Privileged User Abuse & The Insider Threat
|
|
- Clifton Warren
- 8 years ago
- Views:
Transcription
1 Privileged User Abuse & The Insider Threat Commissioned by Raytheon Company Independently conducted by Ponemon Institute LLC Publication Date: May 2014
2 1 Privileged User Abuse & The Insider Threat Ponemon Institute, May 2014 Part 1. Introduction Ponemon Institute is pleased to present the findings of Privileged User Abuse & The Insider Threat, commissioned by Raytheon Company. Ponemon Institute first studied this issue in Since then well-publicized disclosures of highly sensitive information by wiki leaks and former NSA employee Edward Snowden have heightened both awareness and concern about the insider threat caused by privileged users. In fact, 88 percent of participants in this research believe the risk of privileged user abuse will increase or stay the same in the next 12 to 24 months. This finding is virtually unchanged since 2011 when we conducted the first study on the insecurity of privileged users. For purposes of this research, privileged users include database administrators, network engineers, IT security practitioners and cloud custodians. According to the findings of this study, these individuals often use their rights inappropriately and put their organizations sensitive information at risk. For example, the majority of respondents say privileged users feel empowered to access all the information they can view and although not necessary will look at an organization s most confidential information out of curiosity. To ensure that the 693 respondents we surveyed have an in-depth knowledge of how their organizations are managing privileged users, we asked them to indicate their level of access to their organizations IT networks, enterprise systems, applications and information assets. If they had only limited end user access rights to IT resources, they were not included in the final sample of respondents. According to 75 percent of respondents, privileged access rights are required to complete their current job assignment. Of the 25 percent who say they do not need privilege access to do their job but have it anyway cited two primary reasons. First, everyone at their level has privileged access rights for no apparent reason (38 percent of respondents). Second, the organization failed to revoke these rights when they changed their role and no longer needed access privileges (36 percent of respondents). Key takeaways from this research: Despite the risks posed by insiders, 49 percent of respondents do not have policies for assigning privileged user access. However, slightly more organizations do use well-defined policies that are centrally controlled by corporate IT (35 percent in 2014 vs. 31 percent in 2011). There was a slight decrease in an ad-hoc approach to assigning privileged user access. While the establishment of privileged user access policies is lacking, processes are improving. The findings show a significant increase in the use of commercial off-the-shelf automated solutions from 35 percent of respondents in 2011 to 57 percent in 2014 in granting user access privilege. The use of manual processes such as by phone or also increased from 22 percent of respondents in 2011 to 40 percent of respondents in Business unit managers are gaining influence in granting privileged user access and conducting privileged user role certification. Fifty-one percent of respondents say it is the business unit manager who most often handles granting access. This is an increase from 43 percent in Is it really an insider threat? Companies often have difficulty in actually knowing if an action taken by an insider is truly a threat. The biggest challenges are having enough contextual information provided by security tools (69 percent of respondents) and security tools yield too many false positives (56 percent of respondents). 1
3 2 Part 2. Key Findings Following is an analysis of the key findings. To understand trends in organizations ability to manage privileged user access, we have included questions from the research conducted in Whenever possible we compare the findings from the 2011 study to this year s research. We have organized the findings according to the following topics: Current practices in assigning privilege user access The detection of insider privilege abuse Solutions for mitigating the risk Budgets and investment in reducing the risk of insider threats Current practices in assigning privilege user access Policies for assigning privilege user access to IT resources are often ad hoc. Despite concerns about insider threats caused by privileged users, almost half (49 percent) describe their organization s policies to assigning privileged user access as ad hoc, as shown in Figure 1. However, there is a slight increase from 2011 in the use of well-defined policies that are centrally controlled by corporate IT (35 percent in 2014 vs. 31 percent in 2011). Figure 1. The process for assigning privileged user access to IT resources An ad hoc process 49% 51% Determined by well-defined policies that are centrally controlled by corporate IT 31% 35% Determined by well-defined policies that are controlled by business or application owners 15% 16% Unsure 1% 2% 0% 10% 20% 30% 40% 50% 60% 2
4 3 While the establishment of policies lags, processes for privileged user access are improving. There is a significant increase in the use of commercial off-the-shelf automated solutions from 35 percent of respondents in 2011 to 57 percent in 2014, according to Figure 2. The use of manual processes such as by phone or also increased from 22 percent of respondents in 2011 to 40 percent of respondents in The third most widely used process is the IT help desk, which increased from 20 percent to 36 percent. Figure 2. Processes used for granting privileged user access to IT resources Two choices permitted Commercial off-the-shelf automated solutions Manual process IT Help Desk Homegrown access request systems Unsure Other 0% 1% 5% 6% 22% 20% 17% 16% 35% 36% 40% 57% 0% 10% 20% 30% 40% 50% 60% More organizations are using manual processes such as and spreadsheets to review and certify privileged user access. As revealed in Figure 3, this has increased from 23 percent to 46 percent and use of commercial off-the-shelf access certification system increased from 31 percent to 44 percent. Figure 3. Processes used to review and certify privileged user access Two choices permitted Manual process Commercial off-the-shelf access certification system Homegrown access certification system Unsure IT Help Desk Other 3% 10% 8% 7% 9% 17% 18% 16% 23% 31% 46% 44% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 3
