Privileged User Abuse & The Insider Threat

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Privileged User Abuse & The Insider Threat"

Transcription

1 Privileged User Abuse & The Insider Threat Commissioned by Raytheon Company Independently conducted by Ponemon Institute LLC Publication Date: May 2014

2 1 Privileged User Abuse & The Insider Threat Ponemon Institute, May 2014 Part 1. Introduction Ponemon Institute is pleased to present the findings of Privileged User Abuse & The Insider Threat, commissioned by Raytheon Company. Ponemon Institute first studied this issue in Since then well-publicized disclosures of highly sensitive information by wiki leaks and former NSA employee Edward Snowden have heightened both awareness and concern about the insider threat caused by privileged users. In fact, 88 percent of participants in this research believe the risk of privileged user abuse will increase or stay the same in the next 12 to 24 months. This finding is virtually unchanged since 2011 when we conducted the first study on the insecurity of privileged users. For purposes of this research, privileged users include database administrators, network engineers, IT security practitioners and cloud custodians. According to the findings of this study, these individuals often use their rights inappropriately and put their organizations sensitive information at risk. For example, the majority of respondents say privileged users feel empowered to access all the information they can view and although not necessary will look at an organization s most confidential information out of curiosity. To ensure that the 693 respondents we surveyed have an in-depth knowledge of how their organizations are managing privileged users, we asked them to indicate their level of access to their organizations IT networks, enterprise systems, applications and information assets. If they had only limited end user access rights to IT resources, they were not included in the final sample of respondents. According to 75 percent of respondents, privileged access rights are required to complete their current job assignment. Of the 25 percent who say they do not need privilege access to do their job but have it anyway cited two primary reasons. First, everyone at their level has privileged access rights for no apparent reason (38 percent of respondents). Second, the organization failed to revoke these rights when they changed their role and no longer needed access privileges (36 percent of respondents). Key takeaways from this research: Despite the risks posed by insiders, 49 percent of respondents do not have policies for assigning privileged user access. However, slightly more organizations do use well-defined policies that are centrally controlled by corporate IT (35 percent in 2014 vs. 31 percent in 2011). There was a slight decrease in an ad-hoc approach to assigning privileged user access. While the establishment of privileged user access policies is lacking, processes are improving. The findings show a significant increase in the use of commercial off-the-shelf automated solutions from 35 percent of respondents in 2011 to 57 percent in 2014 in granting user access privilege. The use of manual processes such as by phone or also increased from 22 percent of respondents in 2011 to 40 percent of respondents in Business unit managers are gaining influence in granting privileged user access and conducting privileged user role certification. Fifty-one percent of respondents say it is the business unit manager who most often handles granting access. This is an increase from 43 percent in Is it really an insider threat? Companies often have difficulty in actually knowing if an action taken by an insider is truly a threat. The biggest challenges are having enough contextual information provided by security tools (69 percent of respondents) and security tools yield too many false positives (56 percent of respondents). 1

3 2 Part 2. Key Findings Following is an analysis of the key findings. To understand trends in organizations ability to manage privileged user access, we have included questions from the research conducted in Whenever possible we compare the findings from the 2011 study to this year s research. We have organized the findings according to the following topics: Current practices in assigning privilege user access The detection of insider privilege abuse Solutions for mitigating the risk Budgets and investment in reducing the risk of insider threats Current practices in assigning privilege user access Policies for assigning privilege user access to IT resources are often ad hoc. Despite concerns about insider threats caused by privileged users, almost half (49 percent) describe their organization s policies to assigning privileged user access as ad hoc, as shown in Figure 1. However, there is a slight increase from 2011 in the use of well-defined policies that are centrally controlled by corporate IT (35 percent in 2014 vs. 31 percent in 2011). Figure 1. The process for assigning privileged user access to IT resources An ad hoc process 49% 51% Determined by well-defined policies that are centrally controlled by corporate IT 31% 35% Determined by well-defined policies that are controlled by business or application owners 15% 16% Unsure 1% 2% 0% 10% 20% 30% 40% 50% 60% 2

4 3 While the establishment of policies lags, processes for privileged user access are improving. There is a significant increase in the use of commercial off-the-shelf automated solutions from 35 percent of respondents in 2011 to 57 percent in 2014, according to Figure 2. The use of manual processes such as by phone or also increased from 22 percent of respondents in 2011 to 40 percent of respondents in The third most widely used process is the IT help desk, which increased from 20 percent to 36 percent. Figure 2. Processes used for granting privileged user access to IT resources Two choices permitted Commercial off-the-shelf automated solutions Manual process IT Help Desk Homegrown access request systems Unsure Other 0% 1% 5% 6% 22% 20% 17% 16% 35% 36% 40% 57% 0% 10% 20% 30% 40% 50% 60% More organizations are using manual processes such as and spreadsheets to review and certify privileged user access. As revealed in Figure 3, this has increased from 23 percent to 46 percent and use of commercial off-the-shelf access certification system increased from 31 percent to 44 percent. Figure 3. Processes used to review and certify privileged user access Two choices permitted Manual process Commercial off-the-shelf access certification system Homegrown access certification system Unsure IT Help Desk Other 3% 10% 8% 7% 9% 17% 18% 16% 23% 31% 46% 44% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 3

5 4 Business unit managers are gaining influence in granting privileged user access and conducting privileged user role certification. As shown in Figure 4, 51 percent of respondents say it is the business unit manager who most often handles granting access. This is an increase from 43 percent in Thirty-five percent of respondents say application owners are responsible and this is a decrease from 38 percent in Only 10 percent say it is the information security department that is responsible for granting access rights. Figure 4. Most responsible for granting privileged-user access to information resources Two choices permitted Business unit managers Information technology operations Application owners Human resource department Compliance department Information security department Unsure 10% 11% 7% 6% 21% 25% 17% 16% 43% 40% 40% 35% 38% 51% 0% 10% 20% 30% 40% 50% 60% Figure 5 reveals that 36 percent of respondents say business unit managers are most responsible for conducting privileged user role certification and this is an increase from 32 percent in Twenty-four percent of respondents say their IT security department handles role certification. Figure 5. Most responsible for conducting privileged user role certification Business units IT security Compliance Data center management Audit Quality assurance Other 9% 7% 5% 5% 4% 2% 3% 11% 15% 24% 23% 24% 32% 36% 0% 5% 10% 15% 20% 25% 30% 35% 40% 4

6 5 Critical success factors for governing, managing and controlling privileged user access across the enterprise is consistent from the previous study. Budget continues to be critical as well as identity and access management technologies, SIEM and network intelligence technologies and senior level executive support, as shown in Figure 6. Not considered as critical is the existence of clearly defined privileged user access policies and procedures. This is consistent with the earlier finding that 49 percent of respondents say their policies are ad hoc and not clearly defined. Figure 6. Success factors for governing, managing and controlling privileged user access Very important and important response combined Ample budget Identity and access management technologies SIEM and network intelligence technologies 88% 90% 86% 87% 75% 78% Senior level executive support Privileged access rights assigned based on job function Monitor access inactivity to determine if access should be revoked Ability to automatically remediate privileged user access policy violations Background checks before granting privileged access rights Compliance controls consistently applied across the enterprise Accountability for governing user access owned by the business Clearly defined privileged user access policies and procedures Audits by an independent third-party 65% 66% 63% 61% 61% 63% 61% 56% 56% 48% 52% 45% 51% 53% 44% 45% 36% 27% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 5

