For: Security & Risk Professionals

Endpoint Security Trends, Q To Q
by Chris Sherman, November 7, 2013

KEY TAKEAWAYS

Organizations Spend 9% Of Their IT Budget On Endpoint Security
SMBs and enterprises both spend around 9% of their overall IT budget on endpoint security. However, those industries with a higher percentage of mobile workers are more likely to increase spending over the next 12 months.

Advanced Controls Are Hot Within SMBs And Enterprises
Technologies such as full disk encryption, data loss protection, and host-based intrusion detection are all seeing increased adoption in many organizations. Proactive security controls such as white listing and patch management are also enjoying increased adoption as traditional methods of antivirus protection fail.

Enterprises Take The Lead With Adoption Of Endpoint Security Software-As-A-Service
Although endpoint security software-as-a-service is traditionally seen as a delivery method preferred by SMBs, enterprises now take a solid lead in its adoption. Security software-as-a-service reduces much of the operational overhead and offers the possibility of completely outsourcing the task of managing the security and operations of user endpoints.

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA USA
NOVEMBER 7, 2013

Endpoint Security Trends, Q To Q
New Disruptors For Endpoint Security Through 2014
by Chris Sherman with Stephanie Balaouras and Dominique Thomas

WHY READ THIS REPORT

Every year, Forrester conducts a number of global surveys of IT security decision-makers and information workers from a wide range of organization industries and sizes. In this report, we present the relevant endpoint security data from our most recent surveys, with special attention given to those trends affecting small and medium-size businesses (SMBs) and enterprises, along with analysis that explains the data in the context of the overall security landscape. As organizations prepare for the 2014 budget cycle, security professionals should use this report to help benchmark their organization's spending patterns against their peers while keeping an eye on current trends affecting endpoint security in order to strategize their endpoint security adoption decisions.

Table Of Contents

Despite Data Security Concerns, Endpoint Security Spending Is Flat
    Endpoint Security Remains Just One-Tenth Of The Overall Security Budget
S&R Pros Prefer To Source Endpoint Security From A Single Vendor
S&R Pros Will Focus Their Investments On Advanced Controls
    Proactive Security Controls Will Continue To Gain Traction Through 2014
Endpoint Security Software-As-A-Service Adoption Skyrockets
    Enterprises Take The Lead In The Adoption Of Endpoint Security Software-As-A-Service
WHAT IT MEANS
    Security Pros Must Look For Ways To Spend Smarter, Not More

Notes & Resources

Forrester interviewed three enterprises currently making significant endpoint security investments. Each asked to remain anonymous. We also drew from a wealth of analyst insight gathered via client inquiries, briefings, and consulting engagements.

Related Research Documents

Market Overview: Endpoint Encryption Technologies, Q
January 16, 2013

The Forrester Wave: Endpoint Security, Q
January 4, 2013

Application Control: An Essential Endpoint Security Component
September 7,

Supplemental Material

© 2013, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies.

DESPITE DATA SECURITY CONCERNS, ENDPOINT SECURITY SPENDING IS FLAT

Today's cybercriminals often target employee endpoints, such as desktops, laptops, tablets, and mobile devices, and use them as a way into the corporate infrastructure. They use social engineering, spear phishing, and other means to trick unsuspecting employees into downloading seemingly innocuous files that contain malware or redirect them to malicious websites, ultimately giving the attacker access to some of your organization's most sensitive data. According to our Forrsights Devices And Security Workforce Survey, Q2 2012, 51% of employees have access to sensitive customer data and 23% have access to nonpublic financial information, whether they need that access or not (see Figure 1).

Year after year, protecting data is a top priority for security decision-makers and influencers. [1] Employee endpoints are frequent targets of cybercriminals, and gaining control of the endpoint provides easy access to some of the organization's most sensitive data assets. Forrester believes that any comprehensive data security strategy must include both reducing the endpoint threat surface and limiting exposure to data loss involving these endpoints.

Figure 1 Employees (And Their Endpoints) Have Access To A Multitude Of Data Types

"What types of information do you have access to at work, regardless of whether you need to use it for your job or not?"

