response permitted Audit or assessment 66% Accidental discovery Notification by partner or other third party 50% 55% Detection through manual monitoring 39% Detection through automated monitoring 33% Use of forensic methods and tools 26% Notification by law enforcement Other 10% 15% 0% 10% 20% 30% 40% 50% 60% 70% Ponemon Institute : Private & Confidential Report Page 6

7 How many security incidents are linked to privileged users, application users and/or third parties because of negligence, malice or stolen credentials by outside attackers? According to the findings, application users are mostly responsible for user-based threats caused by negligence and attackers (71 percent and 42 percent of respondents, respectively) and privileged users are mostly responsible for threats involving malice (52 percent), as shown in Figure 5. Figure 5. Who caused the security breach? 80% 70% 71% 60% 52% 50% 40% 38% 34% 42% 30% 20% 10% 18% 11% 10% 24% 0% User-based threats caused by negligence User-based threats caused by malice User-based threats targeted by attackers Privileged users Application users Third parties Applications used in customer support and in the C-suite put organizations at risk. According to Figure 6, the business functions that pose the greatest user-based threats are customer support (18 percent), executive management (17 percent) and sales force operations (14 percent). The most risky are: newly hired employees (34 percent) employees rated as poor performers (23 percent) and those who work from remote locations (17 percent). Figure 6. Which business function poses the greatest user-based threats? Only one response permitted Customer support 18% Executive management 17% Sales force operations 14% Marketing & communications 11% Corporate IT 9% Finance & accounting Legal & compliance 8% 7% Logistics & procurement 6% Data center operations Research & development 4% 5% Other 1% 0% 2% 4% 6% 8% 10% 12% 14% 16% 18% 20% Ponemon Institute : Private & Confidential Report Page 7

8 Companies are more likely to have systems to measure and monitor privilege users than application users. Forty-eight percent of respondents say systems are in place to measure and monitor privilege users and 34 percent say they will be deployed in the next six months, according to Figure 7. In contrast, only 8 percent of respondents have such systems in place for application users and 36 percent plan to in the next six months. Twenty-one percent of respondents have no plan to deploy. Currently, 14 percent of respondents say systems to measure and monitor third parties are deployed and 22 percent will be deployed in the next six months. However, 40 percent of respondents say they have no plan to deploy. Figure 7. What systems are in place to monitor all users? 60% 50% 40% 48% 34% 36% 35% 40% 30% 20% 10% 10% 8% 8% 21% 14% 22% 23% 0% Systems to measure and monitor privilege users Systems to measure and monitor application users Systems to measure and monitor third parties Presently deployed Plan to deploy in more than 6 months Plan to deploy within the next 6 months No plan to deploy Ponemon Institute : Private & Confidential Report Page 8

9 Monitoring is mainly done by manual or homegrown systems and focus on privileged users. Figure 8 reveals that most monitoring is ad hoc or manual (36 percent) followed by a homegrown system that mainly focuses on privileged users (20 percent). Only 25 percent use a commercial system that focuses on privileged users (12 percent) or focuses on privileged and application users (13 percent). It is far more difficult to manually track the activities of thousands, or tens of thousands of business users, as opposed to a few dozen administrators. To be effective a comprehensive, automated monitoring system would help detect abusive or negligent behavior. Figure 8. How does your organization monitor users? Ad hoc or manual system 36% Homegrown system that mainly focuses on privileged users Homegrown system that focuses on both privileged and application users 17% 20% Commercial system that focuses on both privileged and application users Commercial system that mainly focuses on privileged users 13% 12% Other 2% 0% 5% 10% 15% 20% 25% 30% 35% 40% Ponemon Institute : Private & Confidential Report Page 9