7 6 Organizations struggle with delivering and enforcing privileged user access rights. The biggest problem is still keeping pace with the number of access change requests that come in on a regular basis (an increase from 53 percent to 62 percent). However, two problems have increased significantly. These are the burdensome process for dealing with business users requesting access (from 23 percent to 35 percent of respondents) and it takes too long to deliver access to privileged users (32 percent to 44 percent), as shown in Figure 7. Figure 7. Main problems faced in delivering and enforcing privileged user access rights Three choices permitted Cannot keep pace with the number of access change requests that come in Lack of a consistent approval process for access and a way to handle exceptions 53% 45% 52% 62% Takes too long to deliver access to privileged users 32% 44% Burdensome process for business users requesting access 23% 35% Too expensive to monitor and control all privileged users 30% 38% Difficult to audit and validate privileged user access changes Cannot apply access policy controls at point of change request Too much staff required to monitor and control all privileged users 29% 35% 22% 27% 16% 23% Delivery of access to privileged users is staggered No common language exists that will work for both IT and the business Other 5% 8% 4% 5% 0% 2% 0% 10% 20% 30% 40% 50% 60% 70% 6

8 7 The detection of insider privilege abuse Concern grows about insider threats. Figure 8 reveals that 89 percent of respondents (58 percent + 31 percent) either say wiki leaks and Edward Snowden have either caused a significant or some increase in the organization s level of concern about insider threats within their organization. A similar percentage (88 percent) believes the risk of privileged user abuse will increase or stay the same over the next 12 to 24 months. Figure 8. Have recent publicized incidents such as wiki leaks and Edward Snowden increased the level of concern about insider threats? Caused a significant increase in our level of concern 58% Caused some increase in our level of concern 31% No impact in our level of concern 8% Unable to determine 3% 0% 10% 20% 30% 40% 50% 60% 70% Is it really an insider threat? Companies often have difficulty in actually knowing if an action taken by an insider is truly a threat. According to Figure 9, the biggest challenges are having enough contextual information provided by security tools (69 percent of respondents) and security tools yield too many false positives (56 percent of respondents). Figure 9. Challenges in establishing whether an event is an insider threat More than one choice permitted Not enough contextual information provided by security tools 69% Security tools yield too many false positives 56% Security tools yield more data then can be reviewed in a timely fashion 45% Behavior involved in the incident is consistent with the individual s role and responsibilities 28% 0% 10% 20% 30% 40% 50% 60% 70% 80% 7

9 8 To determine if a malicious insider is involved in the incident, companies are most likely to monitor and review log files (63 percent of respondents), conduct manual oversight by supervisors and managers (51 percent of respondents) and deploy SIEM and other network intelligence tools (40 percent of respondents), as shown in Figure 10. More sophisticated tools such as endpoint monitoring and big data analytics are not as widely used according to 34 percent and 16 percent of respondents, respectively. Figure 10. What best describes your role in the organization s IT department? More than one choice permitted Monitor and review log files 63% Conduct manual oversight by supervisors and managers Deploy SIEM and/or other network intelligence tools 40% 51% Endpoint monitoring Deploy next generation security technologies 34% 33% Utilize big data analytics to identify suspicious insider activities 16% Other 2% 0% 10% 20% 30% 40% 50% 60% 70% Increasingly, malicious insiders target privileged users to obtain their access rights. In 2011, only 21 percent said it would be likely that malicious insiders would use social engineering or other measures to obtain someone s access rights. This has increased significantly to 47 percent of respondents. In addition, more respondents say it is likely that social engineers outside the organization target privileged users to obtain their access rights (45 percent in 2014 and 30 percent in 2011). Figure 11. How likely would it be for the following events to occur? Very likely and likely response combined Malicious insiders target privileged users to obtain their access rights 21% 47% Social engineers outside the organization target privileged users to obtain their access rights 30% 45% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 8

10 9 Risks created by the human factor in privilege user access abuse continue. The most common scenarios that create the insider threat have not changed since Figure 12 reveals that 73 percent say privileged users believe they are empowered to access all the information they can view, 65 percent say privileged users access sensitive or confidential data because of curiosity and 54 percent say the organization assigns privileged access rights that go beyond the individual s role or responsibility. Figure 12. Likelihood of scenario occurring Very likely and likely response combined Privileged users believe they are empowered to access all the information they can view 73% 71% Privileged users access sensitive or confidential data because of their curiosity 65% 68% Assigned privileged access rights go beyond the individual s role or responsibilities 54% 55% According to Figure 13, two other insider threats that increased are: allowing privileged users working from a home office to have administrative or root level access rights (an increase from 35 percent to 41 percent) and not properly vetting or checking backgrounds prior to receiving access rights. Figure 13. Likelihood of insider threats occurring Very likely and likely response combined 0% 10% 20% 30% 40% 50% 60% 70% 80% Privileged users working from a home office have administrative or root level access rights 35% 41% Privileged users are not properly vetted prior to receiving their access rights 34% 38% Privileged users become disgruntled and leak data or damage equipment 27% 28% Privileged users who leave continue to have access rights for a period of time after their discharge 15% 16% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 9

11 10 Respondents are less likely to believe that access rights follow privilege users when they leave the company (15 percent of respondents) and that disgruntled employees will leak data or damage equipment (Figure 13). What s most at risk? While respondents believe general business and customer information is most at risk in their organizations due to the lack of proper access controls over privileged users (56 percent and 49 percent), fears about abuse to corporate intellectual property increased dramatically from 12 percent of respondents to 33 percent of respondents, as shown in Figure 14. Figure 14. Types of data most at risk when there is a lack of proper access controls Two choices permitted General business information Customer information Employee information Corporate intellectual property Classified information* Consumer information Financial information 12% 19% 15% 13% 35% 35% 33% 29% 26% 56% 51% 49% 54% 0% 10% 20% 30% 40% 50% 60% * This choice was not available in FY

12 11 According to Figure 15, mobile applications are considered to be most at risk in their organizations due to the lack of proper access governance and control. This is followed by social media applications (which actually declined from 51 percent to 39 percent) and cloud-based applications at 38 percent, an increase from 35 percent in Figure 15. Type of applications considered most at risk due to the lack of proper access governance and control Three choices permitted Mobile applications Social media applications Cloud-based applications Peer-to-peer database* 41% 39% 38% 35% 34% 48% 51% Business unit specific applications Knowledge applications Human resource applications CRM applications Productivity applications Supply chain management applications Finance/ERP applications Revenue generating applications 5% 21% 20% 25% 17% 20% 16% 21% 13% 15% 10% 13% 12% 33% 34% 31% 0% 10% 20% 30% 40% 50% 60% * This choice was not available in FY

13 12 Solutions for mitigating the risk Companies rely on training programs. By far, most organizations conduct regular privileged user training programs as part of their efforts to protect the organization from privileged user abuse, as shown in Figure 16. However, most respondents rate the ability of their training programs to reduce the insider threat as only average. Fifty-seven percent say their organization performs background checks before issuance of privileged credentials and 51 percent say they rely on oversight by supervisors and managers. Figure 16. How do you protect your organization from privileged user abuse? More than one choice permitted Conduct regular privileged user training programs Perform thorough background checks before issuance of privileged credentials Conduct manual oversight by supervisors and managers Monitor and review provisioning systems 62% 57% 51% 50% Deploy IAM policy monitoring tools 36% Review and act upon threat intelligence 18% Other 3% 0% 10% 20% 30% 40% 50% 60% 70% The majority of respondents believe they are agile in responding to changes in the insider threat environment. Thirty-four percent of respondents rate their organizations as very high or high in being agile in responding to insider threats. It is interesting that culture is viewed as a serious barrier to being agile followed by dispersed workforce, as shown in Figure 17. Figure 17. The biggest barrier to achieving the necessary agility to respond to changes in the insider threat environment Culture 31% Dispersed workforce 27% Cost 16% Expertise 15% IT infrastructure 10% Other 1% 0% 5% 10% 15% 20% 25% 30% 35% 12