Customer data (e.g., names, contact information, credit card data): 51%
Contracts, invoices, customer orders: 41%
Customer service data, account numbers: 40%
Intellectual property belonging to the company (blueprints, designs, formulas, recipes): 30%
Employee data (e.g., HR data, payroll data): 27%
Nonpublic corporate financial information relating to the company: 23%
Nonpublic corp marketing/strategy plans relating to the company: 19%
None of the above: 20%

Base: 4,262 North American and European IT security decision-makers
Source: Forrsights Devices And Security Workforce Survey, Q
Source: Forrester Research, Inc.

Endpoint Security Remains Just One-Tenth Of The Overall Security Budget

The latest Forrsights security survey found that budget for endpoint security has remained flat from 2010 to 2013: approximately 9% to 11% of the total IT security budget (see Figure 2). The same survey found that certain industries, such as the public sector, healthcare, retail, and wholesale, are less likely to increase endpoint security spending in 2014, compared with business services, utilities, and media/entertainment/leisure industries. [2] While the former include some highly regulated industries, the latter have a higher percentage of mobile workers. According to our survey, 41% of workers in business services and 28% of workers in utilities work while traveling at least a few times per month. [3] The more mobile the workforce, the more important it is for S&R pros to protect sensitive data from theft or loss or when employees connect to public Wi-Fi networks and other access points.

Figure 2 Endpoint Security Spending Remains Stable Year-Over-Year

"What percentage of your firm's IT security budget will go to the following technology areas?" (Client threat management)

[Chart: Enterprise and SMB series by year surveyed; the values shown range from 9% to 11%.]

Base: 663 SMB and 549 enterprise NA/EMEA IT security decision-makers
*Base: 606 SMB and 746 enterprise NA/EMEA IT security decision-makers
Base: 728 SMB and 669 enterprise NA/EMEA IT security decision-makers
Base: 682 SMB and 735 enterprise NA/EMEA IT security decision-makers
Source: Forrsights Security Survey, Q
*Source: Forrsights Security Survey, Q
Source: Forrsights Security Survey, Q
Source: Forrsights Security Survey, Q
Source: Forrester Research, Inc.

S&R PROS PREFER TO SOURCE ENDPOINT SECURITY FROM A SINGLE VENDOR

While overall endpoint security spending has remained relatively consistent, many S&R pros have stretched their budget by investing in security products that integrate multiple technologies (organized into product suites offered by a single vendor). In fact, 60% of enterprises and 61% of SMBs prefer to source their endpoint security technologies through a single vendor (see Figure 3). Investing in product suites allows S&R pros to take advantage of suite discounting while acquiring a broader set of security technologies. [4] Ancillary benefits include less time spent training security staff on multiple interfaces while giving security pros integrated management and reporting for a better overall security posture. Forrester often speaks with client organizations in the midst of vendor selection projects that ultimately choose product suites over point products for these very reasons.

Figure 3 S&R Orgs Prefer Single-Vendor Suites Over Multiple Point Products For Endpoint Security

"Endpoint (desktop/laptop) security: How does your firm prefer to source each of the following types of security technologies or managed/SaaS services?"

Single vendor portfolio/ecosystem (prefer only one vendor): 60% enterprise, 61% SMB
Best-of-breed solution (prefer multiple vendors): 38% enterprise, 33% SMB

Base: 1,863 North American and European IT security decision-makers
Source: Forrsights Security Survey, Q
Source: Forrester Research, Inc.

S&R PROS WILL FOCUS THEIR INVESTMENTS ON ADVANCED CONTROLS

Although antivirus (AV) has become nearly ubiquitous, it is no longer sufficient. [5] To protect against evolving threats, S&R pros are adopting controls that are more advanced (see Figure 4 and see Figure 5).
While some technologies, such as host firewall and patch management, have found widespread deployment in enterprises and SMBs, others are less adopted but increasing in popularity due to a number of business technology trends. [6] Specifically, Forrester sees that:

- Endpoint DLP continues to gain footing as mobility increases. S&R pros concerned with internal threats turn to DLP to protect their data. However, as corporate data increasingly resides on endpoints outside the network, technologies such as endpoint DLP, which can ensure that protection travels with the data, become more appealing.

