Centrify State of the Corporate Perimeter Survey Research Report

Transcription

1 Centrify State of the Corporate Perimeter Survey Research Report Findings from an Online Survey of 200 IT Decision-Makers and 200 IT Decision-Makers Conducted April 2015 Copyright 2015 Centrify Corporation. All Rights Reserved. 1

2 Methodology Two surveys of IT decision-makers (or ITDMs) one of N=200 in the, one of N=200 in the were designed and conducted online by Finn Partners. The surveys were conducted between April 27 and April 30, Respondents were required to currently be working in, or to have recently worked in, information technology. They were also required to be a part of the decision-making process when it comes to enterprise-wide IT security. Both surveys have a margin of error of +/- 6.9% for the full sample. The margin of error is higher for subgroups within each sample. Copyright 2015 Centrify Corporation. All Rights Reserved. 2

3 Centrify Survey

4 In 2015, Centrify corporation surveyed more than 400 IT decision makers (ITDMs) in the and to find out one thing: Are corporations as secure as they should be? Major breaches like Sony and the Office of Personnel Management make headlines but how much are hackers costing organizations that don t make the front page? Centrify s hypothesis was that protecting identity is at the heart of protecting data. Survey results support this claim and more. Copyright 2015 Centrify Corporation. All Rights Reserved. 4

5 Sharing Access Credentials 59% of ITDMs report sharing access credentials with other employees at least somewhat often. Another 52% share access at least somewhat often with contractors. In the, the numbers are 34% and 32% respectively. It's worth noting that if those shared credentials provide access to privileged accounts, hackers essentially receive the keys to the kingdom elevated access to an organization's most critical data, applications, systems and network devices. Copyright 2015 Centrify Corporation. All Rights Reserved. 5

6 Former Employee Access 53% of ITDMs say it would be at least somewhat easy for a former employee to still log in and access data. In the, the number is 32%. Half of ITDMs say it can take up to a week or more to remove access to sensitive systems. These numbers underscore what is widely perceived as a growing gap in security, visibility and control over individual accounts, both privileged and otherwise. Copyright 2015 Centrify Corporation. All Rights Reserved. 6

7 Organization Vulnerability Organizations are far more vulnerable than they care to admit 55% of ITDMs said their organizations had been breached in the past 44% of companies had breaches that together cost millions of dollars 45% of ITDMs said their organizations had been breached in the past 35% of companies had breaches that together cost millions of dollars Copyright 2015 Centrify Corporation. All Rights Reserved. 7

8 Food for Thought Notably, happy hours, birthdays and kitchen etiquette get more airplay than security in the workplace. Separately, when we asked IT folks if they could break in anywhere and get away with it, they chose: The White House David Cameron s private Facebook Apple Bill Gates My bank Walmart Papa John s Pizza But in all fairness, most respondents replied that they would never do such a thing. Copyright 2015 Centrify Corporation. All Rights Reserved. 8

9 Sounding the Alarm IT managers are sounding the alarms to little avail. 48% of & 30% of ITDMs have had to fight their organizations for stricter protocols 42% of & 27% of ITDMs have lost the battle for stricter protocols 28% of & 40% of ITDMs say security isn't getting enough attention Copyright 2015 Centrify Corporation. All Rights Reserved. 9

10 Full Survey Results Workforces naturally expand and contract. Roles change. Rules change. And all of this is happening in an increasingly amorphous corporate perimeter. To manage this, businesses need a purpose-built solution. To learn more about how to protect your business from debilitating lapses in security, take a look at Centrify s state-of-the-art technology. Download Entire Survey Copyright 2015 Centrify Corporation. All Rights Reserved. 10

11 Key Findings

12 ITDMs vs. ITDMs KEY FINDINGS Throughout the survey, there were clear and consistent differences between the attitudes of ITDMs and ITDMs. ITDMs were more likely to distribute liberal levels of access to their employees, contractors, and vendors. That said, they were also more likely to monitor that access carefully and consistently than their counterparts. ITDMs were also more likely to say they had to fight their leadership for stricter security protocols and to have had requests for stricter protocols denied. While nearly half of ITDMs expressed these opinions, fewer than 1 in 3 ITDMs said the same. ITDMs were less likely to be confident that their existing IT security was protecting all levels of data against a breach. However, they were also less likely to say that their organization had had a breach, and were less concerned about data vulnerability than the ITDMs. Copyright 2015 Centrify Corporation. All Rights Reserved. 12

