Data Security. Current priorities. and future focus

Transcription

1 Data Security Current priorities and future focus 2016

2 Contents Purpose and Use of this Report 3 About the Methodology 3 SECTION 1: KEY FINDINGS 4 SECTION 2: RESEARCH RESULTS 5 Demographics Current IT security priorities Threats faced Future security focus Barriers Infinigate UK & GFI Software All rights reserved 2

3 Purpose and use of this report Our inaugural survey of Data Security Current Priorities and Future Focus received complete responses from 150 organisations. As the first study, it is also designed to show trends and directions in IT security management and usage as well as providing a benchmark for IT teams and administrators to compare with their own IT function, policies and resources. About the methodology Infinigate and GFI commissioned independent technology market research specialist Vanson Bourne to undertake the research upon which this report is based. 150 IT decision makers with responsibility/involvement in IT security were interviewed in April Respondents were from organisations of between 200-1,000 employees across a range of public and private sectors. Interviews were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates were given the opportunity to participate. Infinigate UK & GFI Software All rights reserved 3

4 Section 1: Key findings Current security priorities 81% of respondents claim that preventing data loss/breaches and increasing cloud security are among their organisation s highest priorities Average IT security spending is 9% of the total IT budget The Data Protection Act (53%) and ISO (52%) are the most common compliance drivers that respondents organisations adhere to, or are concerned about 61% of respondents organisations have a BYOD policy for remote working and access 85% say that their organisation could place more of a priority on IT security TOP THREE 1. 85% of respondents say that their organisation could place more of a priority on IT security Threats faced 58% of respondents' organisations have faced a data loss/breach in the last two years Of these respondents, 37% say it was due to an internal deliberate act, while 49% say it was an external deliberate act Only 13% of respondents say it is extremely likely for their organisation to fight off a DDoS attack within 24 hours 77% agree that cloud is compromising IT security Future security focus and barriers to improvement Both a lack of management buy-in (54%) and lack of internal resources (48%) are the most often cited challenges to IT security 53% say that the current level of IT security staff expertise is sufficient for today, but not for the future 71% of respondents believe that Internet of Things (IoT) enabled devices will represent a significant or major threat to their organisation in the future 2. 58% of respondents say their organisation has suffered a data loss incident in the last two years 3. 53% say that the current level of IT security staff expertise is sufficient for today, but not for the future Infinigate UK & GFI Software All rights reserved 4

5 Demographics Size of organisation Organisation sector Public sector 30 Healthcare 22 Manufacturing Financial services 20 Media and entertainment 17 Retail and consumer products 13 Energy and utilities employees employees Other sectors 15 Figure D1: How many employees work in your organisation in the UK?, asked to all respondents (150) Figure D2: Within which sector is your organisation?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 5

6 Current IT security priorities Insight The top five priority IT security areas for respondents organisations are preventing data loss/breaches (81%), increasing cloud security (81%), protecting mobile security (76%), detecting insider threats (74%) and authentication and identity (71%) Highest priority IT security areas currently Preventing data loss/breaches Increasing cloud security 81% 81% Protecting mobile security 76% In Detail Detecting insider threats Authentication and identity 71% 74% Larger organisations of 501-1,000 employees are more likely to place increasing cloud security as their number one priority (85%) Organisations of employees are more likely to report auditing as a high priority (41%) Tackling cybercrime Auditing 32% 60% Compliance and regulation 25% Figure 1: Which of the above IT security areas are the highest priority for your organisation currently?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 6

7 Current IT security priorities IT security as a percentage of the IT budget This year 8.79% Key finding Year on year, IT security is expected to increase on average by 2.61% as a percentage of respondents organisations overall IT budgets Next year 11.40% Figure 2: Analysis of the average percentage of respondents organisation s annual IT budget that is spent on IT security this year and planned for next year, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 7