10 Monitoring capabilities to detect unusual behavior receive low marks. As shown in Figure 9, 45 percent of respondents say the capability to detect flag unusual employee/user behavior as very low (1 to 2 on a scale of 1 =low to 5 = high). As discussed above, only 13 percent of respondents have a commercial system that focuses not only on privileged but application users as well. Figure 9. How would you rate the ability of your organization s user monitoring capabilities and ability to pinpoint unusual or atypical employee/user behavior? On a scale of 1 = low capability to 5 = high capability, with an average rating of % 30% 30% 29% 25% 20% 15% 15% 19% 10% 6% 5% 0% 1 Low High Ponemon Institute : Private & Confidential Report Page 10

11 Audits reveal a deficiency or failure in organizations controls over application users. In the past 24 months, 42 percent of respondents say their organization conducted a compliance audit or formal assessment of its ability to identify and contain application user threats. Seventy-one percent of respondents say the audit findings revealed a deficiency in controls over application users. As shown in Figure 10, the reasons for the audit failure include such vulnerabilities in applications users practices as insufficient governance, monitoring and control processes (33 percent) and insufficient employee/user training and awareness (26 percent). As a result, most respondents (67 percent) say the auditors are putting pressure on their organization to monitor application usage. Figure 10. What are the main reasons for an audit failure? Insufficient governance, monitoring and control processes 33% Insufficient employee/user training and awareness 26% Lack of in-house security personnel 17% Insufficient resources 12% Lack of enabling security technologies 12% 0% 5% 10% 15% 20% 25% 30% 35% Ponemon Institute : Private & Confidential Report Page 11

12 On-premise vs. the cloud environment and application user risk Remote or home offices and when offices are closed are the most difficult scenarios to monitor application users activities. Twenty-eight percent of respondents, remote or home offices or when business is closed present the greatest monitoring challenges, according to Figure 11. Figure 11. Where is it most difficult to monitor user abuse? Workplace, during off hours 28% Remote or home office 28% Workplace, during normal hours 20% During travel 18% Other 5% 0% 5% 10% 15% 20% 25% 30% Another concern is the ability of users to access mission critical applications in the on-premise IT environment, as shown in Figure 12. The most accessible are: workforce productivity and management applications (66 percent), financial and accounting systems (50 percent) and enterprise resource planning applications (32 percent). Figure 12. Seven mission critical on-premise apps that cause security risks Percentage yes response given ecommerce & Internet apps 74% Workforce productivity & management apps 66% Financial & accounting systems 50% Enterprise resource planning apps Call center apps 32% 30% Customer relationship management Human resource management apps 18% 17% 0% 10% 20% 30% 40% 50% 60% 70% 80% Ponemon Institute : Private & Confidential Report Page 12

13 In the cloud environment, respondents are concerned that application users have access to workforce productivity and management applications (68 percent) and financial and accounting systems (48 percent), according to Figure 13. Figure 13. Seven mission critical apps in the cloud that cause security risks Percentage yes response given ecommerce & Internet apps Workforce productivity & management apps 68% 75% Financial & accounting systems 48% Call center apps Enterprise resource planning apps 28% 32% Customer relationship management Human resource management apps 18% 16% 0% 10% 20% 30% 40% 50% 60% 70% 80% Where are companies most effective in identifying and containing application-based threats for mission critical applications? According to Figure 14, respondents have the most confidence in detecting and containing threats in financial and accounting systems applications (72 percent), enterprise resource planning applications (69 percent) and human resource management applications (56 percent). The apps that end users have greatest access to are those that respondents have the least confidence in identifying and containing threats. Figure 14. Can your organization identify and contain threats in the following mission critical applications? Financial & accounting systems Enterprise resource planning apps 72% 69% Human resource management apps Customer relationship management Call center apps 45% 50% 56% ecommerce & Internet apps 38% Workforce productivity & management apps 30% 0% 10% 20% 30% 40% 50% 60% 70% 80% Ponemon Institute : Private & Confidential Report Page 13