5 4 Business unit managers are gaining influence in granting privileged user access and conducting privileged user role certification. As shown in Figure 4, 51 percent of respondents say it is the business unit manager who most often handles granting access. This is an increase from 43 percent in Thirty-five percent of respondents say application owners are responsible and this is a decrease from 38 percent in Only 10 percent say it is the information security department that is responsible for granting access rights. Figure 4. Most responsible for granting privileged-user access to information resources Two choices permitted Business unit managers Information technology operations Application owners Human resource department Compliance department Information security department Unsure 10% 11% 7% 6% 21% 25% 17% 16% 43% 40% 40% 35% 38% 51% 0% 10% 20% 30% 40% 50% 60% Figure 5 reveals that 36 percent of respondents say business unit managers are most responsible for conducting privileged user role certification and this is an increase from 32 percent in Twenty-four percent of respondents say their IT security department handles role certification. Figure 5. Most responsible for conducting privileged user role certification Business units IT security Compliance Data center management Audit Quality assurance Other 9% 7% 5% 5% 4% 2% 3% 11% 15% 24% 23% 24% 32% 36% 0% 5% 10% 15% 20% 25% 30% 35% 40% 4
6 5 Critical success factors for governing, managing and controlling privileged user access across the enterprise is consistent from the previous study. Budget continues to be critical as well as identity and access management technologies, SIEM and network intelligence technologies and senior level executive support, as shown in Figure 6. Not considered as critical is the existence of clearly defined privileged user access policies and procedures. This is consistent with the earlier finding that 49 percent of respondents say their policies are ad hoc and not clearly defined. Figure 6. Success factors for governing, managing and controlling privileged user access Very important and important response combined Ample budget Identity and access management technologies SIEM and network intelligence technologies 88% 90% 86% 87% 75% 78% Senior level executive support Privileged access rights assigned based on job function Monitor access inactivity to determine if access should be revoked Ability to automatically remediate privileged user access policy violations Background checks before granting privileged access rights Compliance controls consistently applied across the enterprise Accountability for governing user access owned by the business Clearly defined privileged user access policies and procedures Audits by an independent third-party 65% 66% 63% 61% 61% 63% 61% 56% 56% 48% 52% 45% 51% 53% 44% 45% 36% 27% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 5
7 6 Organizations struggle with delivering and enforcing privileged user access rights. The biggest problem is still keeping pace with the number of access change requests that come in on a regular basis (an increase from 53 percent to 62 percent). However, two problems have increased significantly. These are the burdensome process for dealing with business users requesting access (from 23 percent to 35 percent of respondents) and it takes too long to deliver access to privileged users (32 percent to 44 percent), as shown in Figure 7. Figure 7. Main problems faced in delivering and enforcing privileged user access rights Three choices permitted Cannot keep pace with the number of access change requests that come in Lack of a consistent approval process for access and a way to handle exceptions 53% 45% 52% 62% Takes too long to deliver access to privileged users 32% 44% Burdensome process for business users requesting access 23% 35% Too expensive to monitor and control all privileged users 30% 38% Difficult to audit and validate privileged user access changes Cannot apply access policy controls at point of change request Too much staff required to monitor and control all privileged users 29% 35% 22% 27% 16% 23% Delivery of access to privileged users is staggered No common language exists that will work for both IT and the business Other 5% 8% 4% 5% 0% 2% 0% 10% 20% 30% 40% 50% 60% 70% 6
8 7 The detection of insider privilege abuse Concern grows about insider threats. Figure 8 reveals that 89 percent of respondents (58 percent + 31 percent) either say wiki leaks and Edward Snowden have either caused a significant or some increase in the organization s level of concern about insider threats within their organization. A similar percentage (88 percent) believes the risk of privileged user abuse will increase or stay the same over the next 12 to 24 months. Figure 8. Have recent publicized incidents such as wiki leaks and Edward Snowden increased the level of concern about insider threats? Caused a significant increase in our level of concern 58% Caused some increase in our level of concern 31% No impact in our level of concern 8% Unable to determine 3% 0% 10% 20% 30% 40% 50% 60% 70% Is it really an insider threat? Companies often have difficulty in actually knowing if an action taken by an insider is truly a threat. According to Figure 9, the biggest challenges are having enough contextual information provided by security tools (69 percent of respondents) and security tools yield too many false positives (56 percent of respondents). Figure 9. Challenges in establishing whether an event is an insider threat More than one choice permitted Not enough contextual information provided by security tools 69% Security tools yield too many false positives 56% Security tools yield more data then can be reviewed in a timely fashion 45% Behavior involved in the incident is consistent with the individual s role and responsibilities 28% 0% 10% 20% 30% 40% 50% 60% 70% 80% 7