8 Current IT security priorities Reviewing IT security defences More frequently than monthly 1% Monthly 26% 6% Quarterly 40% 27% More frequently Bi-annually 19% Remain the same Annually 8% 67% Less frequently Less frequently than annually 0% We never review our IT security defences 2% Figure 3: How often does your organisation review its IT security defences?, asked to all respondents (150) Figure 4: In your opinion, should your organisation change the frequency in which it conducts reviews of its IT security defences?, asked to all respondents (150) Key findings The most common frequency for respondents organisations to review their IT security defences is quarterly (40%) however, on average reviews are undertaken six times per year 67% of respondents believe that IT security should be reviewed even more frequently in their organisation. 27% believe that the frequency should remain the same and only 6% believe it should decrease Infinigate UK & GFI Software All rights reserved 8

9 Current IT security priorities Compliance adherence and concerns Data Protection Act 53% Key findings The Data Protection Act (53%) and ISO (52%) are the most common compliance drivers that respondents organisations adhere to, or are concerned about ISO PSN Cyber Essentials 38% 45% 52% PCI-DSS 21% None of the above 7% Figure 5: Which of the below compliance drivers does your organisation adhere to or is concerned about?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 9

10 Current IT security priorities Insight 61% of respondents organisations allow employees to access internal resources on mobile devices. But only 19% limit this access to secure work devices only. 9% say that access takes place on personal devices with no additional security, a further 3% say that they have no way of knowing Access permissions on mobile devices Yes but only via secure work devices Yes on both work and personal devices, but we enforce additional security requirements on personal devices 19% 61% In Detail Yes on both work and personal devices, with no enforced additional security requirements on personal devices 9% Respondents from smaller organisations ( employees) are more likely to report that access to internal resources is only permitted via secure work devices (25%) No we do not permit access to internal resources on mobile devices No but we have no way of knowing whether employees do so or not 7% 3% Figure 6: Does your organisation allow employees to access internal resources (e.g. documents, , network drives) on mobile devices?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 10

11 Current IT security priorities Current approach to mobile security Endpoint device management 67% Central secure portal 59% Two-factor authentication 53% Security questions 55% Secure communications 49% Two-factor authentication Log-in via password 41% 50% Vulnerability 47% Biometrics 37% Encryption 44% Temporary pass codes 30% Figure 7: How is your organisation looking to tackle mobile security?, asked to all respondents (150) Figure 8: Which of the below types of authentication/security features does your organisation have in place for remote end users to access its applications?, asked to all respondents (150) Key findings When it comes to tackling mobile security, the most common method is endpoint device management for 67% of respondents organisations. 53% say that their organisation uses two-factor authentication Respondents report a range of security features in place for remote end users, with 59% having a central secure portal, 55% using security questions and 50% using two-factor authentication Infinigate UK & GFI Software All rights reserved 11

12 Current IT security priorities Insight Further improvement and prioritisation of IT security 85% of respondents report that their organisation could place more of a priority on IT security. 79% say that improvement could be made to their IT security. It is clear that despite the current approach and investment, that more could be done in this area My organisation could place more of a priority on IT security 85% In Detail Respondents from larger organisations ( employees) are even more likely to agree that more priority could be placed on IT security (89%) and that improvements are needed (87%) My organisation could improve its IT security 79% Figure 9: To what extent do you agree with the above statements concerning IT security in your organisation?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 12

13 Threats faced Impact of high profile data breaches on organisations own IT policies 50% 7% 4% Yes, we undertake a complete 39% review Yes, we undertake a partial review of key risk areas No, it does not impact us I don t know Key findings 89% of respondents organisations undertake a review of their IT security when a high-profile breach is reported in the press, potentially indicating a lack of complete confidence in their current readiness Figure 10: When you see high profile breaches being published in the news/press, does it drive you to review your organisation's own IT security & policies?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 13