13 The Online Security Landscape KEY FINDINGS Security stands out as the most important issue, with about half of ITDMs saying that security is in the top 3 of the biggest IT challenges they expect to deal with in the next 12 months (ranking first of all choices listed.) Virtually all ITDMs are at least somewhat confident (99% in, 95% in ) in their own company s IT security, software, and protocols. However, ITDMs have much more intensity behind this confidence; while 56% of ITDMs are very confident, only 35% of ITDMs are very confident. About three-quarters (74%) of ITDMs and over half (57%) of ITDMs agree that their organization needs to do a better job monitoring who is accessing their data, making the case that there is significant concern about levels of access. Close to three-in-four (72%) ITDMs are favorable to Centrify, putting it within the margin of error for overall favorability with CA Technologies, Lieberman Software, BeyondTrust, CyberArk, and Arcon. With the exception of CA Technologies, these were all within the margin of error for intense favorability (25% very favorable) as well. In the, nearly half (47%) have no opinion or have never heard of Centrify, though 38% are favorable (10% very favorable.) Copyright 2015 Centrify Corporation. All Rights Reserved. 13

14 Levels of Access KEY FINDINGS Outsiders are indeed given access to company data, which leaves that data vulnerable. In the, a majority (59%) share access with other employees at least somewhat often and 52% also say the same about sharing data with contractors. (Note that the numbers in the are smaller, 34% and 32% respectively.) Additionally, 75% of ITDMs in the say that more than 10% in their company have privileged access to data, as do 44% of ITDMs in the. Fully 53% in the say it would be at least somewhat easy for a former employee to log-in to access systems or data with old passwords, as do 32% in the. Among those who allow contractors to have access at least somewhat often, 82% in the and 68% in the say it would be at least somewhat easy for others to access old data. Though half say that employees and contractors who leave are off-boarded within the day that they leave, about half also say it could take a week or more to remove the access to sensitive systems for a person no longer affiliated with the company. Copyright 2015 Centrify Corporation. All Rights Reserved. 14

15 Company Leadership Decisions on IT Security KEY FINDINGS While IT decision makers generally think their leadership understands the issues surrounding the need for security, significant percentages of these individuals say these issues don t get enough attention (28% in, 40% in ), have had to fight within their organization for stricter protocols (48%, 30% ), and have had leadership turn them down on their requests for stricter protocols (42%, 27% ). Additionally, nearly one-in-five ITDMs say they are more likely to hear about free food in the conference room, office birthdays, or office kitchen etiquette than security protocols from their leadership. This finding could be a compelling illustration of how much more seriously IT security needs to be taken by senior managers. Copyright 2015 Centrify Corporation. All Rights Reserved. 15

16 The Threat of Data Breaches KEY FINDINGS Data breaches are a huge concern. Fully 45% of ITDMs and 55% of ITDMs say their organization has had a security breach in the past. These threats are nearly constant in some instances, as 28% of ITDMs and 14% of ITDMs believe that the last attempted security breach occurred within the last hour. Taken more broadly, 43% of ITDMs and 26% of ITDMs believe the last attempted security breach occurred within the last week (or more recently.) The consequences of a breach are non-trivial. In the, among those who believe their company had had a breach, 44% say that the breach cost thousands or more, as did 35% in the. Interestingly, 28% in the say they could be persuaded to be a hacker for $2,000 or less and 14% in the say they could be persuaded for 2,000 or less. While this is an interesting statistic, it may be prudent to take this finding with a grain of salt, as some participants simply entered 1 or 100 for this question and likely were not seriously claiming that they would become hackers for $1 or 1. Copyright 2015 Centrify Corporation. All Rights Reserved. 16