14 13 Authentication and identity management tools are still number one. Seventy-two percent use authentication and identity management tools to manage privileged user access abuse, as shown in Figure 18. Other tools mostly used are log and configuration management (an increase from 56 percent to 64 percent) and user provisioning systems (a decrease from 63 percent to 60 percent). Technologies that have increased significantly in use are privileged user management and SIEM. Figure 18. Twelve enabling security technologies that are currently in use More than one choice permitted Authentication and identity management Log and configuration management User provisioning systems Security information and event management Privileged user management Endpoint monitoring* Enterprise role lifecycle management Access request system Access policy automation for the cloud Access policy automation Access review and certification system Host-based auditing* 17% 72% 68% 64% 56% 60% 63% 54% 48% 50% 43% 49% 42% 43% 38% 38% 36% 32% 35% 32% 28% 31% 0% 10% 20% 30% 40% 50% 60% 70% 80% * This choice ws not available for FY

15 14 More companies are using technology-based identity and access controls. According to Figure 19, one-third of respondents say their organizations use identity and access control technologies to detect the sharing of system administration access rights or root level access rights by privileged users. This is an increase from 20 percent in A combination of technology and manually-based identity and access controls is also used by one-third of organizations represented in this research but actually declined from 36 percent in Only 9 percent say access to sensitive or confidential information is not really controlled. An indication that this is getting better is that in the last study 13 percent said this was the case. Also, only 7 percent say they are unable to detect sharing of access rights. Figure 19. How does your organization detect the sharing of system administration access rights by privileged users? A combination of technology and manually-based identity and access controls Technology-based identity and access controls 20% 33% 36% 33% Manually-based identity and access controls Access to sensitive or confidential information is not really controlled We are unable to detect sharing of access rights Unsure 7% 6% 6% 9% 12% 13% 13% 12% 0% 5% 10% 15% 20% 25% 30% 35% 40% 14

16 15 In some areas, companies are getting better at enforcing privilege user access policies. The findings indicate that respondents are more positive about the ability to conduct certain activities. Figure 20 reveals these as: providing evidence of compliance with regulations and industry mandates and enforcing segregation of duties requirements. Fewer respondents believe they are excellent or good at understanding privileged user entitlements that violate policy and enforcing access policies in a consistent fashion across all information resources. Figure 20. How well does your organization ensure privileged user access policies are strictly enforced? Excellent and good response combined Providing evidence of compliance with regulations and industry mandates 70% 67% Enforcing segregation of duties requirements 55% 51% Assigning access based on job function or responsibilities Vetting privileged users through background security checks before granting access rights Changing privileged access rights when an employee s job changes or they are terminated Monitoring privileged users access when entering administrative root level access areas Understanding privileged user entitlements that are out of scope for a particular role Understanding privileged user entitlements that violate policy Enforcing access policies in a consistent fashion across all information resources 42% 40% 41% 39% 41% 45% 37% 34% 36% 35% 30% 28% 26% 23% 0% 10% 20% 30% 40% 50% 60% 70% 80% 15

17 16 Lack of visibility hinders the ability to determine if users are complying with policies. Figure 21 reveals that 42 percent of respondents are not confident that they have the enterprisewide visibility for privileged user access and can determine if users are compliant with policies. Only 16 percent are very confident that they have this visibility. Figure 21. How confident are you that your organization has enterprise-wide visibility and can determine if these users are compliant with policies? 50% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 16% 18% 15% 15% 22% 23% Very confident Confident Somewhat confident 42% 45% Not confident 2% 2% Unsure Reasons for not being confident is the inability to create a unified view of privileged user access across the enterprise and this has increased from 44 percent to 51 percent of respondents in 2014, as shown in Figure 22. Another problem is keeping up with changes occurring in their organization s IT resources (on-boarding, off-boarding and outsourcing for management), according to 30 percent of respondents. Figure 22. Main reasons for not being confident Can t create a unified view of privileged user access across the enterprise 44% 51% Can t keep up with the changes occurring to IT resources 30% 29% Can t apply controls that need to span across information resources Privileged user account information is visible but not entitlement information 10% 15% 9% 12% 0% 10% 20% 30% 40% 50% 60% 16

18 17 Budgets and investment in reducing the risk of insider threats How are companies allocating resources to reduce insider threat? Figure 23 reveals that 40 percent of respondents say they have a budget specifically allocated for investment in enabling technologies to reduce the insider threat but a similar percentage (43 percent) say their organizations do not have one. Fifty-one percent of respondents say they allocate between 5 and 8 percent of their organizations overall IT budget to insider threat technology. Figure 23. Is the budget allocated for investment in technologies to reduce the insider threat? 50% 45% 40% 35% 30% 25% 40% 43% 20% 17% 15% 10% 5% 0% It is part of the overall IT budget It is not part of the IT budget No Technologies and personnel receive the most resources to stop insider threats. When asked to allocate their organization s efforts to reduce the insider threat, 43 percent say it is dedicated to technologies and 38 percent to personnel, according to Figure 24. While organizations rely on training programs (as discussed above), only 11 percent are allocated to training. Figure 24. How does your organization allocate resources to mitigate insider threats? 50% 45% 40% 35% 30% 25% 20% 43% 38% 15% 10% 11% 7% 5% 0% Technologies Personnel Training Governance Other 1% 17

19 18 New tools to reduce the risk are considered important. When it comes to technology, 41 percent say they are more likely to buy new tools specifically for mitigating insider threats or more likely to make existing tools work (33 percent), as shown in Figure 25. Figure 25. Investing in insider threat mitigation technologies versus making existing tools work More likely to buy new tools built specifically for mitigating insider threats 41% More likely to make existing tools work 33% Equally likely to buy new tools or make existing tools work 21% Cannot determine 5% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 18

20 19 Part 3. Methods A random sampling frame of 18,821 privileged users, including database administrators, network engineers, IT security practitioners and cloud custodians located in the United States were selected as participants to this survey. As shown in Table 1, 779 respondents completed the survey. Screening and failed reliability checks removed 86 surveys. The final sample was 693 surveys (or a 3.7 percent response rate). Table 1. Sample response Freq. Pct% Total sampling frame 18, % Total returns % Rejected and screened surveys % Final sample % Pie Chart 1 reports the respondent s organizational level within participating organizations. By design, 58 percent of respondents are at or above the supervisory levels. Pie Chart 1. What organizational level best describes your current position? 4% 5% 3% 16% Senior Executive/VP Director Manager 33% Supervisor 23% Technician Staff Contractor 16% 19

21 20 Pie Chart 2 reports the respondent s direct reporting channel. Fifty-six percent of respondents report to the CIO and 16 percent report to the CISO. Pie Chart 2. What best describes your direct reporting channel? 7% 2% 1% 9% Chief Information Officer Chief Information Security Officer 9% Chief Technology Officer 56% Chief Risk Officer Compliance Officer 16% Chief Financial Officer Chief Security Officer As shown in pie chart 3, 66 percent of respondents are from organizations with a worldwide headcount of 1,000 or more employees. Pie chart 3. Worldwide headcount of the organization 9% 7% 15% < to 1,000 19% 19% 1,001 to 5,000 5,001 to 25,000 25,001 to 75,000 > 75,000 31% 20

22 21 Pie Chart 4 reports the industry segments of respondents organizations. This chart identifies financial services (18 percent) as the largest segment, followed by state or local government (12 percent) and federal government (11 percent). Pie Chart 4. Industry distribution of respondents organizations 4% 3% 3% 2% 2% 3% 3% 18% Financial services State or local government Federal government Health & pharmaceutical 5% 6% 12% Services Consumer Retail Technology & software Industrial 6% 11% Energy & utilities Communications 6% 8% 8% Entertainment & media Hospitality Defense & aerospace Transportation Other Part 4. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are privileged users, database administrators, network engineers, IT security practitioners or cloud custodians. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response. 21