9 8 To determine if a malicious insider is involved in the incident, companies are most likely to monitor and review log files (63 percent of respondents), conduct manual oversight by supervisors and managers (51 percent of respondents) and deploy SIEM and other network intelligence tools (40 percent of respondents), as shown in Figure 10. More sophisticated tools such as endpoint monitoring and big data analytics are not as widely used according to 34 percent and 16 percent of respondents, respectively. Figure 10. What best describes your role in the organization s IT department? More than one choice permitted Monitor and review log files 63% Conduct manual oversight by supervisors and managers Deploy SIEM and/or other network intelligence tools 40% 51% Endpoint monitoring Deploy next generation security technologies 34% 33% Utilize big data analytics to identify suspicious insider activities 16% Other 2% 0% 10% 20% 30% 40% 50% 60% 70% Increasingly, malicious insiders target privileged users to obtain their access rights. In 2011, only 21 percent said it would be likely that malicious insiders would use social engineering or other measures to obtain someone s access rights. This has increased significantly to 47 percent of respondents. In addition, more respondents say it is likely that social engineers outside the organization target privileged users to obtain their access rights (45 percent in 2014 and 30 percent in 2011). Figure 11. How likely would it be for the following events to occur? Very likely and likely response combined Malicious insiders target privileged users to obtain their access rights 21% 47% Social engineers outside the organization target privileged users to obtain their access rights 30% 45% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 8
10 9 Risks created by the human factor in privilege user access abuse continue. The most common scenarios that create the insider threat have not changed since Figure 12 reveals that 73 percent say privileged users believe they are empowered to access all the information they can view, 65 percent say privileged users access sensitive or confidential data because of curiosity and 54 percent say the organization assigns privileged access rights that go beyond the individual s role or responsibility. Figure 12. Likelihood of scenario occurring Very likely and likely response combined Privileged users believe they are empowered to access all the information they can view 73% 71% Privileged users access sensitive or confidential data because of their curiosity 65% 68% Assigned privileged access rights go beyond the individual s role or responsibilities 54% 55% According to Figure 13, two other insider threats that increased are: allowing privileged users working from a home office to have administrative or root level access rights (an increase from 35 percent to 41 percent) and not properly vetting or checking backgrounds prior to receiving access rights. Figure 13. Likelihood of insider threats occurring Very likely and likely response combined 0% 10% 20% 30% 40% 50% 60% 70% 80% Privileged users working from a home office have administrative or root level access rights 35% 41% Privileged users are not properly vetted prior to receiving their access rights 34% 38% Privileged users become disgruntled and leak data or damage equipment 27% 28% Privileged users who leave continue to have access rights for a period of time after their discharge 15% 16% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 9
11 10 Respondents are less likely to believe that access rights follow privilege users when they leave the company (15 percent of respondents) and that disgruntled employees will leak data or damage equipment (Figure 13). What s most at risk? While respondents believe general business and customer information is most at risk in their organizations due to the lack of proper access controls over privileged users (56 percent and 49 percent), fears about abuse to corporate intellectual property increased dramatically from 12 percent of respondents to 33 percent of respondents, as shown in Figure 14. Figure 14. Types of data most at risk when there is a lack of proper access controls Two choices permitted General business information Customer information Employee information Corporate intellectual property Classified information* Consumer information Financial information 12% 19% 15% 13% 35% 35% 33% 29% 26% 56% 51% 49% 54% 0% 10% 20% 30% 40% 50% 60% * This choice was not available in FY
12 11 According to Figure 15, mobile applications are considered to be most at risk in their organizations due to the lack of proper access governance and control. This is followed by social media applications (which actually declined from 51 percent to 39 percent) and cloud-based applications at 38 percent, an increase from 35 percent in Figure 15. Type of applications considered most at risk due to the lack of proper access governance and control Three choices permitted Mobile applications Social media applications Cloud-based applications Peer-to-peer database* 41% 39% 38% 35% 34% 48% 51% Business unit specific applications Knowledge applications Human resource applications CRM applications Productivity applications Supply chain management applications Finance/ERP applications Revenue generating applications 5% 21% 20% 25% 17% 20% 16% 21% 13% 15% 10% 13% 12% 33% 34% 31% 0% 10% 20% 30% 40% 50% 60% * This choice was not available in FY