17 The Online Security Landscape

18 ONLINE SECURITY LANDSCAPE Security is clearly thought of as one of the most important IT challenges today. About half of ITDMs select security as one of the top three IT challenges emerging in the next 12 months. What are the biggest IT challenges you expect in the next 12 months? SELECT UP TO 3. Security 46% 50% Cloud computing 40% 41% Data management Big data 26% 24% 22% 24% Network administration 14% 22% Mobile applications and management 16% 19% Application development Business intelligence Database analysis and development 10% 18% 16% 18% 17% 17% Help desk/it support 15% 19% Windows administration Web design and development 9% 15% 13% 13% *15% or higher charted Copyright 2015 Centrify Corporation. All Rights Reserved. 18

19 ONLINE SECURITY LANDSCAPE The importance of security is especially salient among those who have been in the IT industry for 10 years or more. What are the biggest IT challenges you expect in the next 12 months? SELECT UP TO 3. Security In Top 3 All 46% 50% 10+ Years in IT 56% 60% Copyright 2015 Centrify Corporation. All Rights Reserved. 19

20 ONLINE SECURITY LANDSCAPE Protecting big data is the #1 priority for over 1 in 3 ITDMs and 1 in 5 ITDMs. Fully 86% in the and 64% in the list this at least as a top priority, if not #1 overall. When it comes to your IT security, how much of a priority is protecting big data? #1 priority 20% 36% A top priority 44% 50% In the top 10 14% 28% Not much of a priority 8% Copyright 2015 Centrify Corporation. All Rights Reserved. 20

21 ONLINE SECURITY LANDSCAPE While both and ITDMs are at least somewhat confident in their company s IT security protocols (99% in, 95% in ), the intensity is much greater on the American side. While 56% of ITDMs are very confident, just 35% of ITDMs say the same. Overall, how confident are you in your company s IT security, software and protocols? 56% 60% 35% 43% 21-point disparity between and 2% 4% 0% 1% 0% 0% Very confident Somewhat confident Not too confident Not at all confident Don't know Copyright 2015 Centrify Corporation. All Rights Reserved. 21

22 ONLINE SECURITY LANDSCAPE Those who have been in the industry longer are less likely to be very confident in their company s IT security, software, and protocols. Overall, how confident are you in your company s IT security, software and protocols? 56% 60% 35% 39% 45% 32% Very confident - all Very confident - <10 years in IT Very confident years in IT Copyright 2015 Centrify Corporation. All Rights Reserved. 22

23 ONLINE SECURITY LANDSCAPE ITDMs use a host of security mechanisms within their organizations. Regularly updating passwords is the most common. While multi-factor authentication is used among half of ITDMs, single sign-on is more common in the. Which of the following do you use as part of IT security within your organization? SELECT ALL THAT APPLY. Updating passwords on a regular basis 58% 63% Privileged identity management an individual account per privileged user 51% 56% Multi-factor authentication (requiring 2 or more forms of identification) 37% 49% Single sign-on (individual user password across multiple apps) 45% 50% Shared account password management a shared account accessed by multiple users Biometrics (fingerprint, heartbeat, etc.) 14% 24% 29% 36% Copyright 2015 Centrify Corporation. All Rights Reserved. 23

24 ONLINE SECURITY LANDSCAPE Nearly three-in-four ITDMs in the agree that their organization should do a better job monitoring who is accessing data (though just one-in-three agree strongly.) Additionally, 84% agree at least somewhat that data breaches are 100% preventable. Below is a list of statements about the state of current IT security. Please indicate how much you agree or disagree with each. Data breaches are 100% preventable with the right protocols % Strongly agree / Somewhat agree 40% 84% Our organization should do a better job monitoring who is accessing data 36% 74% I am concerned about all the ways someone could access the keys to the kingdom in our organization 33% 75% Our organization has too little control over the mobiles, home tablets and out of office devices Our organization has too many privileged users 29% 29% 62% 66% I can t get our leadership to take security seriously enough 29% 57% Our organization is behind the curve on identity management 28% 64% In today s environment, data breaches basically cannot be prevented 26% 63% Ranked by % Strongly agree Darker colors indicate intensity Copyright 2015 Centrify Corporation. All Rights Reserved. 24