14 Threats faced Confidence levels in tackling IT security incidents Data loss/breach 37% Authentication/log-in details stolen 29% Insider theft Mobile security hack 26% 26% Cloud breach 25% Social engineering 21% Cybercrime 16% Figure 11: Analysis of respondents who feel completely confident in their organisation s current ability to successfully tackle the above IT security incidents should they occur, asked to all respondents (150) Key findings When it comes to confidence levels in being able to deal with potential IT security incidents, only the minority (16%-37%) of respondents feel completely confident in their organisation s abilities At most, only 37% feel completely confident that a data loss/breach could be successfully tackled and only 29% feel the same were authentication/log-in details stolen Infinigate UK & GFI Software All rights reserved 14

15 Threats faced Insight IT security threats faced in the last two years 58% of respondents say that their organisation has experienced a data loss/breach in the last two years. 45% say that their organisation has faced a cloud breach and 43% say this of an insider theft Data loss/breach Cloud breach 45% 58% Insider theft 43% In Detail Mobile security hack 37% Respondents from larger organisations ( employees) are even more likely (68%) to have faced a data loss/breach than smaller organisations (48%) Authentication/log-in details stolen - credentials Cybercrime 31% 30% Social engineering 22% None 15% Figure 12: Which of the above security threats has your organisation experienced in the last two years?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 15

16 Threats faced Causes of data loss/breaches Key findings 9% 5% External deliberate actor Of those respondents who say that their organisation has experienced a data loss/breach (fig.12), 49% say it was an external deliberate act however, 37% say the action came from within 37% 49% Internal deliberate actor Physical loss/theft Employee error Figure 13: How did the data loss/breach that your organisation experienced occur?, only asked to respondents whose organisation has suffered a data loss/ breach at figure 12 (87) Infinigate UK & GFI Software All rights reserved 16

17 Threats faced Ability to fend off a DDoS attack within 24 hours 1% 28% 2% 4% 13% Extremely likely Very likely Quite likely Not particularly likely Not at all likely Key findings Only 13% of respondents believe that their organisation would be extremely likely to be able to fend off a DDoS attack within 24 hours I don t know 52% Figure 14: In your opinion, how likely is your organisation able to fend off a distributed denial of service (DDoS) attack within 24 hours?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 17

18 Threats faced Impact of cybercrime on the overall IT security strategy It is the key area 11% Key findings It is an important area It is one of a number of areas 23% 53% 65% of respondents state that cybercrime is the main or an important area impacting on their organisation s IT security strategy It does not really impact it 7% It does not impact upon it at all 2% I don t know 2% We do not have an IT security strategy 1% Figure 15: What impact does cybercrime have on the overall IT security strategy of your organisation?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 18

19 Threats faced Risk of cloud services compromising security levels 9% 14% Key findings Agree Neither agree nor disagree Disagree 77% of respondents agree that the drive to cloud services is compromising the IT security of their organisation 77% Figure 16: To what extent do you agree that the drive to cloud services is compromising your organisation s level of security?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 19

20 Threats faced Insight Over the next 12 months, mobility (87%) is the area in which most respondents feel more focused is needed, although at least 77% of respondents believe that more focus is needed across a range of areas in this timeframe Areas of greater focus within the next 12 months Mobility Core infrastructure 79% 87% In Detail Cloud services 78% Respondents from organisations of 501-1,000 employees are also more likely to report that core infrastructure (87%) and cloud services (83%) are areas in which more focus is needed in the next 12 months End point devices (e.g. PCs, laptops etc.) Boundary (e.g. , web, managed file transfer) 77% 77% Servers 77% Figure 17: Analysis of the percentage of respondents who say that more focus is needed within the next 12 months in the above IT security areas, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 20

21 Future security focus Adequacy of IT security strategies to respond to evolving future threats 11% 2% 3% 17% It s completely adequate It s mostly adequate It s partially adequate there are significant gaps It s not at all adequate 67% I don t know Figure 18: Do you feel that your current IT security strategy is adequate to respond to evolving future threats?, asked to all respondents (150) Key findings Just 17% of respondents believe that their organisation s current IT security strategy is completely adequate to respond to evolving future threats for many, gaps remain Respondents from smaller organisations ( employees) are more likely to say that their IT security strategy is completely adequate (23%) than those from organisations of 500-1,000 employees (12%) Infinigate UK & GFI Software All rights reserved 21