14 Can companies identify and contain risky behavior through existing infrastructure monitoring? Organizations are most confident about identifying security risks in the following practices: viewing, copying, pasting or printing data from business critical applications (74 percent), visiting websites prohibited by company policy (68 percent), negligence with thumb drives and ing sensitive and confidential information (Figure 15). Figure 15. What risky behavior can your company identify and contain through monitoring? Viewing, copying, pasting or printing data from business critical applications Visiting websites prohibited by company policy Negligence with thumb drives ing sensitive and confidential information Visiting WiFi hotspots 74% 68% 63% 59% 56% Shadow IT: cloud storage/backing-up, screen capture, transferring files Remote access (leapfrogging) Copying files to public cloud Social engineering Using uncommon applications 49% 45% 42% 41% 36% 0% 10% 20% 30% 40% 50% 60% 70% 80% Ponemon Institute : Private & Confidential Report Page 14

15 Risky user behavior in the cloud is difficult to detect. As shown in Figure 16, in the cloud (SaaS) environment, companies are not confident they can identify the following risky behaviors: shadow IT: cloud storage/back-u, screen capture, transferring files (18 percent); viewing, copying, pasting or printing data from business critical applications (17 percent); negligence thumb drives (17 percent); remote access (leapfrogging) (17 percent); and using uncommon applications (17 percent). Figure 16. What risky behavior can your company identify and contain in the cloud? Shadow IT: cloud storage/backing-up, screen capture, transferring files Viewing, copying, pasting or printing data from business critical applications Remote access (leapfrogging) Using uncommon applications Negligence with thumb drives ing sensitive and confidential information Visiting websites prohibited by company policy Visiting WiFi hotspots Social engineering Copying files to public cloud 18% 17% 17% 17% 17% 16% 16% 15% 15% 15% 0% 2% 4% 6% 8% 10% 12% 14% 16% 18% 20% Despite a lack of confidence in detecting risky behavior, more mission critical applications will be moved to the cloud. On average, 36 percent of their organization s mission critical applications are in the cloud today and 46 percent of their organization s mission critical applications will be located in the cloud in the next 12 months, as shown in Figure 17. Figure 17. Mission critical applications in the cloud today and in 12 months 35% 30% 27% 28% 27% 26% 30% 25% 20% 15% 10% 16% 10% 18% 15% 5% 3% 0% Less than 10% 10% to 25% 26% to 50% 51% to 75% 76% to 100% Mission critical applications located in the cloud (SaaS) Mission critical applications located in the cloud (SaaS) 12 months from now Ponemon Institute : Private & Confidential Report Page 15

16 Part 3. Methods The sampling frame is composed of 18,520 IT and IT security practitioners located in the United States. As shown in Table 1, 664 respondents completed the survey. Screening removed 54 surveys. The final sample was 610 surveys (or a 3.3 percent response rate). Table 1. Sample response Freq Total sampling frame 18, % Total returns % Rejected or screened surveys % Final sample % Pie Chart 1 reports the current position or organizational level of the respondents. Half of respondents reported their current position as supervisory or above. Pie Chart 1. Current position or organizational level 3% 1% 2% 2% 7% 11% 17% 39% 18% Senior Executive Vice President Director Manager Supervisor Technician/analyst Staff Contractor Other Pie Chart 2 identifies the primary person the respondent or their supervisor reports to. Twenty-six percent of respondents report to the chief information officer and 20 percent report to the chief information security officer. Pie Chart 2. The primary person you or your supervisor reports to 6% 7% 7% 9% 5% 3% 3% 26% Chief Information Officer Chief Information Security Officer Chief Technology Officer Chief Risk Officer General Counsel Compliance Officer Chief Security Officer Chief Financial Officer CEO/Executive Committee 20% Other 13% Ponemon Institute : Private & Confidential Report Page 16

17 Pie Chart 3 reports the primary industry sector of respondents organizations. This chart identifies financial services (22 percent) as the largest segment, followed by health & pharmaceuticals (11 percent) and public sector (11 percent). Pie Chart 3. Primary industry sector 5% 3% 5% 22% 5% 6% 6% 6% 9% 11% 10% 11% Financial services Health & pharmaceuticals Public sector Services Retail Technology & software Energy & utilities Industrial Hospitality Consumer products Entertainment & media Other According to Pie Chart 4, the majority of respondents (73 percent) are from organizations with a global headcount of 1,000 or more employees. Pie Chart 4. Worldwide headcount of the organization 8% 13% 15% 17% 14% Less than to 1,000 1,001 to 5,000 5,001 to 10,000 10,001 to 50,000 50, % Ponemon Institute : Private & Confidential Report Page 17

