How New Cyber Security Federal Regulations Are Impacting Application and Network Security

Transcription

1 How New Cyber Security Federal Regulations Are Impacting Application and Network Security MARKETING RESEARCH EMPLOYEE ENGAGEMENT A WORLD OF INSIGHTS September, 2014 Research by Radware and IDG

2

3 RESPONDENT PROFILE Total Respondents Organization Size Global Annual Sales ,000+ employees 42% 1,000-9,999 employees 50% Less than 1,000 employees 8% $5 billion+ 46% $1 billion - $4.9 billion 41% $500M - $999.9M 14% Job Title Breakdown Top Represented Industries CIO/CTO 41% Financial services (banking, accounting, tax, etc.) Computer related products or services Recruit target 7% 60% CSO/CISO 8% Manufacturing, Production, Distribution 6% EVP, Senior VP, VP 13% Healthcare, Medical, Biotech, Pharmaceuticals 4% Director 18% Retail, Wholesale 4% Business services, Consulting 4% Manager/Supervisor 20% Telecommunications, Internet/Cloud Service Provider 3% * A more detailed respondent profile is appended to this report. A WORLD OF INSIGHTS 3

4 KEY FINDINGS 99% of respondents claim to be very or somewhat familiar with new federal guidelines, although a substantial number, both in financial services and other verticals, are still unaware about many specific regulations Although financial respondents had greater awareness of the specific regulations inquired in the survey, a greater percentage of those in non-financial services (77%) claim to be very familiar with new federal guidelines regarding application and network security than do those in financial services (67%) The financial services industry has felt the affects of these changes more so than have other verticals, particularly with regards to productivity loss, business disruption, and revenue loss Specific areas regulatory changes have impacted include IT CAPEX and OPEX, user experience, and personnel costs Despite these adverse consequences, 87% of respondents agree that the current regulatory changes are very important or critical to keeping their companies and industries secure In order to remain compliant with new codes, respondents have made numerous strategic changes, including investing in new or specialized technologies, changing security processes and protocols, creating new security models, and implementing alert automation Other organizations are taking a more tactical approach, allocating additional budget and hiring new resources (both internal and external) Despite the impact these regulatory changes, respondents believe more can still be done: 4 in 5 believe it is critical or very important for the federal government to impose stricter regulations around application and network security, while 84% expect those regulations to be carried out over the next 12 months A WORLD OF INSIGHTS 4

5 KEY FINDINGS In regards to future regulatory changes, respondents anticipated approaches mirror what they are doing now, which may suggest that solutions put in place today are not suited to scale or accommodate stricter regulations Just 14% of respondents indicated that they would be unwilling to adopt application and network security best practices from other industries Although financial institutions are largely more concerned about the possibility of cyberattacks than are companies from other industries, on average they feel less prepared to safeguard against them The attacks that cause the most harm to businesses are unauthorized access, theft of IP, and sabotage As a result of such attacks, organizations fear loss of revenue, loss of customers, and diminished brand reputation Nearly 80% of respondents expect the frequency of cyber-attacks to increase or remain flat over the next 12 months, while 16% anticipate a decrease (remainder did not know) Over two in five respondents have yet to fill out an SEC questionnaire for compliance in the past 12 months A WORLD OF INSIGHTS 5

6 A WORLD OF INSIGHTS 6 IMPACT OF FEDERAL REGULATORY CHANGES

7 Although the majority of respondents claim to be very familiar with new federal guidelines, a large number are still unaware about specific regulations Total Financial Services Non-Financial Services FAMILIARITY WITH NEW FEDERAL GUIDELINES (GENERAL) FAMILIARITY WITH NEW FEDERAL GUIDELINES (SPECIFIC) 71% 67% 77% National Institute of Standards and Technology (NIST) Cyber Security Framework FFEIC Joint Statement Distributed Denial-of-Service (DDoS) Cyber- Attacks, Risk Mitigation, and Additional Resources (US) Driver Securities and Exchange Commission Cyber Exams (US) Driver 62% 64% 60% 59% 63% 52% 56% 59% 51% 32% 28% 22% Office of the Controller of Currency (OCC) (US) Guidance Driver National Credit Union Administration (NCUA) Risk Alert (US) Driver 51% 58% 41% 58% 65% 46% Very familiar Somewhat familiar 0% 1% 0% Not at all familiar None of the above 3% 1% 7% Q1: Within your industry/organization, how familiar are you with new or revised federal guidelines (or industry association regulations) regarding application and network security (e.g. cyber-attack mitigation, DoS/DDOS attacks) released over the past months? Q2. More specifically, of which of the following new or revised federal guidelines (or industry association regulations) regarding application and network security (released over the past months) are you aware? Total Base: 250; Financial Services Base: 150; Non-Financial Services Base: 100 A WORLD OF INSIGHTS 7