23 22 Appendix: Detailed Survey Results The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in April Sample response Sampling frame 18,821 16,579 Total returns Rejected & screened surveys Final sample Response rate 3.7% 3.4% Part 1. Background Q1. What best describes your level of access to your organization s IT networks, enterprise systems, applications and information assets? Please select only one choice. Limited (ordinary) end user access rights to IT resources (Stop) 0% 6% Expanded access rights to IT resources, but not overly broad 13% 12% Broad access rights to IT resources 53% 43% Root level access rights to IT resources 34% 33% None of the above (Stop) 0% 6% Total 100% 100% Q2. Have recent well-publicized incidents such as wiki leaks and Edward Snowden increased the level of concern about insider threats within your organization FY 2014 Yes, caused a significant increase in our level of concern 58% Yes, caused some increase in our level of concern 31% No impact in our level of concern 8% Unable to determine 3% Total 100% *Data not available in FY2011 Q3a. Is privileged access required in order for you to complete your current job assignments or functions within the organization? Yes 75% 78% No 25% 22% Total 100% 100% Q3b. If you said no, what is the primary reason you still have privileged access rights? Please select only one choice. I needed privileged access in a previous position and it was not revoked after my role changed 36% 35% Everyone at my level has privileged access even if it is not required to perform a job assignment 38% 41% The organization assigned privileged access rights for no apparent reason 17% 15% I don t know 9% 9% Total 100% 100% Q4. Do you believe this risk will increase, decrease or stay the same over the next 12 to 24 months? Increase 45% 44% Stay the same 43% 42% Decrease 12% 14% Total 100% 100% 22

24 23 Q5. What best describes your role in the organization s IT department or related functions? Please check all that apply. Database administrator 32% 33% Systems administrator 36% 35% Network engineer 24% 21% IT security practitioner 31% 26% IT audit practitioner 11% 12% Data center manager 44% 41% Application developer 19% 15% Cloud custodian 24% 18% Other (please specify) 1% 2% Total 222% 203% Q6. How do you determine if an action taken by an insider is truly a threat? Select all that apply. FY 2014 Monitor and review log files 63% Conduct manual oversight by supervisors and managers 51% Deploy SIEM and/or other network intelligence tools 40% Utilize big data analytics to identify suspicious insider activities 16% Deploy next generation security technologies 33% Endpoint monitoring 34% Other (please specify) 2% Total 239% *Data not available in FY2011 Q7. How do you protect your organization from privileged user abuse? Select all that apply. FY 2014 Perform thorough background checks before issuance of privileged credentials 57% Conduct manual oversight by supervisors and managers 51% Monitor and review provisioning systems 50% Review and act upon threat intelligence 18% Deploy IAM policy monitoring tools 36% Conduct regular privileged user training programs 62% Other (please specify) 3% Total 277% *Data not available in FY2011 Q8. What are the biggest challenges your organization faces in establishing whether an event or incident is an insider threat? Select all that apply. FY 2014 Not enough contextual information provided by security tools 69% Security tools yield too many false positives 56% Behavior involved in the incident is consistent with the individual s role and responsibilities 28% Security tools yield more data then can be reviewed in a timely fashion 45% Total 198% *Data not available in FY

25 24 Q9. Please rate your organization s level of agility in responding to changes in the insider threat environment? FY 2014 Very high 14% High 20% Moderate 35% Low 22% Very low 9% Total 100% *Data not available in FY2011 Q10. What is the biggest barrier to achieving the necessary agility to respond to changes in the insider threat environment? Select only one. FY 2014 Cost 16% Expertise 15% Culture 31% IT infrastructure 10% Dispersed workforce 27% Other (please specify) 1% Total 100% *Data not available in FY2011 Q11. Using the following 10-point scale, please rate the ability of your training programs to reduce the insider threat risk. 1 = Low to 10 = High FY to 2 15% 3 to 4 31% 5 to 6 30% 7 to 8 16% 9 to 10 8% Total 100% *Data not available in FY2011 Q12. How does your organization allocate resources to mitigate or curtail insider threats? Please allocate 100 points to each category presented below FY 2014 Training 11 Technologies 43 Personnel 38 Governance 7 Other (please specify) 1 Total 100 *Data not available in FY2011 Q13a. Do you have a budget specifically allocated for investment in enabling technologies to reduce the insider threat? FY 2014 Yes, it is part of the overall IT budget 40% Yes, it is not part of the IT budget 17% No 43% Total 100% *Data not available in FY

26 25 Q13b. If part of the overall IT budget, what is the percentage allocated to insider threat technology investments? FY 2014 < 1% 2% 1% to 2% 5% 3% to 4% 8% 5% to 6% 21% 7% to 8% 30% 9% to 10% 15% 11% to 15% 11% 16% to 20% 5% > 20% 3% Total 100% *Data not available in FY2011 Q14. What one statement best describes your organization s preference for investing in insider threat mitigation technologies versus making existing tools work? FY 2014 We are more likely to buy new tools built specifically for mitigating insider threats 41% We are more likely to make existing tools work 33% We are equally likely to buy new tools or make existing tools work 21% Cannot determine 5% Total 100% *Data not available in FY2011 Part 2. Scenarios: How likely would it be for the following events to occur within your organization? Very likely & likely response combined Q15. The organization assigns privileged access rights that go beyond the individual s role or responsibilities. 54% 55% Q16. Privileged users are pressured to share their access rights with others in the organization. 40% 41% Q17. Social engineers outside the organization target privileged users to obtain their access rights. 45% 30% Q18. Malicious insiders target privileged users to obtain their access rights. 47% 21% Q19. Privileged users are not properly vetted or have their backgrounds checked prior to receiving their access rights. 38% 34% Q20. Privileged users become disgruntled and leak data or damage equipment. 27% 28% Q21. Privileged users access sensitive or confidential data because of their curiosity. 65% 68% Q22. Privileged users believe they are empowered to access all the information they can view. 73% 71% Q23. Privileged users who leave the organization continue to have access rights for a period of time after their discharge. 15% 16% Q24. Privileged users working from a home office have administrative or root level access rights. 41% 35% Average 45% 41% 25

27 26 Part 3. Privileged user access governance Q25. Please check all 12 of the enabling security technologies below that are used by your organization. Enterprise role lifecycle management 42% 43% Access request system 38% 38% Access policy automation 35% 32% Access review and certification system 28% 31% Privileged user management 50% 43% Security information and event management (SIEM) 54% 48% Access policy automation for the cloud 36% 32% Log and configuration management 64% 56% User provisioning systems 60% 63% Authentication and identity management 72% 68% Host-based auditing* 17% Endpoint monitoring* 49% Average 45% 45% Q26. What types of data do you consider to be most at risk in your organization due to the lack of proper access controls over privileged users? Top two choices. Customer information 49% 54% Consumer information 26% 19% Employee information 35% 35% Financial information 15% 13% General business information 56% 51% Corporate intellectual property 33% 12% Classified information* 29% Total 35% 184% Q27. What type of applications do you consider to be most at risk in your organization due to the lack of proper access governance and control? Please select the top three. Finance/ERP applications 10% 13% CRM applications 17% 20% Supply chain management applications 13% 15% Revenue generating applications 5% 12% Business unit specific applications 33% 34% Human resource applications 20% 25% Productivity applications 16% 21% Knowledge applications 21% 31% Cloud-based applications 38% 35% Social media applications 39% 51% Peer-to-peer database* 34% Mobile applications 48% 41% Total 294% 298% Q28. What best describes the process for assigning privileged user access to IT resources in your organization today? Please select one best choice. An ad hoc process 49% 51% Determined by well-defined policies that are centrally controlled by corporate IT 35% 31% Determined by well-defined policies that are controlled by business or application owners 15% 16% Unsure 1% 2% Total 100% 100% 26