- Host intrusion prevention system (HIPS) picks up where network security leaves off. As the mobility trend increases, continuous protection from network-based security technologies is not always feasible. HIPS moves past traditional AV signature-based detection and uses more-advanced systems analyses to detect and stop attacks as they occur, wherever they may occur. [7]

- Full disk encryption protects against device loss and compliance failures. To protect data and achieve compliance, S&R pros are increasingly turning to full disk encryption. Full disk encryption is by far the easiest to implement and presents little impact on the user experience when compared with file-level encryption. [8] Therefore, full disk encryption is often a popular choice among organizations with tough data protection requirements.

- Self-encrypting drives offer superior security and performance over software-based solutions. Compared with software-based full disk encryption solutions, self-encrypting drives enjoy higher adoption in the enterprise due to their superior security stance and lower impact on endpoint performance. [9]

- File-level encryption is especially popular in shared environments. For those files residing on the endpoint requiring an extra layer of security, file-level encryption offers a reliable way to prevent unauthorized users from accessing this information. This is especially critical in hospitals, retail locations, and schools or universities where endpoints can have multiple users.

Figure 4 Enterprise 2014 Projected Spending Versus Current Deployed Base

"What are your firm's plans to adopt the following client security (desktop/laptop) and data security technologies?"

[Chart axes: "Planning to implement in the next 12 months" and "Already implemented". Technologies plotted: application white listing, desktop DLP, full disk encryption (software-based), device kill, URL filtering, file-level encryption, HIPS, device/port control, full disk encryption (self-encrypting drive), personal firewall, patch management, antivirus.]

Base: 379 client security decision-makers at enterprises with 1,000 or more employees
Source: Forrsights Security Survey, Q
Source: Forrester Research, Inc.

Figure 5 SMB 2014 Projected Spending Versus Current Deployed Base

"What are your firm's plans to adopt the following client security (desktop/laptop) and data security technologies?"

[Chart axes: "Planning to implement in the next 12 months" and "Already implemented". Technologies plotted: application white listing, DLP, HIPS, device kill, file-level encryption, URL filtering, device/port control, full disk encryption (software-based), full disk encryption (self-encrypting drive), patch management, personal firewall, antivirus.]

Base: 313 client security decision-makers at SMBs with 20 to 999 employees
Source: Forrsights Security Survey, Q
Source: Forrester Research, Inc.

Proactive Security Controls Will Continue To Gain Traction Through 2014

Traditionally, S&R pros have relied on signature-based antimalware as the focal point to their endpoint protection strategy, but third-party research has shown this approach is far from perfect when protecting against zero-day malware. [10] Proactive security tools, such as application white listing and patch management technologies, help reduce the threat surface of the endpoint environment to a more manageable level without relying on signatures. Proactive controls certainly come with some management overhead, but they can offer superior protection when compared with blacklist-based techniques. [11] Case in point: A large media company with extensive software R&D demands recently told Forrester: "Antimalware (signature-based) is a dead technology. We plan to phase this out in favor of application white listing and vulnerability management techniques over the next year."

Data shows that organizations see the value in such techniques at preventing malware from taking hold on the endpoint. Although 23% of enterprises and 21% of SMBs plan to implement application
white listing in the next 12 months and beyond, only 11% of both enterprises and SMBs plan to adopt antimalware. Patch management technologies are almost equally hot today, with 17% of SMBs and 20% of enterprises planning to adopt in the next 12 months and beyond.

ENDPOINT SECURITY SOFTWARE-AS-A-SERVICE ADOPTION SKYROCKETS

Forrester defines endpoint security software-as-a-service (SaaS) as endpoint security services or functions hosted by a third party, billed on a pay-per-use model, and delivered via a multitenant architecture. Drivers for SaaS delivery of endpoint security technologies include scalability, lower operational overhead, and the need for a thinner client footprint. Security technologies such as host firewalls and AV software are prime candidates for security SaaS delivery given their popularity and dependence on external update services. Going forward, security pros can expect endpoint security SaaS suites with more comprehensive functionality, including file reputation feeds, application control and management, and patch management.