18 Part 4. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners located in the United States. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a specified time period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses. Ponemon Institute : Private & Confidential Report Page 18

19 Appendix: Detailed Survey Results The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in March Survey response Sampling frame 100% Total returns 3.6% Rejected or screened surveys 0.3% Final sample 3.3% S1. How familiar are you with your organization s approach to monitoring application users? Very familiar 27% Familiar 48% Somewhat familiar 24% No knowledge (Stop) 0% S2. Do you have any responsibility for detecting and/or investigating instances of suspicious user activities within your organization? Yes, full responsibility 27% Yes, some responsibility 52% Yes, minimum responsibility 22% No responsibility (Stop) 0% S3. What best describes your role in your organization? Please check only one choice. IT operations 19% IT security operations 19% Data center management 14% Incident response team 10% Systems administration 8% Forensics 7% Application development 7% Database administration 4% IT compliance 3% IT audit 2% Cloud administrator 2% Network engineering 2% Identity & access management 1% Other (please specify) 1% None of the above (Stop) 0% Part 1. Attributions The following statements relate to application user-based risks. Please rate each statement using the scale provided below each item. Q1. Application users represent an increasing security risk for my organization. Strongly agree 18% Agree 33% Unsure 28% Disagree 19% Strongly disagree 2% Ponemon Institute : Private & Confidential Report Page 19

20 Q2. It is difficult to separate application user abuse from external attacker activity. Strongly agree 17% Agree 37% Unsure 28% Disagree 15% Strongly disagree 3% Q3. It is difficult to identify application user activities that are illegal or inappropriate in real time. Strongly agree 19% Agree 35% Unsure 26% Disagree 15% Strongly disagree 4% Q4. Our security operations team recognizes that application users present a greater risk to the organization than privileged users. Strongly agree 17% Agree 33% Unsure 30% Disagree 17% Strongly disagree 2% Q5. Our C-level executives recognize that application users present a greater risk to the organization than privileged users. Strongly agree 5% Agree 12% Unsure 61% Disagree 18% Strongly disagree 3% Q6. Attackers are increasing the use of phishing tactics to obtain application users access credentials. Strongly agree 19% Agree 32% Unsure 28% Disagree 17% Strongly disagree 4% Q7. Log collection and analysis is not effective in identifying application users who misuse sensitive or confidential information. Strongly agree 16% Agree 36% Unsure 30% Disagree 16% Strongly disagree 3% Ponemon Institute : Private & Confidential Report Page 20

21 Q8. Our organization is unable to capture the actions taken by application user from login to logout. Strongly agree 17% Agree 35% Unsure 28% Disagree 17% Strongly disagree 4% Q9. Application usage (frontend) is not as monitored or secured as backend data storage infrastructures. Strongly agree 17% Agree 33% Unsure 29% Disagree 17% Strongly disagree 3% Part 2. Risky user behavior Q10. How many separate security breaches did your organization experience over the past 12 months? None (skip to Q14) 11% 1 to 2 15% 3 to 5 18% 6 to 10 17% 11 to 15 18% 16 to 25 19% More than 25 3% Extrapolated value 9.32 Q11. How many of the above-mentioned security breaches were caused by privileged users, application users and/or third parties because of negligence, malice or stolen credentials by outside attacker (e.g., from phishing, social engineering or malware infection)? Q11a. User-based threats caused by negligence Privileged users 18% Application users 71% Third parties 11% Q11b. User-based threats caused by malice Privileged users 52% Application users 38% Third parties 10% Q11c. User-based threats targeted by attackers Privileged users 34% Application users 42% Third parties 24% Ponemon Institute : Private & Confidential Report Page 21