13 12 Solutions for mitigating the risk Companies rely on training programs. By far, most organizations conduct regular privileged user training programs as part of their efforts to protect the organization from privileged user abuse, as shown in Figure 16. However, most respondents rate the ability of their training programs to reduce the insider threat as only average. Fifty-seven percent say their organization performs background checks before issuance of privileged credentials and 51 percent say they rely on oversight by supervisors and managers. Figure 16. How do you protect your organization from privileged user abuse? More than one choice permitted Conduct regular privileged user training programs Perform thorough background checks before issuance of privileged credentials Conduct manual oversight by supervisors and managers Monitor and review provisioning systems 62% 57% 51% 50% Deploy IAM policy monitoring tools 36% Review and act upon threat intelligence 18% Other 3% 0% 10% 20% 30% 40% 50% 60% 70% The majority of respondents believe they are agile in responding to changes in the insider threat environment. Thirty-four percent of respondents rate their organizations as very high or high in being agile in responding to insider threats. It is interesting that culture is viewed as a serious barrier to being agile followed by dispersed workforce, as shown in Figure 17. Figure 17. The biggest barrier to achieving the necessary agility to respond to changes in the insider threat environment Culture 31% Dispersed workforce 27% Cost 16% Expertise 15% IT infrastructure 10% Other 1% 0% 5% 10% 15% 20% 25% 30% 35% 12
14 13 Authentication and identity management tools are still number one. Seventy-two percent use authentication and identity management tools to manage privileged user access abuse, as shown in Figure 18. Other tools mostly used are log and configuration management (an increase from 56 percent to 64 percent) and user provisioning systems (a decrease from 63 percent to 60 percent). Technologies that have increased significantly in use are privileged user management and SIEM. Figure 18. Twelve enabling security technologies that are currently in use More than one choice permitted Authentication and identity management Log and configuration management User provisioning systems Security information and event management Privileged user management Endpoint monitoring* Enterprise role lifecycle management Access request system Access policy automation for the cloud Access policy automation Access review and certification system Host-based auditing* 17% 72% 68% 64% 56% 60% 63% 54% 48% 50% 43% 49% 42% 43% 38% 38% 36% 32% 35% 32% 28% 31% 0% 10% 20% 30% 40% 50% 60% 70% 80% * This choice ws not available for FY
15 14 More companies are using technology-based identity and access controls. According to Figure 19, one-third of respondents say their organizations use identity and access control technologies to detect the sharing of system administration access rights or root level access rights by privileged users. This is an increase from 20 percent in A combination of technology and manually-based identity and access controls is also used by one-third of organizations represented in this research but actually declined from 36 percent in Only 9 percent say access to sensitive or confidential information is not really controlled. An indication that this is getting better is that in the last study 13 percent said this was the case. Also, only 7 percent say they are unable to detect sharing of access rights. Figure 19. How does your organization detect the sharing of system administration access rights by privileged users? A combination of technology and manually-based identity and access controls Technology-based identity and access controls 20% 33% 36% 33% Manually-based identity and access controls Access to sensitive or confidential information is not really controlled We are unable to detect sharing of access rights Unsure 7% 6% 6% 9% 12% 13% 13% 12% 0% 5% 10% 15% 20% 25% 30% 35% 40% 14
16 15 In some areas, companies are getting better at enforcing privilege user access policies. The findings indicate that respondents are more positive about the ability to conduct certain activities. Figure 20 reveals these as: providing evidence of compliance with regulations and industry mandates and enforcing segregation of duties requirements. Fewer respondents believe they are excellent or good at understanding privileged user entitlements that violate policy and enforcing access policies in a consistent fashion across all information resources. Figure 20. How well does your organization ensure privileged user access policies are strictly enforced? Excellent and good response combined Providing evidence of compliance with regulations and industry mandates 70% 67% Enforcing segregation of duties requirements 55% 51% Assigning access based on job function or responsibilities Vetting privileged users through background security checks before granting access rights Changing privileged access rights when an employee s job changes or they are terminated Monitoring privileged users access when entering administrative root level access areas Understanding privileged user entitlements that are out of scope for a particular role Understanding privileged user entitlements that violate policy Enforcing access policies in a consistent fashion across all information resources 42% 40% 41% 39% 41% 45% 37% 34% 36% 35% 30% 28% 26% 23% 0% 10% 20% 30% 40% 50% 60% 70% 80% 15
17 16 Lack of visibility hinders the ability to determine if users are complying with policies. Figure 21 reveals that 42 percent of respondents are not confident that they have the enterprisewide visibility for privileged user access and can determine if users are compliant with policies. Only 16 percent are very confident that they have this visibility. Figure 21. How confident are you that your organization has enterprise-wide visibility and can determine if these users are compliant with policies? 50% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 16% 18% 15% 15% 22% 23% Very confident Confident Somewhat confident 42% 45% Not confident 2% 2% Unsure Reasons for not being confident is the inability to create a unified view of privileged user access across the enterprise and this has increased from 44 percent to 51 percent of respondents in 2014, as shown in Figure 22. Another problem is keeping up with changes occurring in their organization s IT resources (on-boarding, off-boarding and outsourcing for management), according to 30 percent of respondents. Figure 22. Main reasons for not being confident Can t create a unified view of privileged user access across the enterprise 44% 51% Can t keep up with the changes occurring to IT resources 30% 29% Can t apply controls that need to span across information resources Privileged user account information is visible but not entitlement information 10% 15% 9% 12% 0% 10% 20% 30% 40% 50% 60% 16