25 ONLINE SECURITY LANDSCAPE Though the ITDMs prioritize the same top two statements, they are much less likely than their American counterparts to agree strongly. Below is a list of statements about the state of current IT security. Please indicate how much you agree or disagree with each. Our organization should do a better job monitoring who is accessing data Data breaches are 100% preventable with the right protocols % Strongly agree / Somewhat agree 19% 57% 18% 65% Our organization has too little control over the mobiles, home tablets and out of office devices 17% 54% Our organization is behind the curve on identity management 16% 47% I am concerned about all the ways someone could access the keys to the kingdom in our organization 14% 59% In today s environment, data breaches basically cannot be prevented 13% 50% Our organization has too many privileged users 13% 41% I can t get our leadership to take security seriously enough 10% 40% Ranked by % Strongly agree Darker colors indicate intensity Copyright 2015 Centrify Corporation. All Rights Reserved. 25

26 ONLINE SECURITY LANDSCAPE Those who have had a data breach are especially likely to strongly agree that their organizations need to do a better job monitoring who is accessing data. Over half in the who have had a data breach believe this strongly. Below is a list of statements about the state of current IT security. Please indicate how much you agree or disagree with each. Our organization should do a better job monitoring who is accessing data. % Strongly agree / Somewhat agree - All 36% - Had Data Breach 52% - All 19% - Had Data Breach 24% Copyright 2015 Centrify Corporation. All Rights Reserved. 26

27 ONLINE SECURITY LANDSCAPE Though Centrify falls near the bottom of the list in terms of those who are very favorable, it is within the margin of error when compared to Lieberman Software, BeyondTrust, CyberArk, Thycotic, and Arcon. Additionally, more are favorable overall to Centrify than they are to these other companies. Please indicate your opinion of the following companies that provide security-based software. If you have never heard of the company, please say so. % Very favorable / Somewhat favorable IBM 56% 91% Oracle 54% 91% Dell 47% 85% CA Technologies 33% 75% Lieberman Software BeyondTrust CyberArk 29% 28% 27% 70% 69% 71% 19% No opinion / Never heard Thycotic 27% 64% Centrify 25% 72% Arcon 25% 66% Ranked by % Strongly agree Darker colors indicate intensity Copyright 2015 Centrify Corporation. All Rights Reserved. 27

28 ONLINE SECURITY LANDSCAPE Favorability for all of these companies is significantly lower in the. Nearly half of ITDMs in the have no opinion of Centrify or have never heard of the company. Please indicate your opinion of the following companies that provide security-based software. If you have never heard of the company, please say so. % Very favorable / Somewhat favorable IBM 32% 75% Oracle 31% 70% Dell 26% 70% CA Technologies 13% 50% BeyondTrust CyberArk 13% 13% 41% 39% 47% No opinion / Never heard Arcon 10% 39% Centrify 10% 38% Lieberman Software 9% 39% Thycotic 9% 34% Ranked by % Strongly agree Darker colors indicate intensity Copyright 2015 Centrify Corporation. All Rights Reserved. 28

29 Levels of Access

30 LEVELS OF ACCESS ITDMs are far more liberal with granting privileged access. Fully 75% of ITDMs in the say that more than 10% in their company have privileged access, compared to 44% in the. Approximately what percent of people in your company have privileged access that is, an ability to access, control or view higher-level information that others do not have? Your best estimate is fine. 13% 25% 10 or fewer 5% 5% % 19% % 25% % 19% Copyright 2015 Centrify Corporation. All Rights Reserved. 30

31 LEVELS OF ACCESS Sharing privileged access with other employees is more common in the, as 59% of ITDMs share privileged access at least somewhat often (28% very) compared to 34% of ITDMs (10% very). How often do you share either root or privileged level access to systems or data with other employees? 28% 31% 24% 18-point disparity between and 23% 26% 19% 19% 10% 13% 11% Very often Somewhat often Not too often Rarely Never Copyright 2015 Centrify Corporation. All Rights Reserved. 31