22 Q12a. Do you have systems to measure and monitor privilege users? Presently deployed 48% Plan to deploy within the next 6 months 34% Plan to deploy in more than 6 months 10% No plan to deploy 8% Q12b. Do you have systems to measure and monitor application users? Presently deployed 8% Plan to deploy within the next 6 months 36% Plan to deploy in more than 6 months 35% No plan to deploy 21% Q12c. Do you have systems to measure and monitor third parties? Presently deployed 14% Plan to deploy within the next 6 months 22% Plan to deploy in more than 6 months 23% No plan to deploy 40% Q13. How were the security breaches discovered? Please select all that apply. Accidental discovery 55% Audit or assessment 66% Notification by partner or other third party 50% Detection through manual monitoring 39% Use of forensic methods and tools 26% Detection through automated monitoring 33% Notification by law enforcement 15% Other 10% Total Q14. What user-based threat concerns your organization the most? User making mistakes (i.e., negligence) 44% User turning malicious 31% User being targeted by attackers 25% Q15a. In the past 24 months, did your organization conduct a compliance audit or formal assessment of its ability to identify and contain application user threats? Yes 42% No 58% Q15b. If yes, did audit findings reveal a deficiency (failure) in your organization s controls over application users? Yes 71% No 29% Q15c. If yes, are auditors putting pressure on your organization to monitor application usage? Yes 67% No 33% Ponemon Institute : Private & Confidential Report Page 22

23 Q15d. If yes, what was the main reason for the audit failure? Insufficient governance, monitoring and control processes 33% Insufficient employee/user training and awareness 26% Lack of in-house security personnel 17% Lack of enabling security technologies 12% Insufficient resources 12% Other 0% Q16. Which business function poses the greatest user-based threats within your organization? Please select only 1. Customer support 18% Executive management 17% Sales force operations 14% Marketing & communications 11% Corporate IT 9% Finance & accounting 8% Legal & compliance 7% Logistics & procurement 6% Data center operations 5% Research & development 4% Other 1% Q17. From a security risk perspective, what employee status are you most concerned about? Newly hired employees 34% Employees who are rated as poor performers 23% Employees who work from remote locations 17% Employees who gave two weeks notice of termination 12% Employees who work irregular shifts 10% Employees who are pending a layoff 4% Q18. What best describes your organization s current user monitoring capabilities? Ad hoc or manual system 36% Homegrown system that mainly focuses on privileged users 20% Homegrown system that focuses on both privileged and application users 17% Commercial system that mainly focuses on privileged users 12% Commercial system that focuses on both privileged and application users 13% Other 2% Q19. Using the following 5-point scale, please rate your organization s user monitoring capabilities and ability to pinpoint unusual or atypical employee/user behavior? 1 low 15% 2 30% 3 29% 4 19% 5 high 6% Extrapolated value 2.70 Ponemon Institute : Private & Confidential Report Page 23

24 Q20. Where is it most difficult to monitor application users activities? Remote or home office 28% Workplace, during off hours 28% Workplace, during normal hours 20% During travel 18% Other 5% Q21. Following are employee behaviors that may give rise to security risks within your organization. Is your organization s existing infrastructure monitoring able to identify and mostly contain each risky behavior in the on-premise IT environment? Percentage Yes response given. Viewing, copying, pasting or printing data from business critical applications 74% Visiting websites prohibited by company policy 68% Negligence with thumb drives 63% ing sensitive and confidential information 59% Visiting WiFi hotspots 56% Shadow IT: cloud storage/backing-up, screen capture, transferring files 49% Remote access (leapfrogging) 45% Social engineering 41% Copying files to public cloud 42% Using uncommon applications 36% Q22. Following are employee behaviors that may give rise to security risks within your organization. Is your organization s existing infrastructure monitoring able to identify and mostly contain each risky behavior in the cloud (SaaS) environment? Percentage Yes response given. Viewing, copying, pasting or printing data from business critical applications 17% Visiting websites prohibited by company policy 16% Negligence with thumb drives 17% ing sensitive and confidential information 16% Visiting WiFi hotspots 15% Shadow IT: cloud storage/backing-up, screen capture, transferring files 18% Remote access (leapfrogging) 17% Social engineering 15% Copying files to public cloud 15% Using uncommon applications 17% Q23. Following are 7 mission critical applications located on-premise that may give rise to security risks within your organization because of application-based threats. Please select whether most ordinary users in your organization are able to access each mission critical application in the on-premise IT environment. Percentage Yes response given. Financial & accounting systems 50% Workforce productivity & management apps 66% Call center apps 30% Customer relationship management 18% Enterprise resource planning apps 32% Human resource management apps 17% ecommerce & Internet apps 74% Ponemon Institute : Private & Confidential Report Page 24