18 17 Budgets and investment in reducing the risk of insider threats How are companies allocating resources to reduce insider threat? Figure 23 reveals that 40 percent of respondents say they have a budget specifically allocated for investment in enabling technologies to reduce the insider threat but a similar percentage (43 percent) say their organizations do not have one. Fifty-one percent of respondents say they allocate between 5 and 8 percent of their organizations overall IT budget to insider threat technology. Figure 23. Is the budget allocated for investment in technologies to reduce the insider threat? 50% 45% 40% 35% 30% 25% 40% 43% 20% 17% 15% 10% 5% 0% It is part of the overall IT budget It is not part of the IT budget No Technologies and personnel receive the most resources to stop insider threats. When asked to allocate their organization s efforts to reduce the insider threat, 43 percent say it is dedicated to technologies and 38 percent to personnel, according to Figure 24. While organizations rely on training programs (as discussed above), only 11 percent are allocated to training. Figure 24. How does your organization allocate resources to mitigate insider threats? 50% 45% 40% 35% 30% 25% 20% 43% 38% 15% 10% 11% 7% 5% 0% Technologies Personnel Training Governance Other 1% 17
19 18 New tools to reduce the risk are considered important. When it comes to technology, 41 percent say they are more likely to buy new tools specifically for mitigating insider threats or more likely to make existing tools work (33 percent), as shown in Figure 25. Figure 25. Investing in insider threat mitigation technologies versus making existing tools work More likely to buy new tools built specifically for mitigating insider threats 41% More likely to make existing tools work 33% Equally likely to buy new tools or make existing tools work 21% Cannot determine 5% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 18
20 19 Part 3. Methods A random sampling frame of 18,821 privileged users, including database administrators, network engineers, IT security practitioners and cloud custodians located in the United States were selected as participants to this survey. As shown in Table 1, 779 respondents completed the survey. Screening and failed reliability checks removed 86 surveys. The final sample was 693 surveys (or a 3.7 percent response rate). Table 1. Sample response Freq. Pct% Total sampling frame 18, % Total returns % Rejected and screened surveys % Final sample % Pie Chart 1 reports the respondent s organizational level within participating organizations. By design, 58 percent of respondents are at or above the supervisory levels. Pie Chart 1. What organizational level best describes your current position? 4% 5% 3% 16% Senior Executive/VP Director Manager 33% Supervisor 23% Technician Staff Contractor 16% 19
21 20 Pie Chart 2 reports the respondent s direct reporting channel. Fifty-six percent of respondents report to the CIO and 16 percent report to the CISO. Pie Chart 2. What best describes your direct reporting channel? 7% 2% 1% 9% Chief Information Officer Chief Information Security Officer 9% Chief Technology Officer 56% Chief Risk Officer Compliance Officer 16% Chief Financial Officer Chief Security Officer As shown in pie chart 3, 66 percent of respondents are from organizations with a worldwide headcount of 1,000 or more employees. Pie chart 3. Worldwide headcount of the organization 9% 7% 15% < to 1,000 19% 19% 1,001 to 5,000 5,001 to 25,000 25,001 to 75,000 > 75,000 31% 20
22 21 Pie Chart 4 reports the industry segments of respondents organizations. This chart identifies financial services (18 percent) as the largest segment, followed by state or local government (12 percent) and federal government (11 percent). Pie Chart 4. Industry distribution of respondents organizations 4% 3% 3% 2% 2% 3% 3% 18% Financial services State or local government Federal government Health & pharmaceutical 5% 6% 12% Services Consumer Retail Technology & software Industrial 6% 11% Energy & utilities Communications 6% 8% 8% Entertainment & media Hospitality Defense & aerospace Transportation Other Part 4. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are privileged users, database administrators, network engineers, IT security practitioners or cloud custodians. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response. 21
23 22 Appendix: Detailed Survey Results The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in April Sample response Sampling frame 18,821 16,579 Total returns Rejected & screened surveys Final sample Response rate 3.7% 3.4% Part 1. Background Q1. What best describes your level of access to your organization s IT networks, enterprise systems, applications and information assets? Please select only one choice. Limited (ordinary) end user access rights to IT resources (Stop) 0% 6% Expanded access rights to IT resources, but not overly broad 13% 12% Broad access rights to IT resources 53% 43% Root level access rights to IT resources 34% 33% None of the above (Stop) 0% 6% Total 100% 100% Q2. Have recent well-publicized incidents such as wiki leaks and Edward Snowden increased the level of concern about insider threats within your organization FY 2014 Yes, caused a significant increase in our level of concern 58% Yes, caused some increase in our level of concern 31% No impact in our level of concern 8% Unable to determine 3% Total 100% *Data not available in FY2011 Q3a. Is privileged access required in order for you to complete your current job assignments or functions within the organization? Yes 75% 78% No 25% 22% Total 100% 100% Q3b. If you said no, what is the primary reason you still have privileged access rights? Please select only one choice. I needed privileged access in a previous position and it was not revoked after my role changed 36% 35% Everyone at my level has privileged access even if it is not required to perform a job assignment 38% 41% The organization assigned privileged access rights for no apparent reason 17% 15% I don t know 9% 9% Total 100% 100% Q4. Do you believe this risk will increase, decrease or stay the same over the next 12 to 24 months? Increase 45% 44% Stay the same 43% 42% Decrease 12% 14% Total 100% 100% 22