32 LEVELS OF ACCESS Similarly, sharing access with contractors or third parties is more common in the, with 52% in the sharing this at least somewhat often and 32% in the sharing this at least somewhat often. And how often does your company allow contractors or third parties to have root or privileged level access to systems or data? 33% 24% 8% 28% 24% 16-point disparity between and 16% 18% 21% 11% 18% Very often Somewhat often Not too often Rarely Never Copyright 2015 Centrify Corporation. All Rights Reserved. 32

33 LEVELS OF ACCESS Those in the are more likely to change levels of access very often (29% to 11%) and at least somewhat often (66% to 46%). And how often does your company change root or privileged levels of access to accounts? 29% 37% 35% 30% 18-point disparity between and 11% 18% 13% 19% 3% 4% Very often Somewhat often Not too often Rarely Never Copyright 2015 Centrify Corporation. All Rights Reserved. 33

34 LEVELS OF ACCESS Tools that monitor employee access and usage are near universal in the, and are used by three-in-four in the. Does your organization have tools in place to monitor how and where employees are performing privileged access to systems or data within your organization? 7% 2% 9% Yes No 16% Not sure 75% 92% Copyright 2015 Centrify Corporation. All Rights Reserved. 34

35 LEVELS OF ACCESS ITDMs in the audit employee usage more frequently, with two-thirds analyzing this at least every week. In the, 44% analyze this at least every week. How often does someone in your company formally analyze or audit how and when employees and/or contractors are performing privileged access to systems or data within your organization? Daily 30% Daily 22% Weekly 34% Weekly 22% Monthly 21% Monthly 22% Quarterly or more 12% Quarterly or more 21% Never Never 10% Don't know Don't know 5% Copyright 2015 Centrify Corporation. All Rights Reserved. 35

36 LEVELS OF ACCESS Those who allow contractors to have access most often (very or somewhat often) are more likely to monitor their usage on a daily or weekly basis. How often does someone in your company formally analyze or audit how and when employees and/or contractors are performing privileged access to systems or data within your organization? Daily - All 30% Daily - All 22% Daily - Allow contractors more often 37% Daily - Allow contractors more often 29% Weekly - All 34% Weekly - All 22% Weekly - Allow contractors more often 45% Weekly - Allow contractors more often 29% Copyright 2015 Centrify Corporation. All Rights Reserved. 36

37 LEVELS OF ACCESS Though half say that employees and contractors are off-boarded within the day, about half say it might be within the week or more when access to sensitive systems for a person no longer affiliated from the company is finally removed. When an employee and/or contractor leaves or stops working with your company, how long does it usually take for your company to completely cut off their access to sensitive systems and data after they leave? Within the day 52% 50% Within the week 30% 38% Within the month 10% 15% Within the year or more 0% 4% Copyright 2015 Centrify Corporation. All Rights Reserved. 37

38 LEVELS OF ACCESS To that point, half in the say it would be at least somewhat easy for a former employee to access systems with an old password. One-in-three say this in the. How easy would it be for a former employee in your organization to access systems or data with old passwords or log-in information after they have left the organization? 68% 53% 47% 32% 28% 33% 48% 9% Very/Somewhat easy Very/Somewhat difficult Very/Somewhat easy Very/Somewhat difficult Copyright 2015 Centrify Corporation. All Rights Reserved. 38 Darker colors indicate intensity

39 LEVELS OF ACCESS Among those who say that they allow contractors to have access at least some of the time, the perception of ease for them to access systems skyrockets from 53% to 82% in the, and from 32% to 68% in the. How easy would it be for a former employee in your organization to access systems or data with old passwords or log-in information after they have left the organization? Very/Somewhat Easy 82% Very/Somewhat Easy 68% 53% 32% 50% 28% 9% 23% All Allow Contractors Access All Allow Contractors Access Copyright 2015 Centrify Corporation. All Rights Reserved. 39