Enterprises Take The Lead In The Adoption Of Endpoint Security Software-As-A-Service

According to our Forrsights Security Survey, Q2 2013, 46% of all organizations either have deployed or are planning to upgrade their existing endpoint security SaaS implementation (see Figure 6). Another 10% of organizations plan to adopt endpoint security SaaS for the first time in We see some interesting trends when we compare SMBs versus enterprise adoption:

- SMBs have a healthy adoption of endpoint security SaaS . . . In the past, SMBs have led the way when it comes to cloud service adoption. Endpoint security SaaS delivery takes away much of the operational overhead and offers the welcome possibility of completely outsourcing the cumbersome task of managing the security and operations of user endpoints.
For smaller organizations with limited staff and expertise in managing complex security tools, it's often thought that SMBs are poised to benefit the greatest from the practice of outsourcing these tasks to cloud service providers.

- . . . but enterprises are far outpacing their adoption. However, Forrester now sees enterprise adoption of endpoint security SaaS (51%) surpassing that of SMBs (41%). Furthermore, 17% of enterprises plan to upgrade their current endpoint security SaaS implementations compared with 9% within SMBs. Both enterprises and SMBs appreciate the benefits brought on by the cloud delivery of these services, but enterprises' security teams often have additional responsibilities beyond traditional IT security, and they must deal with more threats and frequent attacks, so adopting endpoint security SaaS is a good way to free up internal resources to focus on more critical tasks.

Figure 6 Endpoint Security Software-As-A-Service Heats Up Within Enterprises And SMBs

"What are your firm's plans to adopt the following as-a-service security offerings/approaches?" (Endpoint security)

[Chart: "Already implemented and/or expanding", SMB and Enterprise series by year surveyed.]

Base: 950 SMB and 1,009 enterprise NA/EMEA IT security decision-makers
*Base: 1,009 SMB and 1,049 enterprise NA/EMEA IT security decision-makers
Base: 856 SMB and 1,267 enterprise NA/EMEA IT security decision-makers
Base: 1,030 SMB and 1,124 enterprise NA/EMEA IT security decision-makers
Base: 313 SMB and 379 enterprise NA/EMEA IT security decision-makers
Source: Forrsights Security Survey, Q
*Source: Forrsights Security Survey, Q
Source: Forrsights Security Survey, Q
Source: Forrsights Security Survey, Q
Source: Forrsights Security Survey, Q
Source: Forrester Research, Inc.

WHAT IT MEANS

SECURITY PROS MUST LOOK FOR WAYS TO SPEND SMARTER, NOT MORE

With the explosion of endpoint form factors as a visible attack vector to your network, S&R pros at organizations, regardless of size, must take a renewed interest in endpoint security. Considering that your budget for endpoint security will likely remain the same during the next 12 months, S&R pros must look for ways to maximize their current and planned investments. This means:

- Invest in proactive security controls rather than (more) reactive technologies. Threat protection is a critical component to any organization's endpoint security strategy. Rather than adopting new or expanding currently implemented signature-based measures (think antivirus and antimalware), consider more proactive techniques such as application white listing combined with targeted patch management.

- Choose an endpoint encryption solution based on user experience and flexibility. Avoid point products that don't provide good integration with enterprise identity management and endpoint management in general. Consider native OS options when appropriate. For an endpoint encryption implementation to be successful, it must be secure by default and provide a transparent user experience.

- Keep an eye toward future endpoint security delivery methods. As endpoints become increasingly mobile and the infrastructure needed to protect them more complex, endpoint security SaaS will become more attractive to SMBs and enterprises alike. Move more of your core endpoint security controls into the cloud as opportunity and technology maturity allow.

SUPPLEMENTAL MATERIAL

Methodology

Forrester's Forrsights Security Survey, Q2 2013, was fielded to 2,134 IT executives and technology decision-makers located in Canada, France, Germany, the UK, and the US from SMB and enterprise companies with two or more employees. This survey is part of Forrester's Forrsights for Business Technology and was fielded from March 2013 to June ResearchNow fielded this survey online on behalf of Forrester. Survey respondent incentives include points redeemable for gift certificates. We have provided exact sample sizes in this report on a question-by-question basis.

Each calendar year, Forrester's Forrsights for Business Technology fields business-to-business technology studies in more than 17 countries spanning North America, Latin America, Europe, and developed and emerging Asia. For quality control, we carefully screen respondents according to job title and function. Forrester's Forrsights for Business Technology ensures that the final survey population contains only those with significant involvement in the planning, funding, and purchasing of IT products and services.
Additionally, we set quotas for company size (number of employees) and industry as a means of controlling the data distribution and establishing alignment with IT spend calculated by Forrester analysts. Forrsights uses only superior data sources and advanced data-cleaning techniques to ensure the highest data quality.