24 23 Q5. What best describes your role in the organization s IT department or related functions? Please check all that apply. Database administrator 32% 33% Systems administrator 36% 35% Network engineer 24% 21% IT security practitioner 31% 26% IT audit practitioner 11% 12% Data center manager 44% 41% Application developer 19% 15% Cloud custodian 24% 18% Other (please specify) 1% 2% Total 222% 203% Q6. How do you determine if an action taken by an insider is truly a threat? Select all that apply. FY 2014 Monitor and review log files 63% Conduct manual oversight by supervisors and managers 51% Deploy SIEM and/or other network intelligence tools 40% Utilize big data analytics to identify suspicious insider activities 16% Deploy next generation security technologies 33% Endpoint monitoring 34% Other (please specify) 2% Total 239% *Data not available in FY2011 Q7. How do you protect your organization from privileged user abuse? Select all that apply. FY 2014 Perform thorough background checks before issuance of privileged credentials 57% Conduct manual oversight by supervisors and managers 51% Monitor and review provisioning systems 50% Review and act upon threat intelligence 18% Deploy IAM policy monitoring tools 36% Conduct regular privileged user training programs 62% Other (please specify) 3% Total 277% *Data not available in FY2011 Q8. What are the biggest challenges your organization faces in establishing whether an event or incident is an insider threat? Select all that apply. FY 2014 Not enough contextual information provided by security tools 69% Security tools yield too many false positives 56% Behavior involved in the incident is consistent with the individual s role and responsibilities 28% Security tools yield more data then can be reviewed in a timely fashion 45% Total 198% *Data not available in FY
25 24 Q9. Please rate your organization s level of agility in responding to changes in the insider threat environment? FY 2014 Very high 14% High 20% Moderate 35% Low 22% Very low 9% Total 100% *Data not available in FY2011 Q10. What is the biggest barrier to achieving the necessary agility to respond to changes in the insider threat environment? Select only one. FY 2014 Cost 16% Expertise 15% Culture 31% IT infrastructure 10% Dispersed workforce 27% Other (please specify) 1% Total 100% *Data not available in FY2011 Q11. Using the following 10-point scale, please rate the ability of your training programs to reduce the insider threat risk. 1 = Low to 10 = High FY to 2 15% 3 to 4 31% 5 to 6 30% 7 to 8 16% 9 to 10 8% Total 100% *Data not available in FY2011 Q12. How does your organization allocate resources to mitigate or curtail insider threats? Please allocate 100 points to each category presented below FY 2014 Training 11 Technologies 43 Personnel 38 Governance 7 Other (please specify) 1 Total 100 *Data not available in FY2011 Q13a. Do you have a budget specifically allocated for investment in enabling technologies to reduce the insider threat? FY 2014 Yes, it is part of the overall IT budget 40% Yes, it is not part of the IT budget 17% No 43% Total 100% *Data not available in FY
26 25 Q13b. If part of the overall IT budget, what is the percentage allocated to insider threat technology investments? FY 2014 < 1% 2% 1% to 2% 5% 3% to 4% 8% 5% to 6% 21% 7% to 8% 30% 9% to 10% 15% 11% to 15% 11% 16% to 20% 5% > 20% 3% Total 100% *Data not available in FY2011 Q14. What one statement best describes your organization s preference for investing in insider threat mitigation technologies versus making existing tools work? FY 2014 We are more likely to buy new tools built specifically for mitigating insider threats 41% We are more likely to make existing tools work 33% We are equally likely to buy new tools or make existing tools work 21% Cannot determine 5% Total 100% *Data not available in FY2011 Part 2. Scenarios: How likely would it be for the following events to occur within your organization? Very likely & likely response combined Q15. The organization assigns privileged access rights that go beyond the individual s role or responsibilities. 54% 55% Q16. Privileged users are pressured to share their access rights with others in the organization. 40% 41% Q17. Social engineers outside the organization target privileged users to obtain their access rights. 45% 30% Q18. Malicious insiders target privileged users to obtain their access rights. 47% 21% Q19. Privileged users are not properly vetted or have their backgrounds checked prior to receiving their access rights. 38% 34% Q20. Privileged users become disgruntled and leak data or damage equipment. 27% 28% Q21. Privileged users access sensitive or confidential data because of their curiosity. 65% 68% Q22. Privileged users believe they are empowered to access all the information they can view. 73% 71% Q23. Privileged users who leave the organization continue to have access rights for a period of time after their discharge. 15% 16% Q24. Privileged users working from a home office have administrative or root level access rights. 41% 35% Average 45% 41% 25
27 26 Part 3. Privileged user access governance Q25. Please check all 12 of the enabling security technologies below that are used by your organization. Enterprise role lifecycle management 42% 43% Access request system 38% 38% Access policy automation 35% 32% Access review and certification system 28% 31% Privileged user management 50% 43% Security information and event management (SIEM) 54% 48% Access policy automation for the cloud 36% 32% Log and configuration management 64% 56% User provisioning systems 60% 63% Authentication and identity management 72% 68% Host-based auditing* 17% Endpoint monitoring* 49% Average 45% 45% Q26. What types of data do you consider to be most at risk in your organization due to the lack of proper access controls over privileged users? Top two choices. Customer information 49% 54% Consumer information 26% 19% Employee information 35% 35% Financial information 15% 13% General business information 56% 51% Corporate intellectual property 33% 12% Classified information* 29% Total 35% 184% Q27. What type of applications do you consider to be most at risk in your organization due to the lack of proper access governance and control? Please select the top three. Finance/ERP applications 10% 13% CRM applications 17% 20% Supply chain management applications 13% 15% Revenue generating applications 5% 12% Business unit specific applications 33% 34% Human resource applications 20% 25% Productivity applications 16% 21% Knowledge applications 21% 31% Cloud-based applications 38% 35% Social media applications 39% 51% Peer-to-peer database* 34% Mobile applications 48% 41% Total 294% 298% Q28. What best describes the process for assigning privileged user access to IT resources in your organization today? Please select one best choice. An ad hoc process 49% 51% Determined by well-defined policies that are centrally controlled by corporate IT 35% 31% Determined by well-defined policies that are controlled by business or application owners 15% 16% Unsure 1% 2% Total 100% 100% 26