40 Company Leadership Decisions on IT Security

41 COMPANY LEADERSHIP DECISIONS One-in-three ITDMs in the, and 42% in the, say that their companies data would be vulnerable if their CEOs did not take their advice. That said, there is little intensity to this opinion. Which of the following best completes this sentence: If my CEO didn t take my advice on security, our company s data would be: 65% 53% 42% 32% 37% 11% 14% 6% Secure Vulnerable Secure Vulnerable Copyright 2015 Centrify Corporation. All Rights Reserved. 41 Darker colors indicate intensity

42 COMPANY LEADERSHIP DECISIONS A significant 28% of ITDMs and 40% of ITDMs believe that IT security gets too little attention from their leadership. Around half of each say it gets the right amount of attention. Do you feel IT security is getting too much or too little attention from your leadership/senior management team? 47% 51% 40% 24% 28% 8% 2% 2% Too much attention Not enough attention Right amount of attention Not sure Copyright 2015 Centrify Corporation. All Rights Reserved. 42

43 COMPANY LEADERSHIP DECISIONS Those who have spent 10 years or more in IT are even more likely to say security measures receive too little attention from their leadership/senior management team. Do you feel IT security is getting too much or too little attention from your leadership/senior management team? Not Enough Attention 40% 42% 35% 28% All 10+ Years in IT Copyright 2015 Centrify Corporation. All Rights Reserved. 43

44 COMPANY LEADERSHIP DECISIONS The leadership of these companies do seem to have a strong understanding of the potential impact of security breaches in the opinions of ITDMs. How well does your leadership/senior management team understand the potential impact of security breaches? 92% 80% 53% 19% 8% 28% 0% 4% Very well/somewhat well Not too well/no clue Very well/somewhat well Not too well/no clue Copyright 2015 Centrify Corporation. All Rights Reserved. 44 Darker colors indicate intensity

45 COMPANY LEADERSHIP DECISIONS Nearly half in the have had to fight their leadership for stricter protocols, and 42% have had security measures they requested denied. These numbers are not as high in the. Have you had to fight or argue with leadership/your senior management team at your organization to have stricter security protocols? And have you ever had leadership/your senior management team deny one of your requests for stricter security protocols? Experienced the following... Had to fight to have stricter security protocols 48% Had request for stricter protocols denied 42% Had to fight to have stricter security protocols 30% Had request for stricter protocols denied 27% Copyright 2015 Centrify Corporation. All Rights Reserved. 45

46 COMPANY LEADERSHIP DECISIONS Around one-in-five ITDMs are more likely to hear about free food in the conference room, office birthdays, or office kitchen etiquette than security protocols. Which of the following do you receive more communication about from your leadership/senior management team than you do about security protocols? SELECT ALL THAT APPLY. Announcements of new policies Financial reports on the state of the company Employees who are leaving or joining 30% 38% 40% 36% 34% 37% Communication recognizing the work of employees 26% 28% Weather-related emergencies 14% 25% Work social outings like happy hours or picnics 17% 24% Free food in the conference room 22% 20% Celebrating holidays or birthdays in the office 18% 22% Office kitchen etiquette Announcements of employee marriages or births None of the above 12% 18% 17% 18% 18% 17% Copyright 2015 Centrify Corporation. All Rights Reserved. 46

47 The Threat of Organization-wide Data Breaches

48 ORGANIZATION-WIDE BREACHES There is a lack of strong confidence in data breach protection. While nearly half of ITDMs are very confident that their existing IT security is protecting all levels of data against a potential breach, just one-in-four ITDMs say they same. How confident are you that your existing IT security is protecting all levels of data against a potential breach? 63% 44% 51% 18-point disparity between and 26% 6% 11% 0% 1% 0% 0% Very confident Somewhat confident Not too confident Not at all confident Don't know Copyright 2015 Centrify Corporation. All Rights Reserved. 48