28 27 Q29. Who in your organization is most responsible for granting privilegeduser access to information resources? Top two choices. Information technology operations 40% 40% Information security department 10% 11% Compliance department 17% 16% Business unit managers 51% 43% Application owners 35% 38% Human resource department 21% 25% Unsure 7% 6% Total 181% 179% Q30. What processes are used for granting privileged user access to IT resources: Please select the top two. Manual process (i.e. or phone) 40% 22% Homegrown access request systems 17% 16% Commercial off- the-shelf automated solutions 57% 35% IT Help Desk 36% 20% Unsure 0% 1% Other 5% 6% Total 155% 100% Q31. What processes are used to review and certify privileged user access? Please select the top two. Manual process (i.e. , spreadsheets) 46% 23% Homegrown access certification system 17% 18% Commercial off-the-shelf access certification system 44% 31% IT Help Desk 8% 3% Unsure 10% 16% Other 7% 9% Total 132% 100% Q32. Who within your organization is most responsible for conducting privileged user role certification? IT security 24% 23% Business units 36% 32% Audit 5% 4% Compliance 15% 9% Quality assurance 2% 3% Data center management 7% 5% Other 11% 24% Total 100% 100% Q33. How does your organization detect the sharing of system administration access rights or root level access rights by privileged users? Please select the top two. Technology-based identity and access controls 33% 20% Manually-based identity and access controls 12% 13% A combination of technology and manually-based identity and access controls 33% 36% Access to sensitive or confidential information is not really controlled 9% 13% We are unable to detect sharing of access rights 7% 6% Unsure 6% 12% Total 100% 100% 27

29 28 Q34. How well does your organization ensure privileged user access policies for the following tasks are strictly enforced? Combined excellent and good response. Assigning access based on job function or responsibilities 42% 40% Revoking or changing privileged access rights as needed when an employee s job or function changes or their relationship with the organization is terminated 41% 45% Enforcing access policies in a consistent fashion across all information resources in the organization 26% 23% Monitoring privileged users access when entering administrative root level access areas 37% 34% Enforcing segregation of duties requirements 55% 51% Providing evidence of compliance with regulations and industry mandates 70% 67% Understanding privileged user entitlements that are out of scope for a particular role 36% 35% Understanding privileged user entitlements that violate policy 30% 28% Vetting privileged users through background security checks before granting access rights 41% 39% Average 42% 40% Q35a. How confident are you that your organization has enterprise-wide visibility for privileged user access and can determine if these users are compliant with policies? Very confident 16% 15% Confident 18% 15% Somewhat confident 22% 23% Not confident 42% 45% Unsure 2% 2% Total 100% 100% Q35b. If not confident, please select one main reason. We can t create a unified view of privileged user access across the enterprise 51% 44% We only have visibility into privileged user account information but not entitlement information 9% 12% We can t apply controls that need to span across information resources 10% 15% We can t keep up with the changes occurring to our organization s IT resources (on-boarding, off- boarding and outsourcing for management) 30% 29% Total 100% 100% Q36. What are the critical success factors for governing, managing and controlling privileged user access across the enterprise? Very important and important response combined. Senior level executive support 65% 66% Ample budget 88% 90% Identity and access management technologies 86% 87% SIEM and network intelligence technologies 75% 78% Clearly defined privileged user access policies and procedures 44% 45% Accountability for governing user access owned by the business 51% 53% Privileged access rights assigned based on job function and responsibilities 63% 61% Compliance controls consistently applied across the enterprise 52% 45% Ability to automatically remediate privileged user access policy violations 61% 56% Monitor access inactivity to determine if access should be revoked 61% 63% Audits by an independent third-party 36% 27% Background checks before granting privileged access rights 56% 48% Average 62% 60% 28

30 29 Q37. What are the main problems your organization faces in delivering and enforcing privileged user access rights? Please select only your top three choices. Takes too long to deliver access to privileged users (not meeting our SLAs with the business) 44% 32% Too expensive to monitor and control all privileged users 30% 38% Too much staff required to monitor and control all privileged users 16% 23% Cannot apply access policy controls at point of change request 22% 27% Delivery of access to privileged users is staggered (not delivered at the same time) 5% 8% Cannot keep pace with the number of access change requests that come in on a regular basis 62% 53% Lack of a consistent approval process for access and a way to handle exceptions 45% 52% Difficult to audit and validate privileged user access changes 29% 35% Burdensome process for business users requesting access 35% 23% No common language exists for how access is requested that will work for both IT and the business 4% 5% Other (please specify) 0% 2% Total 292% 298% Part 4. More scenarios. In your opinion, how will each of the following situations affect your organization s access governance process, especially concerning privileged users? Please use the scale from very significant impact to no affect. Q38. Increasing number of regulations or industry mandates 62% 60% Q39. Adoption of cloud-based applications enables the business or endusers to circumvent existing access policies 71% 65% Q40. Outsourcing of applications and data for management 36% 45% Q41. The constant turnover (ebb and flow) of employees, contractors, consultants and partners 41% 43% Q42. Availability of SIEM and other network intelligence technologies 56% 57% Q43. Constant changes to the organization as a result of corporate reorganizations, downsizing and financial distress 27% 32% Q44. Adoption of virtualization technologies 48% 56% Q45. Expanded use of mobile devices in the workplace 76% 48% Q46. Change in the nature and scope of cyber crime 71% 65% Q47. The level of risk caused by privileged users abuse or misuse of IT resources 26% 19% Average 51% 49% Part 5. Your role D1. What organizational level best describes your current position? FY 2014 Senior Executive/VP 3% Director 16% Manager 23% Supervisor 16% Technician 33% Staff 4% Contractor 5% Other 0% Total 100% 29

31 30 D2. Check the Primary Person you or your IT security leader reports to within the organization. FY 2014 CEO/Executive Committee 0% Chief Financial Officer 2% General Counsel 0% Chief Information Officer 56% Chief Technology Officer 9% Compliance Officer 7% Human Resources VP 0% Chief Security Officer 1% Chief Information Security Officer 16% Chief Risk Officer 9% Other 0% Total 100% D3. What is the worldwide headcount of your organization? FY 2014 < % 500 to 1,000 19% 1,001 to 5,000 31% 5,001 to 25,000 19% 25,001 to 75,000 9% > 75,000 7% Total 100% D4. What industry best describes your organization s industry focus? FY 2014 Agriculture & food services 0% Communications 3% Consumer 6% Defense & aerospace 2% Education & research 1% Energy & utilities 4% Entertainment & media 3% Federal government 11% Financial services 18% Health & pharmaceutical 8% Hospitality 3% Industrial 5% Retail 6% Services 8% State or local government 12% Technology & software 6% Transportation 2% Other 2% Total 100% 30

32 31 About Raytheon Raytheon Company, with 2013 sales of $24 billion and 63,000 employees worldwide, is a technology and innovation leader specializing in defense, security and civil markets throughout the world. With a history of innovation spanning 92 years, Raytheon provides state-of-the-art electronics, mission systems integration and other capabilities in the areas of sensing; effects; and command, control, communications and intelligence systems, as well as cyber security and a broad range of mission support services. Raytheon is headquartered in Waltham, Mass. For more about Raytheon, visit us at and follow us on Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. 31

The State of Data Security Intelligence. Sponsored by Informatica. Independently conducted by Ponemon Institute LLC Publication Date: April 2015

The State of Data Security Intelligence. Sponsored by Informatica. Independently conducted by Ponemon Institute LLC Publication Date: April 2015 The State of Data Security Intelligence Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report The State of Data Security

More information

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report

More information

Achieving Security in Workplace File Sharing. Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014

Achieving Security in Workplace File Sharing. Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Achieving Security in Workplace File Sharing Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction Achieving

More information

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report

More information

Is Your Company Ready for a Big Data Breach?