22 Future security focus Insight Highest priority IT security areas over the next two years Over the next two years, compared to currently, preventing data loss/breaches will become a high priority for more respondents (87% compared to 81%). Detecting insider threats will also increase slightly from 74% of respondents to 76% Preventing data loss/breaches Increasing cloud security Detecting insider threats 81% 87% 81% 81% 74% 76% Protecting mobile security Authentication and identity Tackling cybercrime 76% 76% 71% 65% 60% 60% Highest priorities (currently) Highest priorities (next two years) Auditing Compliance and regulation 32% 33% 25% 22% Figure 19: Analysis of current versus future IT security highest priority areas, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 22

23 Future security focus Budget plans for highest IT security priority areas over the coming year Preventing data loss/breaches 60% 34% 2% 5% Increasing cloud security 55% 36% 6% 3% Key findings Detecting insider threats 44% 44% 9% 4% In line with it being the highest priority at fig 19, preventing data loss/breaches (60%) is also the area where most respondents believe that budget will increase over the coming year Tackling cybercrime Authentication and identity Protecting mobile security 41% 41% 35% 49% 51% 54% 7% 3% 3% 5% 5% 6% Increasing cloud security is also another area where the majority of respondents organisations are likely to increase budget Compliance and regulation Auditing 33% 33% 48% 41% 12% 6% 16% 10% Increase Remain the same Decrease I don t know Figure 20: Of the top five IT security areas identified, how do you envisage the proportion of budget allocated to each changing in the next year?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 23

24 Future security focus Potential threats faced as a result of major IT trends Internet of Things (IoT) enabled devices 71% Identity and access management 65% Cloud services Digital customer experience (optimised, cross-channel interaction mobile, web, social media etc.) Bring-your-own-device (BYOD) Shadow IT Analytics Privileged access management Big Data 60% 59% 59% 55% 54% 54% 50% Figure 21: Analysis of respondents who say that the above IT trends will represent a major or significant security threat, asked to all respondents (150) Key findings When considering wider IT trends that may impact upon their organisation, 71% of respondents believe that IoT represents the biggest potential threat to IT security. 50% of respondents see all of these areas as a threat Infinigate UK & GFI Software All rights reserved 24

25 Barriers Insight Challenges to improving IT security 93% of respondents organisations face challenges to improving their IT security. The most likely are a lack of senior management buy-in (54%) and limited internal skills or resources (48%). For 29%, there is a lack of suitable solutions available Lack of senior management buy-in Limited internal skills or resources to dedicate to it 48% 54% In Detail Budget limitations Insider threats employees exposing organisation to risk 41% 43% Larger organisations (500-1,000 employees) are most likely to face a lack of senior management buy-in, with organisations of employees more likely to be held back by limited internal skills and resources Competitive landscape moving too quickly Lack of a suitable solution 29% 35% Limited real-time data/insight 23% There are no challenges to improving our IT security 7% Figure 22: What are the main challenges faced by your organisation with regards to improving its IT security?, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 25

26 Barriers Insight Business impacts of challenges to improving IT security 97% of respondents whose organisation faces challenges improving IT security say that there are wider business impacts as a result. 56% report financial burden and 52% report reduced customer satisfaction. 41% say that it limits keeping up with competition and 39% say that it even damages their organisation s reputation Additional financial burden Reduced customer satisfaction Lower employee morale Failure to keep up with competitors 42% 41% 52% 56% Damage to organisation reputation 39% In Detail Lost market share 24% Respondents from organisations of employees are more likely to report additional financial burden (64%) or reduced customer satisfaction (63%) Limiting capacity to develop new products/services There is no business impact 3% 14% Figure 23: What are the business impacts of the barriers to improving your organisation s IT security?, only asked to respondents who say that their organisation faces challenges at figure 22 (139) Infinigate UK & GFI Software All rights reserved 26