8 Financial services is acutely impacted by new or revised federal guidelines, particularly in terms of business disruption and revenue loss CONSEQUENCES OF NEW FEDERAL GUIDELINES Total Financial Services Non Financial Services Productivity loss 41% 49% 54% Business disruption 34% 48% 57% Revenue loss 32% 48% 58% Penalties/fines 31% 36% 40% None of the above 11% 17% 26% Q3: Has your organization experienced any of the following consequences as a result of recent - new or revised - federal guidelines (or industry association regulations) regarding application and network security? Total Base: 250; Financial Services Base: 150; Non-Financial Services Base: 100 A WORLD OF INSIGHTS 8

9 In addition to revenue loss, higher OPEX and CAPEX as a result of new federal regulations are also affecting bottom line results; despite these adverse consequences, respondents largely believe these regulations are very or critically important IMPACT OF NEW FEDERAL REGULATIONS TO ASPECTS OF BUSINESS Significant Moderate Minimal No Impact IT capital expenditures (CapEx) (i.e., data center upgrades/investments) IT operational expenses (OpEx) 42% 40% 38% 41% 16% 4% 15% 4% PERCEIVED IMPORTANCE OF NEW FEDERAL REGULATIONS 69% User experience 36% 38% 20% 6% Personnel costs Application performance 36% 35% 40% 41% 20% 19% 4% 5% 18% 11% Application development costs 35% 40% 21% 4% 1% 0% Procurement cycles for third-party apps 31% 41% 22% 6% Application development cycles 30% 46% 19% 5% Hiring practices 27% 48% 16% 8% Q4: What has been the impact of these recent - new or revised - federal guidelines (or industry association regulations) on the following aspects of your business? Q5: How important do you believe recent - new or revised - federal guidelines (or industry association regulation changes) to application and network security policies/requirements are to keeping your company/industry secure? Total Base: 250 A WORLD OF INSIGHTS 9

10 Top approaches to new federal regulations are more strategic (investing in new tech, process refresh, etc.) than simply adding supplemental resources ORGANIZATIONAL APPROACH TO NEW FEDERAL REGULATIONS Invested in new or specialized technologies (hardware and/or software) Changed security processes, protocols, and mandates Created new security models 49% 47% 53% EXTRA BUDGET New monies 14% average increase (N = 78) Re-assigned budget 11% average increase (N = 30) Implemented alert automation in event of breach Revised internal external reporting requirements processes Assigned extra budget Hired new external resources (i.e., temporary IT staffing, sub-contractors, etc.) Hired new internal resources (full-time/part-time staff) None, we have not changed our approach 1% 46% 44% 43% 42% 41% HIRED RESOURCES New internal 18 new employees (mean) (N = 102) New external Temporary IT staffing (56%) Sub-contractors (44%) Consultants (68%) Short-term vendor staff assistance (55%) Short-term partner staff assistance (40%) (N = 104) Q6: During the past 12 months, how has your organization approached compliance with new or revised federal guidelines (or industry association regulations) regarding application and network security? Q6a. Did your company allocate new or additional monies to address these compliance needs or reassign monies from an existing budget? Q6b. How many new internal hires were made over the past 12 months to address these compliance needs? Q6c. What types of new external resources have you contracted with to address your compliance needs over the past 12 months? Total Base: 250; Q6a Base 108: Q6a (Increase) Base: 78; Q6a (Re-assign) Base: 30; Q6b Base: 102; Q6c Base: 104 A WORLD OF INSIGHTS 10

11 Nearly two-thirds of respondents indicated a willingness to adopt application and network security best practices from another industry, compared to just 14% who would not WILLINGNESS TO ADOPT APPLICATION AND NETWORK SECURITY BEST PRACTICES FROM OTHER INDUSTRIES 63% 23% 14% Yes Maybe No Q10: Would you be willing to adopt application and network security best practices from another industry based on its response to anticipated Federal regulatory changes? Total Base: 250 A WORLD OF INSIGHTS 11