Is Your Company Ready for a Big Data Breach? Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication

More information

Data Breach: The Cloud Multiplier Effect

Data Breach: The Cloud Multiplier Effect Data Breach: The Cloud Multiplier Effect Sponsored by Netskope Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report Part 1. Introduction Data Breach:

More information

Exposing the Cybersecurity Cracks: A Global Perspective

Exposing the Cybersecurity Cracks: A Global Perspective Exposing the Cybersecurity Cracks: A Global Perspective Part I: Deficient, Disconnected & in the Dark Sponsored by Websense, Inc. Independently conducted by Ponemon Institute LLC Publication Date: April

More information

What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage

What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage Sponsored by ObserveIT Independently conducted by Ponemon Institute LLC June 2015 Ponemon Institute Research Report

More information

The Importance of Cyber Threat Intelligence to a Strong Security Posture

The Importance of Cyber Threat Intelligence to a Strong Security Posture The Importance of Cyber Threat Intelligence to a Strong Security Posture Sponsored by Webroot Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research Report

More information

Understaffed and at Risk: Today s IT Security Department. Sponsored by HP Enterprise Security

Understaffed and at Risk: Today s IT Security Department. Sponsored by HP Enterprise Security Understaffed and at Risk: Today s IT Security Department Sponsored by HP Enterprise Security Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute Research

More information

Global Insights on Document Security

Global Insights on Document Security Global Insights on Document Security Sponsored by Adobe Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report Global Insights on Document Security

More information

Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age

Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: August 2013

More information

The Unintentional Insider Risk in United States and German Organizations

The Unintentional Insider Risk in United States and German Organizations The Unintentional Insider Risk in United States and German Organizations Sponsored by Raytheon Websense Independently conducted by Ponemon Institute LLC Publication Date: July 2015 2 Part 1. Introduction

More information

Security of Paper Records & Document Shredding. Sponsored by Cintas. Independently conducted by Ponemon Institute LLC Publication Date: January 2014

Security of Paper Records & Document Shredding. Sponsored by Cintas. Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Security of Paper Records & Document Shredding Sponsored by Cintas Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction

More information

The SQL Injection Threat Study

The SQL Injection Threat Study The SQL Injection Threat Study Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: April 2014 1 The SQL Injection Threat Study Presented by Ponemon Institute, April

More information

A Study of Retail Banks & DDoS Attacks

A Study of Retail Banks & DDoS Attacks A Study of Retail Banks & DDoS Attacks Sponsored by Corero Network Security Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report A Study of

More information

The Cost of Malware Containment

The Cost of Malware Containment The Cost of Malware Containment Sponsored by Damballa Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report The Cost of Malware Containment Ponemon

More information

The State of Data Centric Security

The State of Data Centric Security The State of Data Centric Security Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report State of Data Centric Security

More information

Security of Cloud Computing Users Study

Security of Cloud Computing Users Study Security of Cloud Computing Users Study Sponsored by CA Technologies Independently conducted by Ponemon Institute, LLC Publication Date: March 2013 Security of Cloud Computing Users Study March 2013 Part

More information

Understanding Security Complexity in 21 st Century IT Environments:

Understanding Security Complexity in 21 st Century IT Environments: Understanding Security Complexity in 21 st Century IT Environments: A study of IT practitioners in the US, UK, France, Japan & Germany Sponsored by Check Point Software Technologies Independently conducted

More information

2012 Application Security Gap Study: A Survey of IT Security & Developers

2012 Application Security Gap Study: A Survey of IT Security & Developers 2012 Application Gap Study: A Survey of IT & s Research sponsored by Innovation Independently Conducted by Ponemon Institute LLC March 2012 1 2012 Application Gap Study: A Survey of IT & s March 2012 Part

More information

Perceptions About Network Security Survey of IT & IT security practitioners in the U.S.

Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2011 Ponemon

More information

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T The Cost of Insecure Mobile Devices in the Workplace! Sponsored by AT&T Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Part 1. Introduction The Cost of Insecure Mobile Devices

More information

2010 Access Governance Trends Survey

2010 Access Governance Trends Survey 2010 Access Governance Trends Survey Sponsored by Aveksa Independently conducted by Ponemon Institute LLC Publication Date: April 19, 2010 Ponemon Institute Research Report I. Executive Summary 2010 Access

More information

The Cost of Web Application Attacks

The Cost of Web Application Attacks The Cost of Web Application Attacks Sponsored by Akamai Technologies Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Ponemon Institute Research Report Part 1. Introduction The

More information

The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners

The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners Sponsored by Vormetric Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon Institute

More information

Reputation Impact of a Data Breach U.S. Study of Executives & Managers

Reputation Impact of a Data Breach U.S. Study of Executives & Managers Reputation Impact of a Data Breach U.S. Study of Executives & Managers Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon

More information

Aftermath of a Data Breach Study

Aftermath of a Data Breach Study Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath

More information

Third Annual Study: Is Your Company Ready for a Big Data Breach?

Third Annual Study: Is Your Company Ready for a Big Data Breach? Third Annual Study: Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute

More information

Cloud Security: Getting It Right

Cloud Security: Getting It Right Cloud Security: Getting It Right Sponsored by Armor Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute Research Report Cloud Security: Getting It Right Ponemon

More information

The Security Impact of Mobile Device Use by Employees

The Security Impact of Mobile Device Use by Employees The Security Impact of Mobile Device Use by Employees Sponsored by Accellion Independently conducted by Ponemon Institute LLC Publication Date: December 2014 Ponemon Institute Research Report The Security

More information

Risk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin

Risk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin Risk & Innovation in Cybersecurity Investments Sponsored by Lockheed Martin Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report Part 1. Introduction

More information

The Impact of Cybercrime on Business

The Impact of Cybercrime on Business The Impact of Cybercrime on Business Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil Sponsored by Check Point Software Technologies Independently conducted

More information

The Challenge of Preventing Browser-Borne Malware

The Challenge of Preventing Browser-Borne Malware The Challenge of Preventing Browser-Borne Malware Sponsored by Spikes Security Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Part 1.

More information

The SQL Injection Threat & Recent Retail Breaches

The SQL Injection Threat & Recent Retail Breaches The SQL Injection Threat & Recent Retail Breaches Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2014 1 Part 1. Introduction The SQL Injection Threat &

More information

Security Metrics to Manage Change: Which Matter, Which Can Be Measured?

Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Sponsored by FireMon Independently conducted by Ponemon Institute LLC Publication Date: April 2014 2 Security Metrics to Manage Change:

More information

Data Security in Development & Testing

Data Security in Development & Testing Data Security in Development & Testing Sponsored by Micro Focus Independently conducted by Ponemon Institute LLC Publication Date: July 31, 2009 Ponemon Institute Research Report Data Security in Development

More information

Achieving Data Privacy in the Cloud

Achieving Data Privacy in the Cloud Achieving Data Privacy in the Cloud Study of Information Technology Privacy and Compliance of Small to Medium-Sized Organizations in germany Sponsored by microsoft Independently Conducted by Ponemon Institute

More information

Perceptions about the Potential Expiration of The Terrorism Risk Insurance Act (TRIA)

Perceptions about the Potential Expiration of The Terrorism Risk Insurance Act (TRIA) Perceptions about the Potential Expiration of The Terrorism Risk Insurance Act (TRIA) Sponsored by Property Casualty Insurers Association of America Independently conducted by Ponemon Institute LLC Publication

More information

2014: A Year of Mega Breaches

2014: A Year of Mega Breaches 2014: A Year of Mega Breaches Sponsored by Identity Finder Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report Part 1. Introduction 2014: A

More information

Data Security in the Evolving Payments Ecosystem

Data Security in the Evolving Payments Ecosystem Data Security in the Evolving Payments Ecosystem Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report

More information

Electronic Health Information at Risk: A Study of IT Practitioners

Electronic Health Information at Risk: A Study of IT Practitioners Electronic Health Information at Risk: A Study of IT Practitioners Sponsored by LogLogic Conducted by Ponemon Institute LLC October 15, 2009 Ponemon Institute Research Report Executive summary Electronic

More information

The State of Mobile Application Insecurity

The State of Mobile Application Insecurity The State of Mobile Application Insecurity Sponsored by IBM Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Part 1. Introduction The State

More information

Security of Cloud Computing Providers Study

Security of Cloud Computing Providers Study Security of Cloud Computing Providers Study Sponsored by CA Technologies Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report I. Executive Summary

More information

Challenges of Cloud Information

Challenges of Cloud Information The Challenges of Cloud Information Governance: A Global Data Security Study Sponsored by SafeNet Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research

More information

Security of Cloud Computing Providers Study

Security of Cloud Computing Providers Study Security of Cloud Computing Providers Study Sponsored by CA Technologies Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report I. Executive Summary

More information

Cyber Security on the Offense: A Study of IT Security Experts

Cyber Security on the Offense: A Study of IT Security Experts Cyber Security on the Offense: A Study of IT Security Experts Co-authored with Radware Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report

More information

Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations

Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations Sponsored by AccessData Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute

More information

Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners

Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners Sponsored by McAfee Independently conducted by Ponemon Institute LLC Publication Date: October 2011 Ponemon Institute Research.

More information

Corporate Data: A Protected Asset or a Ticking Time Bomb?

Corporate Data: A Protected Asset or a Ticking Time Bomb? Corporate Data: A Protected Asset or a Ticking Time Bomb? Sponsored by Varonis Independently conducted by Ponemon Institute LLC Publication Date: December 2014 Ponemon Institute Research Report Corporate

More information

The State of USB Drive Security

The State of USB Drive Security The State of USB Drive Security U.S. survey of IT and IT security practitioners Sponsored by Kingston Independently conducted by Ponemon Institute LLC Publication Date: July 2011 Ponemon Institute Research

More information

Exposing the Cybersecurity Cracks: A Global Perspective

Exposing the Cybersecurity Cracks: A Global Perspective Exposing the Cybersecurity Cracks: A Global Perspective Part 2: Roadblocks, Refresh and Raising the Human Security IQ Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication

More information

Global Survey on Social Media Risks Survey of IT & IT Security Practitioners

Global Survey on Social Media Risks Survey of IT & IT Security Practitioners 0 Global Survey on Social Media Risks Survey of IT & IT Security Practitioners Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication Date: September 2011 1 Global Survey on

More information

Breaking Bad: The Risk of Insecure File Sharing

Breaking Bad: The Risk of Insecure File Sharing Breaking Bad: The Risk of Insecure File Sharing Sponsored by Intralinks Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research Report Breaking Bad: The

More information

National Survey on Data Center Outages

National Survey on Data Center Outages National Survey on Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: 30 September 2010 Part 1. Executive Summary National Survey on Data Center Outages Ponemon Institute,

More information

APPLICATION SECURITY IN THE CHANGING RISK LANDSCAPE

APPLICATION SECURITY IN THE CHANGING RISK LANDSCAPE APPLICATION SECURITY IN THE CHANGING RISK LANDSCAPE INDEPENDENTLY CONDUCTED BY PONEMON INSTITUTE LLC, JULY 2016 Part 1. Introduction Ponemon Institute is pleased to present the results of Application Security

More information

2015 Global Study on IT Security Spending & Investments

2015 Global Study on IT Security Spending & Investments 2015 Study on IT Security Spending & Investments Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Sponsored by Part 1. Introduction Security risks are pervasive and becoming

More information

2015 Global Megatrends in Cybersecurity

2015 Global Megatrends in Cybersecurity 2015 Global Megatrends in Cybersecurity Sponsored by Raytheon Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report 2015 Global Megatrends in

More information

Efficacy of Emerging Network Security Technologies

Efficacy of Emerging Network Security Technologies Efficacy of Emerging Network Security Technologies Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Part

More information

The 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season

The 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season The 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season Sponsored by RSA Security Independently conducted by Ponemon Institute, LLC Publication Date: October 2013 Ponemon

More information

Defining the Gap: The Cybersecurity Governance Study

Defining the Gap: The Cybersecurity Governance Study Defining the Gap: The Cybersecurity Governance Study Sponsored by Fidelis Cybersecurity Independently conducted by Ponemon Institute LLC Publication Date: June 2015 Ponemon Institute Research Report Defining

More information

Advanced Threats in Retail Companies: A Study of North America & EMEA

Advanced Threats in Retail Companies: A Study of North America & EMEA Advanced Threats in Companies: A Study of North America & EMEA Sponsored by Arbor Networks Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Ponemon Institute Research Report

More information

2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition

2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition 2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition Sponsored by Silver Tail Systems Independently conducted by Ponemon Institute, LLC Publication Date: October 2012 Ponemon Institute

More information

Leading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers

Leading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers Leading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers Independently Conducted by Ponemon Institute LLC February 2012 Leading Practices in Behavioral

More information

Encryption in the Cloud

Encryption in the Cloud Encryption in the Cloud Who is responsible for data protection in the cloud? Sponsored by Thales e-security Independently conducted by Ponemon Institute LLC Publication Date: July 2012 Ponemon Institute

More information

How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States

How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States Sponsored by Imprivata Independently conducted by Ponemon Institute LLC Publication Date:

More information

The Importance of Senior Executive Involvement in Breach Response

The Importance of Senior Executive Involvement in Breach Response The Importance of Senior Executive Involvement in Breach Response Sponsored by HP Enterprise Security Services Independently conducted by Ponemon Institute LLC Publication Date: October 2014 The Importance

More information

The Role of Governance, Risk Management & Compliance in Organizations

The Role of Governance, Risk Management & Compliance in Organizations The Role of Governance, Risk Management & Compliance in Organizations Study of GRC practitioners Sponsored by RSA, The Security Division of EMC Independently conducted by Ponemon Institute LLC Publication

More information

The Economic and Productivity Impact of IT Security on Healthcare

The Economic and Productivity Impact of IT Security on Healthcare The Economic and Productivity Impact of IT Security on Healthcare Sponsored by Imprivata Independently conducted by Ponemon Institute LLC Publication Date: May 2013 Ponemon Institute Research Report The

More information

2014 State of Endpoint Risk. Sponsored by Lumension. Independently conducted by Ponemon Institute LLC Publication Date: December 2013

2014 State of Endpoint Risk. Sponsored by Lumension. Independently conducted by Ponemon Institute LLC Publication Date: December 2013 2014 State of Endpoint Risk Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2013 Ponemon Institute Research Report 2014 State of Endpoint Risk Ponemon

More information

2015 Global Cyber Impact Report

2015 Global Cyber Impact Report 2015 Global Cyber Impact Report Sponsored by Aon Risk Services Independently conducted by Ponemon Institute LLC Publication Date: April 2015 2015 Global Cyber Impact Report Ponemon Institute, April 2015

More information

Security of Cloud Computing Users A Study of Practitioners in the US & Europe

Security of Cloud Computing Users A Study of Practitioners in the US & Europe Security of Cloud Computing Users A Study of Practitioners in the US & Europe Sponsored by CA Independently conducted by Ponemon Institute LLC Publication Date: 12 May 2010 Ponemon Institute Research Report