27 Barriers Adequacy of current IT security staff expertise Insight 59% of respondents say that the current IT security staff expertise in their organisation is not adequate for the future. Only 51% of respondents believe that current skills levels are excellent for preventing data loss/breaches. While only 33% say this of increasing cloud security This skills gap is a major hurdle for many organisations to improving their security and capabilities to react to threats It is adequate both currently and for the future It is adequate currently but not for the future It is not adequate currently nor for the future I don t know 5% 4% Figure 24: In your opinion, is the current level of IT security staff expertise in your organisation adequate for today and the future shape of your business?, asked to all respondents (150) Level of IT security staff expertise Preventing data loss/breaches Authentication and identity Auditing Increasing cloud security Protecting mobile security Compliance and regulation Tackling cybercrime Detecting insider threats 36% 33% 31% 30% 27% 23% 37% 41% 51% 53% Figure 25: Analysis of respondents who say that their organisation s current staff have excellent knowledge and expertise, asked to all respondents (150) Infinigate UK & GFI Software All rights reserved 27

28 About Infinigate UK Infinigate was founded in 1996 as the first Distributor of internet technology solutions in Europe. Since 2002 Infinigate s sole focus has been on the distribution of sustainable IT security solutions to protect and defend IT networks, data and applications. As a true Value Added Distributor, Infinigate concentrates on and supports innovative, best of breed security solutions that require a level of expertise and knowledge. Infinigate offers a complete service to its partners and vendors to complement its product portfolio with dedicated technical, marketing, sales and professional services. Following acquisitions in Scandinavia and the UK, the Infinigate Group today has operations in 8 European countries including Germany, France, Switzerland, Austria, Sweden, Norway, Denmark and the United Kingdom. It covers 70% of the Western European IT Market establishing itself as a leading European Value Added Distributor for IT Security. Commercial in Confidence This document and its contents, including all concepts implicit or inferred remain the intellectual property of Infinigate UK Ltd, at all times. Therefore, in accordance with all accepted and recognised International Conventions concerning Copyright on intellectual property, this document and its contents, including all concepts implicit or inferred are deemed to be under Copyright. Conveyance in whole or in part, to any other party, by any means including photocopying or word of mouth, without the expressed written permission of Infinigate UK Ltd, will be deemed to be a breach of Copyright. In such an event, Infinigate UK Ltd reserves the right to commence the appropriate legal proceedings without further notice. For further information, please contact Infinigate UK on (0) info@infinigate.co.uk Disclaimer Infinigate UK & GFI Software. All other names are for information only and m a y be trademarks of their respective owners. All rights reserved. E&OE 28

29 About GFI Software GFI Software develops easier, smarter and affordable enterprise-class IT solutions for businesses. Our solutions enable IT administrators to easily and efficiently discover, manage and secure their business networks, systems, applications and communications wherever they exist. GFI is committed to its customers worldwide to deliver the trusted expertise, right-sized and smartly engineered IT solutions with a strong focus on security excellence. GFI is a channel-focused company with a network of thousands of partners worldwide. The company has received numerous awards and industry accolades, and is a longtime Microsoft Gold ISV Partner. Commercial in Confidence This document and its contents, including all concepts implicit or inferred remain the intellectual property of Infinigate UK Ltd, at all times. Therefore, in accordance with all accepted and recognised International Conventions concerning Copyright on intellectual property, this document and its contents, including all concepts implicit or inferred are deemed to be under Copyright. Conveyance in whole or in part, to any other party, by any means including photocopying or word of mouth, without the expressed written permission of Infinigate UK Ltd, will be deemed to be a breach of Copyright. In such an event, Infinigate UK Ltd reserves the right to commence the appropriate legal proceedings without further notice. For further information, please contact Infinigate UK on (0) Disclaimer sales@gfi.co.uk Infinigate UK & GFI Software. All other names are for information only and m a y be trademarks of their respective owners. All rights reserved. E&OE 2 9