49 ORGANIZATION-WIDE BREACHES Having their organization hacked by outsiders is the top concern for both and ITDMs. All concerns resonate much more strongly among ITDMs. How concerned are you about each of the following scenarios? % Very concerned / Somewhat concerned Organization is hacked by outsiders 42% 79% Organization is hacked by outsiders 23% 65% Lost or stolen device (other than computer/phone) makes our data vulnerable 38% 71% Inside job and intentional sharing of privileged information 23% 65% Information accidentally published by someone internally 36% 70% Poor security breaches will lead to a breach 23% 65% Inside job and intentional sharing of privileged information 35% 72% Lost or stolen computer makes our data vulnerable 23% 62% Poor security breaches will lead to a breach 34% 72% Information accidentally published by someone internally 19% 62% Lost or stolen computer makes our data vulnerable 33% 73% Lost or stolen device (other than computer/phone) makes our data vulnerable 18% 60% Lost or stolen smartphone makes our data vulnerable 32% 73% Lost or stolen smartphone makes our data vulnerable 16% 55% Ranked by % 10 Darker colors indicate intensity Copyright 2015 Centrify Corporation. All Rights Reserved. 49

50 ORGANIZATION-WIDE BREACHES Slightly more than half of ITDMs and fewer than half of ITDMs believe their organizations have had a security breach in the past. Do you think your organization has ever had a security breach in the past? Yes 45% No 45% 55% 55% Copyright 2015 Centrify Corporation. All Rights Reserved. 50

51 ORGANIZATION-WIDE BREACHES Most believe the data breaches did a non-trivial amount of economic damage. In the, 44% believe the data breach cost their organization thousands or more; 35% say the same in the. If you had to put a dollar figure on it, what do you think that data breach cost the organization? AMONG THOSE WHO HAVE HAD A BREACH Minimal cost 23% Minimal cost 29% Hundreds 33% Hundreds 23% Thousands 30% Thousands 21% Hundreds of thousands 8% Hundreds of thousands 8% Millions 6% Millions 6% Don't know Don't know 13% Copyright 2015 Centrify Corporation. All Rights Reserved. 51

52 ORGANIZATION-WIDE BREACHES Many perceive attempted security breaches to be frequent threats, with 43% in the and 26% in the saying their system likely faced an attempted breach in the last week or more recently. If you had to guess, when was the last time your system faced an attempted security breach? In the last hour or sooner 28% In the last hour or sooner 14% In the last week 15% In the last week 12% In the last month 15% In the last month 17% In the last year 25% In the last year 26% None of the above 19% None of the above 32% Copyright 2015 Centrify Corporation. All Rights Reserved. 52

53 ORGANIZATION-WIDE BREACHES ITDMs are growing even more concerned; half of them say their concern has grown in the past 12 months (23% are much more concerned.) In the, 39% say their concern has increased. How concerned are you about your organization facing security breaches compared to 12 months ago? 56% 39% 49% 31% 23% 13% 12% 5% 7% 4% Much/Somewhat more concerned The same Much/Somewhat less concerned Much/somewhat more concerned The same Much/somewhat less concerned Copyright 2015 Centrify Corporation. All Rights Reserved. 53

54 ORGANIZATION-WIDE BREACHES In the, a plurality believe root access or admin users are the most concerning with regards to a security breach. In the, other privileged access users and contractors/vendors give more concern than root access or admin users. Which users concern you most as vulnerable to a security breach? 41% 35% 28% 26% 22% 18% 11% 14% Root access or admin users Other privileged access users Contractors or vendors Former employees Copyright 2015 Centrify Corporation. All Rights Reserved. 54

55 ORGANIZATION-WIDE BREACHES In the, nearly half are most concerned about mobile devices being vulnerable to a security breach. In the, nearly half believe that on-site data centers are the most vulnerable. Which environment concerns you most as vulnerable to a security breach? 45% 47% 32% 26% 26% 22% 2% 3% A data center on the premises Mobile devices Cloud computing or storage Other Copyright 2015 Centrify Corporation. All Rights Reserved. 55

56 ORGANIZATION-WIDE BREACHES Customer financial information, legal documents and classified information are the types of data perceived to be most damaging if they were to be breached. That said, all of these types of data breaches would be considered damaging to a strong majority of ITDMs. Now please rate each of the following on how DAMAGING it would be if that data were breached. Using a scale of 0 to 10, where 0 is not at all damaging and 10 is extremely damaging. Rank 10 / Rank 8-10 Customer financial information Legal documents 31% 29% 69% 70% Classified information 29% 68% Financial reports 29% 63% Customer information 28% 69% Employee information 27% 68% HR and personnel files 27% 67% Records of sales or transactions Copyrighted material Creative works or intellectual property Medical records 26% 25% 23% 22% 58% 62% 67% 65% Note: There was not much variation on how likely each of these were to be breached. Salary information 20% 57% Ranked by % 10 Darker colors indicate intensity Copyright 2015 Centrify Corporation. All Rights Reserved. 56