25 Q24. Following are 7 mission critical applications located in the cloud that may give rise to security risks within your organization because of application-based threats. Please select whether most ordinary users in your organization are able to access each mission critical application in the cloud environment. Percentage Yes response given. Financial & accounting systems 48% Workforce productivity & management apps 68% Call center apps 32% Customer relationship management 18% Enterprise resource planning apps 28% Human resource management apps 16% ecommerce & Internet apps 75% Q25. What applications listed below does your organization plan to move from onpremises to the cloud? Financial & accounting systems 49% Workforce productivity & management apps 64% Call center apps 36% Customer relationship management 65% Enterprise resource planning apps 18% Human resource management apps 47% ecommerce & Internet apps 68% Q26. What applications listed below does your organization plan to move from the cloud to on-premise? Financial & accounting systems 18% Workforce productivity & management apps 16% Call center apps 15% Customer relationship management 16% Enterprise resource planning apps 18% Human resource management apps 18% ecommerce & Internet apps 17% Q27a. Today, what percent of your organization s mission critical applications are located in the cloud (SaaS)? Less than 10% 16% 10% to 25% 27% 26% to 50% 28% 51% to 75% 26% 76% to 100% 3% Extrapolated value 36% Q27b. Looking ahead 12 months from now, what percent of your organization s mission critical applications will be located in the cloud (SaaS)? Less than 10% 10% 10% to 25% 18% 26% to 50% 27% 51% to 75% 30% 76% to 100% 15% Extrapolated value 46% Ponemon Institute : Private & Confidential Report Page 25

26 Q28. Is your organization s existing infrastructure monitoring effective at identifying and containing application-based threats for each mission critical application listed below? Percentage Yes response given. Financial & accounting systems 72% Workforce productivity & management apps 30% Call center apps 45% Customer relationship management 50% Enterprise resource planning apps 69% Human resource management apps 56% ecommerce & Internet apps 38% Part 4. Respondents characteristics D1. What organizational level best describes your current position? Senior Executive 2% Vice President 2% Director 11% Manager 17% Supervisor 18% Technician/analyst 39% Staff 7% Contractor 3% Other 1% D2. Check the primary person or office you or your leader reports to within the organization. Chief Information Officer 26% Chief Information Security Officer 20% Chief Technology Officer 13% Chief Risk Officer 9% General Counsel 7% Compliance Officer 7% Chief Security Officer 6% Chief Financial Officer 5% CEO/Executive Committee 3% Human Resources VP 2% Other 1% Ponemon Institute : Private & Confidential Report Page 26

27 D3. What best describes the respondent company s industry sector? Financial services 22% Health & pharmaceuticals 11% Public sector 11% Retail 9% Services 10% Industrial 6% Technology & software 6% Consumer products 5% Energy & utilities 6% Hospitality 5% Entertainment & media 3% Education & research 1% Communications 1% Transportation 1% Agriculture & food services 1% Defense & aerospace 1% Other 0% D4. What is the worldwide headcount of your organization? Less than % 500 to 1,000 14% 1,001 to 5,000 33% 5,001 to 10,000 17% 10,001 to 50,000 15% 50,000+ 8% Extrapolated value 11,198 Please contact research@ponemon.org or call us at if you have any questions. Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. Ponemon Institute : Private & Confidential Report Page 27