28 27 Q29. Who in your organization is most responsible for granting privilegeduser access to information resources? Top two choices. Information technology operations 40% 40% Information security department 10% 11% Compliance department 17% 16% Business unit managers 51% 43% Application owners 35% 38% Human resource department 21% 25% Unsure 7% 6% Total 181% 179% Q30. What processes are used for granting privileged user access to IT resources: Please select the top two. Manual process (i.e. or phone) 40% 22% Homegrown access request systems 17% 16% Commercial off- the-shelf automated solutions 57% 35% IT Help Desk 36% 20% Unsure 0% 1% Other 5% 6% Total 155% 100% Q31. What processes are used to review and certify privileged user access? Please select the top two. Manual process (i.e. , spreadsheets) 46% 23% Homegrown access certification system 17% 18% Commercial off-the-shelf access certification system 44% 31% IT Help Desk 8% 3% Unsure 10% 16% Other 7% 9% Total 132% 100% Q32. Who within your organization is most responsible for conducting privileged user role certification? IT security 24% 23% Business units 36% 32% Audit 5% 4% Compliance 15% 9% Quality assurance 2% 3% Data center management 7% 5% Other 11% 24% Total 100% 100% Q33. How does your organization detect the sharing of system administration access rights or root level access rights by privileged users? Please select the top two. Technology-based identity and access controls 33% 20% Manually-based identity and access controls 12% 13% A combination of technology and manually-based identity and access controls 33% 36% Access to sensitive or confidential information is not really controlled 9% 13% We are unable to detect sharing of access rights 7% 6% Unsure 6% 12% Total 100% 100% 27
29 28 Q34. How well does your organization ensure privileged user access policies for the following tasks are strictly enforced? Combined excellent and good response. Assigning access based on job function or responsibilities 42% 40% Revoking or changing privileged access rights as needed when an employee s job or function changes or their relationship with the organization is terminated 41% 45% Enforcing access policies in a consistent fashion across all information resources in the organization 26% 23% Monitoring privileged users access when entering administrative root level access areas 37% 34% Enforcing segregation of duties requirements 55% 51% Providing evidence of compliance with regulations and industry mandates 70% 67% Understanding privileged user entitlements that are out of scope for a particular role 36% 35% Understanding privileged user entitlements that violate policy 30% 28% Vetting privileged users through background security checks before granting access rights 41% 39% Average 42% 40% Q35a. How confident are you that your organization has enterprise-wide visibility for privileged user access and can determine if these users are compliant with policies? Very confident 16% 15% Confident 18% 15% Somewhat confident 22% 23% Not confident 42% 45% Unsure 2% 2% Total 100% 100% Q35b. If not confident, please select one main reason. We can t create a unified view of privileged user access across the enterprise 51% 44% We only have visibility into privileged user account information but not entitlement information 9% 12% We can t apply controls that need to span across information resources 10% 15% We can t keep up with the changes occurring to our organization s IT resources (on-boarding, off- boarding and outsourcing for management) 30% 29% Total 100% 100% Q36. What are the critical success factors for governing, managing and controlling privileged user access across the enterprise? Very important and important response combined. Senior level executive support 65% 66% Ample budget 88% 90% Identity and access management technologies 86% 87% SIEM and network intelligence technologies 75% 78% Clearly defined privileged user access policies and procedures 44% 45% Accountability for governing user access owned by the business 51% 53% Privileged access rights assigned based on job function and responsibilities 63% 61% Compliance controls consistently applied across the enterprise 52% 45% Ability to automatically remediate privileged user access policy violations 61% 56% Monitor access inactivity to determine if access should be revoked 61% 63% Audits by an independent third-party 36% 27% Background checks before granting privileged access rights 56% 48% Average 62% 60% 28
30 29 Q37. What are the main problems your organization faces in delivering and enforcing privileged user access rights? Please select only your top three choices. Takes too long to deliver access to privileged users (not meeting our SLAs with the business) 44% 32% Too expensive to monitor and control all privileged users 30% 38% Too much staff required to monitor and control all privileged users 16% 23% Cannot apply access policy controls at point of change request 22% 27% Delivery of access to privileged users is staggered (not delivered at the same time) 5% 8% Cannot keep pace with the number of access change requests that come in on a regular basis 62% 53% Lack of a consistent approval process for access and a way to handle exceptions 45% 52% Difficult to audit and validate privileged user access changes 29% 35% Burdensome process for business users requesting access 35% 23% No common language exists for how access is requested that