12 A WORLD OF INSIGHTS 12 FUTURE FEDERAL REGULATORY CHANGES

13 The vast majority of respondents believe it is very or critically important for the federal government to impose stricter regulations around application and network security, while more than 5 in 6 expect those regulations to be carried out over the next 12 months PERCEIVED IMPORTANCE OF STRICTER REGULATIONS Total Reported Adverse Consequences Did Not Report Adverse Consequences 66% 61% 36% 36% 19% 16% 17% 16% 24% Critical/Very important Adverse conseq.: 82% No Adverse conseq.: 72% 84% of respondents expect network and application security to be more tightly regulated by the federal government over the next 12 months 5% 2% 1% 1% 1% 0% Critical Very important Somewhat important Not very important Not at all important Q7: In terms of keeping your company/industry secure, how important do you believe it is for the federal government to impose stricter regulations around application and network security? Q8: With respect to application and network security, do you expect your industry will be more tightly regulated by the federal government over the next 12 months? Total Base: 250; Reported Adverse Consequences Base: 208; Did Not Report Adverse Consequences Base: 42 A WORLD OF INSIGHTS 13

14 Respondent organizations anticipated responses to future federal regulation changes mirror what organizations are doing today ANTICIPATED APPROACH TO FUTURE FEDERAL REGULATIONS CHANGES Total Financial Services Non Financial Services Implement new technologies (hardware and/or software) Create new security models Assign extra budget Change security processes, protocols, and mandates Implement aleart automation in event of breach Hire new external resources Hire new internal resources Revise internal/external reporting requirements/processes 56% 46% 51% 50% 53% 47% 52% 40% 47% 53% 39% 46% 47% 44% 43% 46% 38% 42% 45% 37% 38% 41% 35% 62% Q9: How do you anticipate your organization will approach compliance with future new or revised federal guidelines (or industry association regulations) regarding application and network security? Total Base: 250; Financial Services Base: 150; Non-Financial Services Base: 100 A WORLD OF INSIGHTS 14

15 A WORLD OF INSIGHTS 15 ATTACKS ON THE BUSINESS AND MITIGATION STRATEGIES

16 Although financial institutions are more concerned about the possibility of cyber-attacks than are respondent organizations from other industries, they believe their businesses are less prepared to safeguard against them Total Financial Services Non-Financial Services CONCERN ABOUT POSSIBILITY OF CYBER-ATTACKS Extremely concerned Very concerned Somewhat concerned Not very concerned Not at all concerned 13% 10% 18% 5% 3% 8% 0% 1% 0% 30% 28% 33% 41% 51% 58% Extremely/Very Concerned TITLE Financial: 86% Non-Financial: 74% PERCEIVED PREPAREDNESS TO SAFEGUARD AGAINST CYBER-ATTACKS Extremely well prepared Very well prepared Somewhat prepared Not very prepared Not at all prepared 0% 0% 1% 0% 0% 0% 26% 22% 31% 30% 33% 24% 44% 45% 44% Extremely/Very Well Prepared Financial: 67% Non-Financial: 75% Q11: How concerned are you about the possibility of cyber-attacks to your organization Q12. In your opinion, how prepared is your organization to safeguard itself from cyber-attacks? Total Base: 250; Financial Services Base: 150; Non-Financial Services Base: 100 A WORLD OF INSIGHTS 16

17 Unauthorized access, theft of IP, sabotage, and worm and virus damage are the most harmful attacks to the business ATTACKS CAUSING MOST HARM TO BUSINESS Unauthorized Access Theft of proprietary information/intellectual property Sabotage: deliberate disruption, deletion or destruction of information, systems, or networks Worm & Virus Damage 48% 47% 47% 46% Fraud 43% Criminal SPAM 38% Advanced persistent threat (APT) 37% Phishing 33% Distrubuted denial-of-service 32% Q13: Which of the following attacks would cause the most significant harm to your business? Total Base: 250 A WORLD OF INSIGHTS 17

18 Unsurprisingly, loss of revenue tops the list of negative outcomes resulting from a cyber-attack, followed by loss of customers, which was cited at a higher clip by non-financial industry respondents than by financial respondents CONCERN OVER OUTCOMES Loss of revenue 39% Loss of customers 38% Diminished brand value/reputation 31% Inability to conduct business for extended periods of time 28% Increased operational costs (customer service, engineering) 25% Delay of other important initiatives 25% Q14: Which of the following potential negative outcomes from an attack is your organization most concerned about? Total Base: 250 A WORLD OF INSIGHTS 18