More information

Compliance Cost Associated with the Storage of Unstructured Information

Compliance Cost Associated with the Storage of Unstructured Information Compliance Cost Associated with the Storage of Unstructured Information Sponsored by Novell Independently conducted by Ponemon Institute LLC Publication Date: May 2011 Ponemon Institute Research Report

More information

Cyber Threat Intelligence: Has to Be a Better Way

Cyber Threat Intelligence: Has to Be a Better Way Exchanging Cyber Threat Intelligence: There Has to Be a Better Way Sponsored by IID Independently conducted by Ponemon Institute LLC Publication Date: April 2014 Ponemon Institute Research Report Exchanging

More information

2013 Study on Data Center Outages

2013 Study on Data Center Outages 2013 Study on Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: September 2013 2013 Study on Data Center Outages Ponemon Institute, September 2013 Part 1. Introduction

More information

Survey on the Governance of Unstructured Data. Independently Conducted and Published by Ponemon Institute LLC. Sponsored by Varonis Systems, Inc.

Survey on the Governance of Unstructured Data. Independently Conducted and Published by Ponemon Institute LLC. Sponsored by Varonis Systems, Inc. Survey on the Governance of Unstructured Data Independently Conducted and Published by Ponemon Institute LLC Sponsored by Varonis Systems, Inc. June 30, 2008 Please Do Not Quote Without Express Permission.

More information

Big Data Analytics in Cyber Defense

Big Data Analytics in Cyber Defense Big Data Analytics in Cyber Defense Sponsored by Teradata Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Big Data Analytics in Cyber

More information

Enhancing Cybersecurity with Big Data: Challenges & Opportunities

Enhancing Cybersecurity with Big Data: Challenges & Opportunities Enhancing Cybersecurity with Big Data: Challenges & Opportunities Independently Conducted by Ponemon Institute LLC Sponsored by Microsoft Corporation November 2014 CONTENTS 2 3 6 9 10 Introduction The

More information

State of Web Application Security U.S. Survey of IT & IT security practitioners

State of Web Application Security U.S. Survey of IT & IT security practitioners State of Web Application Security U.S. Survey of IT & IT security practitioners Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: March 2011 Ponemon

More information

2013 State of the Endpoint

2013 State of the Endpoint 2013 State of the Endpoint Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report 2013 State of the Endpoint Ponemon Institute:

More information

Third Annual Survey on Medical Identity Theft

Third Annual Survey on Medical Identity Theft Third Annual Survey on Medical Identity Theft Sponsored by Experian s ProtectMyID Independently conducted by Ponemon Institute LLC Publication Date: June 2012 Ponemon Institute Research Report Part 1:

More information

Sponsored by Zimbra. The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA

Sponsored by Zimbra. The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA Sponsored by Zimbra Independently conducted by Ponemon Institute LLC Publication Date: November 2014 Ponemon Institute

More information

The Fraud Report: How Fake Users Are Impacting Business

The Fraud Report: How Fake Users Are Impacting Business The Fraud Report: How Fake Users Are Impacting Business Sponsored by TeleSign Independently conducted by Ponemon Institute LLC Publication Date: November 2015 Ponemon Institute Research Report The Fraud

More information

2015 State of the Endpoint Report: User-Centric Risk

2015 State of the Endpoint Report: User-Centric Risk 2015 State of the Endpoint Report: User-Centric Risk Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report 2015 State

More information

State of SMB Cyber Security Readiness: UK Study

State of SMB Cyber Security Readiness: UK Study State of SMB Cyber Security Readiness: UK Study Sponsored by Faronics Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report Part 1. Introduction

More information

The Human Factor in Data Protection

The Human Factor in Data Protection The Human Factor in Data Protection Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report The Human Factor in Data Protection

More information

The TCO of Software vs. Hardware-based Full Disk Encryption Summary

The TCO of Software vs. Hardware-based Full Disk Encryption Summary The TCO of vs. -based Full Disk Encryption Summary Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Industry Co-Sponsors Ponemon Institute Research Report

More information

State of IT Security Study of Utilities & Energy Companies

State of IT Security Study of Utilities & Energy Companies State of IT Security Study of Utilities & Energy Companies Sponsored by Q1 Labs Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report State of

More information

Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data

Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data Independently conducted by Ponemon Institute LLC Publication Date: February 23, 2009 Sponsored by Symantec Corporation Ponemon

More information

The economics of IT risk and reputation

The economics of IT risk and reputation Global Technology Services Research Report Risk Management The economics of IT risk and reputation What business continuity and IT security really mean to your organization Findings from the IBM Global

More information

The Post Breach Boom. Sponsored by Solera Networks. Independently conducted by Ponemon Institute LLC Publication Date: February 2013

The Post Breach Boom. Sponsored by Solera Networks. Independently conducted by Ponemon Institute LLC Publication Date: February 2013 The Post Breach Boom Sponsored by Solera Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Part 1. Introduction The Post Breach

More information

Ed Adams, CEO Security Innovation. Dr. Larry Ponemon Ponemon Institute. 2012 ISACA Webinar Program. 2012 ISACA. All rights reserved.

Ed Adams, CEO Security Innovation. Dr. Larry Ponemon Ponemon Institute. 2012 ISACA Webinar Program. 2012 ISACA. All rights reserved. 2012 Study on Application Security: AS Survey of fits Security and dd Developers Ed Adams, CEO Security Innovation Dr. Larry Ponemon Ponemon Institute 2012 ISACA Webinar Program. 2012 ISACA. All rights

More information

IBM QRadar Security Intelligence: Evidence of Value

IBM QRadar Security Intelligence: Evidence of Value IBM QRadar Security Intelligence: Evidence of Value Independently conducted by Ponemon Institute LLC February 2014 Ponemon Institute Research Report Background IBM QRadar: Evidence of Value Ponemon Institute:

More information

Intelligence Driven Cyber Defense

Intelligence Driven Cyber Defense Intelligence Driven Cyber Defense Sponsored by Lockheed Martin Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Intelligence Driven Cyber

More information

The Billion Euro Lost Laptop Problem Benchmark study of European organizations

The Billion Euro Lost Laptop Problem Benchmark study of European organizations The Billion Euro Lost Laptop Problem Benchmark study of European organizations Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report Part 1. Executive

More information

Fourth Annual Benchmark Study on Patient Privacy & Data Security

Fourth Annual Benchmark Study on Patient Privacy & Data Security Fourth Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Ponemon Institute Research Report

More information

2013 Cost of Data Center Outages

2013 Cost of Data Center Outages 2013 Cost of Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: December 2013 Part 1. Executive Summary 2013 Cost of Data Center Outages Ponemon Institute, December

More information

2012 Business Banking Trust Trends Study

2012 Business Banking Trust Trends Study 2012 Business Banking Trust Trends Study Sponsored by Guardian Analytics Independently conducted by Ponemon Institute LLC Publication Date: August 2012 Ponemon Institute Research Report Part 1. Introduction

More information

The Cloud Balancing Act for IT: Between Promise and Peril

The Cloud Balancing Act for IT: Between Promise and Peril The Cloud Balancing Act for IT: Between Promise and Peril Table of Contents EXECUTIVE SUMMARY...2 ONBOARDING CLOUD SERVICES...3 SYSTEMS OF RECORD: THE NEXT WAVE OF CLOUD ADOPTION...6 A CULTURE OF COMPLIANCE

More information

Privacy and Security in a Connected Life: A Study of US Consumers

Privacy and Security in a Connected Life: A Study of US Consumers Privacy and Security in a Connected Life: A Study of US Consumers Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research Report

More information