57 ORGANIZATION-WIDE BREACHES ITDMs are less likely to rank any of these as particularly damaging; only customer information is ranked as an 8-10 by a majority. Customer information, customer financial information, and classified information are considered the most damaging if breached. Now please rate each of the following on how DAMAGING it would be if that data were breached. Using a scale of 0 to 10, where 0 is not at all damaging and 10 is extremely damaging. Customer information Customer financial information Classified information Legal documents 22% 21% 19% 17% Rank 10 / Rank % 48% 48% 52% Note: There was not much variation on how likely each of these were to be breached. Employee information 17% 41% HR and personnel files Medical records Creative works or intellectual property Records of sales or transactions Financial reports Copyrighted material Salary information 16% 16% 15% 15% 15% 14% 11% 47% 44% 44% 44% 42% 43% 34% Ranked by % 10 Darker colors indicate intensity Copyright 2015 Centrify Corporation. All Rights Reserved. 57

58 ORGANIZATION-WIDE BREACHES In the, the JP Morgan Chase breach and the Target breach were considered most alarming by 18% of ITDMs. In the, 18% mentioned the Sony Pictures breach, followed by EBay at 17%. Which of these recent data breaches do you think was the most alarming? JP Morgan Target Dept of Veteran Affairs Sony Pictures Ebay Home Depot Anthem TJ Maxx Deutsche Bank Moonpig app for Android Don't know Other 4% 4% 4% 8% 9% 9% 10% 14% 18% 18% Sony Pictures Ebay Deutsche Bank JP Morgan Tesco.com Target Morrisons Mumsnet Anthem Moonpig app for Android Home Depot TJ Maxx Don't know Other 1% 1% 1% 2% 2% 6% 11% 11% 13% 14% 17% 18% Copyright 2015 Centrify Corporation. All Rights Reserved. 58

59 ORGANIZATION-WIDE BREACHES When given a hypothetical opportunity to break into someone else s data, many mentioned familiar websites (Amazon, EBay, Facebook), financial entities, and governmental organizations as their preferred targets. That said, most ITDMs were emphatically clear that they would decline such an opportunity. Let s say the tables were turned and you had the chance to break into someone else s data what person, place or organization would you try to break into? Large percentages selected don t know (43%, 55% ) Even among those who gave a response, many said things along the lines of I would NEVER consider breaching another organization and It goes against my principles and professional ethics. For those who played along with the hypothetical scenario, some entities that were mentioned multiple times included: Amazon, Apple, banks, Bill Gates, EBay, Facebook, Google, the government, HSBC, Microsoft, NASA, and the Presidency/White House. Other interesting responses included: Goldman Sachs, Disney, Forbes, Papa John s pizza, and Oreo cookies to get away with over a billion chocolate chip cookies. Copyright 2015 Centrify Corporation. All Rights Reserved. 59

60 ORGANIZATION-WIDE BREACHES Shockingly, 28% of ITDMs and 14% of ITDMs claim they could be persuaded to become a hacker for less than $2,000 / 2,000. Finally, let s say you are 18 again how much money would persuade you to go to the dark side and become a hacker? $2,000 or less 28% 2,000 or less 14% $2,001 to $100,000 8% 2,001 to 100,000 14% $100,001 to $1,000,000 10% 100,001 to 1,000,000 7% $1,000, % 1,000, % Refused 43% Refused 55% Copyright 2015 Centrify Corporation. All Rights Reserved. 60

61 Appendix

62 Contact Information Christopher Lawrence (202) Matt Price (202) Copyright 2015 Centrify Corporation. All Rights Reserved. 62

63 Thank You Copyright 2015 Centrify Corporation. All Rights Reserved. 63