19 Nearly 80% of respondents expect the frequency of cyber-attacks to their organization to increase or remain flat over the next 12 months FREQUENCY OF ATTACKS OVER NEXT 12 MONTHS On average, respondents anticipate a 3.5% increase in cyber-attacks over the next 12 months INCREASE 19% 44% 35% DECREASE 21% 16% Increase Remain flat Decrease Q15a: Over the next 12 months, do you anticipate the frequency of cyber-attacks directed at your organization to: Q15b: By what percent do you anticipate the number of cyber-attacks to [increase/decrease] over the next 12 months? Total Base: 250 A WORLD OF INSIGHTS 19

20 Nearly half of all respondents are leveraging the cloud to some capacity to mitigate DDoS attacks; a substantial percentage of respondents have yet to fill out an SEC questionnaire for compliance in the last 12 months DDOS MITIGATION STRATEGIES We are using a hybrid (mix of hardware and cloud) approach We leverage on-premise hardware/software (e.g. firewalls, routers, switches, and intrusion prevention systems) 28% 26% 58% of survey respondents have filled out a Security and Exchange Commission questionnaire for compliance in the past 12 months We leverage a cloud-based solution 21% We are using our ISP s/hosting provider s solution 17% 79% of respondents view their organization as critical infrastructure We are not protecting against DDoS attacks 8% Q16: In the past 12 months, have you filled out a Security and Exchange Commission (SEC) questionnaire for compliance? Q17. Based on your company s role and industry, do you view your organization as critical infrastructure (i.e. do you view your organization as an asset essential for the functioning of a society and/or economy)? Q18. Upon which of the following does your organization primarily rely to protect itself against and mitigate DDoS attacks? Total Base: 250 A WORLD OF INSIGHTS 20

21 A WORLD OF INSIGHTS 21 RESPONDENT PROFILE

22 Number of Employees Company Industry 100,000 or more 50,000-99,999 12% 6% Financial services (banking, accounting, tax, etc.) Computer related products or services Recruit target Manufacturing, Production, Distribution 7% 6% 60% 30,000-49,999 7% Healthcare, Medical, Biotech, Pharmaceuticals 4% 20,000-29,999 7% Retail, Wholesale 4% 10,000-19,999 7,500-9,999 10% 12% Business services, Consulting Telecommunications, Internet/Cloud Service Provider Architecture, Building, Construction, Engineering 4% 3% 2% 5,000-7,499 16% Media, Entertainment 2% 2,500-4,999 14% Energy and Utilities Advertising, Marketing, Public relations 1% 1% 1,000-2,499 7% Arts, Recreation 1% % Government (Federal, State & Local) 1% Fewer than 250 employees 3% 1% Mean number of employees: 25,151 Insurance Transportation Other 1% 1% 2% Q19: Approximately how many people are employed in your entire company or enterprise? (Please include all plants, divisions, branches, parents and subsidiaries worldwide) S5: Which of the following best describes your organization s industry or function? Total Base: 250 A WORLD OF INSIGHTS 22

23 Job Title Global Annual Sales Revenue CIO/CTO 41% $10 billion or more 19% CSO/CISO 8% $5 billion - $9.9 billion 27% EVP, Senior VP, VP 13% $3 billion - $4.9 billion 20% Director 18% $1 billion - $2.9 billion 20% Manager/Supervisor 20% $500 million - $999.9 million 14% Mean (billions): $5.18 S3: Which of the following best describes your title within your organization? S4: Please indicate your organization s total global annual sales revenue for the most recent fiscal year. Total Base: 250 A WORLD OF INSIGHTS 23

24 IDG Research Services specializes in marketing and media-related research for technology marketers. As a division of International Data Group (IDG), the world's leading technology media, research, and event company, IDG Research Services brings the resources and experience of a large, global company to its clients in the form of a small, customer-focused business. For more information please visit our website. Radware (NASDAQ: RDWR), is a global leader of application delivery and application security solutions for virtual and cloud data centers. Its award-winning solutions portfolio delivers full resilience for business-critical applications, maximum IT efficiency, and complete business agility. Radware's solutions empower more than 10,000 enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity and achieve maximum productivity while keeping costs down. For more information, please visit A WORLD OF INSIGHTS 24