Companies Interviewed For This Report

Three end user organizations that asked to remain anonymous.

ENDNOTES

[1] For more information on what constitutes sensitive data and the value in protecting such data, see the April 5, 2013, "Strategy Deep Dive: Define Your Data" report.

[2] According to Forrsights Security Survey, Q2 2013, certain industries anticipate higher endpoint security spending in the following year (2014) based on responses to our question, "How do you expect your firm's security spending in the following technology areas will change from 2013 to 2014?" Results show that 39% of organizations in the media, entertainment, and leisure industries, 31% of those in utilities and communications, and 28% of those in business services plan to spend 5% or more on client threat management in This contrasts with 19% in the public sector/healthcare and 23% in retail and wholesale. Source: Forrsights Security Survey, Q

[3] According to the Forrsights Workforce Employee Survey, Q2 2012, there are significant industry differences in the percentage of employees who report working outside of the office in a given month. For instance, 41% of those in business services and 28% in utilities work while traveling at least a few times per month. This contrasts with 25% in retail and 23% in the healthcare industries. These same highly mobile industries also anticipate higher endpoint security spending in 2014, according to the Forrsights Security Survey, Q

[4] For more information on the benefits of investing in an endpoint security product suite, as well as an evaluation of existing solutions, see the January 4, 2013, "The Forrester Wave: Endpoint Security, Q" report.

[5] Antivirus is software that is used to prevent, detect, and remove malware from the endpoint. Malware can be any form of computer virus, spyware, worm, Trojan horse, or any executable that causes harm to the endpoint or connected network.
AV-Test and AV-Comparatives.org both report low detection rates (between 65% and 98%, depending on tools used) when using antimalware engines to detect previously unknown malware resident on Windows machines. Visit the following for more information. Source: "Microsoft: Security Essentials," AV-Test, May-June 2013 (http://www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1%5breport_no%5d=132335) and "Retrospective/Proactive test," AV-Comparatives.org, August 2013 (http://www.av-comparatives.org/wp-content/uploads/2013/08/avc_beh_201303_en.pdf).

[6] Host firewall is software installed on the endpoint that is designed to permit or deny network transmissions based on a set of rules defined by the system administrator, the intended outcome being to let good traffic pass while blocking malicious traffic. Patch management is a centrally managed software agent that continually checks for the existence of the latest patches for all software installed on the endpoint. When critical patches are released, the agent verifies that these are installed in a timely fashion.

[7] HIPS is a centrally managed software tool installed on the endpoint that uses various methods to detect, prevent, and log malicious activity. Methods used might include code analysis, network traffic analysis, file system analysis, log analysis, and network configuration monitoring.

[8] For more information on the pros and cons of different types of full disk encryption technologies, see the January 16, 2013, "Market Overview: Endpoint Encryption Technologies, Q" report.

[9] Self-encrypting hard drives, such as Opal-compliant self-encrypting drives (SEDs) and Windows 8 Encrypted Hard Drive, leverage hardware capabilities built into the disk drive itself to perform encryption and decryption. In each case, the disk drive itself performs crypto instructions. This frees the CPU for other parallel tasks without impacting endpoint performance. Self-encrypting drives operate independently of the operating system, which means even an OS compromise may not necessarily lead to the compromise of encrypted data. In comparison, software-based solutions often leverage the endpoint's CPU for encryption/decryption functions, which may negatively impact overall performance.

[10] AV-Test and AV-Comparatives.org both report low detection rates (between 65% and 98%, depending on tools used) when using antimalware engines to detect previously unknown malware resident on Windows machines. Visit the following for more information. Source: "Microsoft: Security Essentials," AV-Test, May-June 2013 (http://www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1%5breport_no%5d=132335) and "Retrospective/Proactive test," AV-Comparatives.org, August 2013 (http://www.av-comparatives.org/wp-content/uploads/2013/08/avc_beh_201303_en.pdf).

[11] For more information on the pros and cons of leveraging proactive security technologies such as application control and patch management when combating malware on the endpoint, see the September 7, 2012, "Application Control: An Essential Endpoint Security Component" report.