will work for both IT and the business 4% 5% Other (please specify) 0% 2% Total 292% 298% Part 4. More scenarios. In your opinion, how will each of the following situations affect your organization s access governance process, especially concerning privileged users? Please use the scale from very significant impact to no affect. Q38. Increasing number of regulations or industry mandates 62% 60% Q39. Adoption of cloud-based applications enables the business or endusers to circumvent existing access policies 71% 65% Q40. Outsourcing of applications and data for management 36% 45% Q41. The constant turnover (ebb and flow) of employees, contractors, consultants and partners 41% 43% Q42. Availability of SIEM and other network intelligence technologies 56% 57% Q43. Constant changes to the organization as a result of corporate reorganizations, downsizing and financial distress 27% 32% Q44. Adoption of virtualization technologies 48% 56% Q45. Expanded use of mobile devices in the workplace 76% 48% Q46. Change in the nature and scope of cyber crime 71% 65% Q47. The level of risk caused by privileged users abuse or misuse of IT resources 26% 19% Average 51% 49% Part 5. Your role D1. What organizational level best describes your current position? FY 2014 Senior Executive/VP 3% Director 16% Manager 23% Supervisor 16% Technician 33% Staff 4% Contractor 5% Other 0% Total 100% 29
31 30 D2. Check the Primary Person you or your IT security leader reports to within the organization. FY 2014 CEO/Executive Committee 0% Chief Financial Officer 2% General Counsel 0% Chief Information Officer 56% Chief Technology Officer 9% Compliance Officer 7% Human Resources VP 0% Chief Security Officer 1% Chief Information Security Officer 16% Chief Risk Officer 9% Other 0% Total 100% D3. What is the worldwide headcount of your organization? FY 2014 < % 500 to 1,000 19% 1,001 to 5,000 31% 5,001 to 25,000 19% 25,001 to 75,000 9% > 75,000 7% Total 100% D4. What industry best describes your organization s industry focus? FY 2014 Agriculture & food services 0% Communications 3% Consumer 6% Defense & aerospace 2% Education & research 1% Energy & utilities 4% Entertainment & media 3% Federal government 11% Financial services 18% Health & pharmaceutical 8% Hospitality 3% Industrial 5% Retail 6% Services 8% State or local government 12% Technology & software 6% Transportation 2% Other 2% Total 100% 30
32 31 About Raytheon Raytheon Company, with 2013 sales of $24 billion and 63,000 employees worldwide, is a technology and innovation leader specializing in defense, security and civil markets throughout the world. With a history of innovation spanning 92 years, Raytheon provides state-of-the-art electronics, mission systems integration and other capabilities in the areas of sensing; effects; and command, control, communications and intelligence systems, as well as cyber security and a broad range of mission support services. Raytheon is headquartered in Waltham, Mass. For more about Raytheon, visit us at and follow us on Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. 31
The State of Data Security Intelligence. Sponsored by Informatica. Independently conducted by Ponemon Institute LLC Publication Date: April 2015
The State of Data Security Intelligence Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report The State of Data Security
More informationIs Your Company Ready for a Big Data Breach?
Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report
More informationAchieving Security in Workplace File Sharing. Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014
Achieving Security in Workplace File Sharing Sponsored by Axway Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction Achieving
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report
More informationGlobal Insights on Document Security
Global Insights on Document Security Sponsored by Adobe Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report Global Insights on Document Security
More informationWhat You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage
What You Don t Know Will Hurt You: A Study of the Risk from Application Access and Usage Sponsored by ObserveIT Independently conducted by Ponemon Institute LLC June 2015 Ponemon Institute Research Report
More informationData Breach: The Cloud Multiplier Effect
Data Breach: The Cloud Multiplier Effect Sponsored by Netskope Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report Part 1. Introduction Data Breach:
More informationExposing the Cybersecurity Cracks: A Global Perspective
Exposing the Cybersecurity Cracks: A Global Perspective Part I: Deficient, Disconnected & in the Dark Sponsored by Websense, Inc. Independently conducted by Ponemon Institute LLC Publication Date: April
More informationManaging Cyber Security as a Business Risk: Cyber Insurance in the Digital Age
Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: August 2013
More informationThe Importance of Cyber Threat Intelligence to a Strong Security Posture
The Importance of Cyber Threat Intelligence to a Strong Security Posture Sponsored by Webroot Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research Report
More informationUnderstaffed and at Risk: Today s IT Security Department. Sponsored by HP Enterprise Security
Understaffed and at Risk: Today s IT Security Department Sponsored by HP Enterprise Security Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute Research
More informationSecurity of Cloud Computing Users Study
Security of Cloud Computing Users Study Sponsored by CA Technologies Independently conducted by Ponemon Institute, LLC Publication Date: March 2013 Security of Cloud Computing Users Study March 2013 Part
More informationThe Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T
The Cost of Insecure Mobile Devices in the Workplace! Sponsored by AT&T Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Part 1. Introduction The Cost of Insecure Mobile Devices
More informationThe State of Data Centric Security
The State of Data Centric Security Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report State of Data Centric Security
More informationThe Unintentional Insider Risk in United States and German Organizations
The Unintentional Insider Risk in United States and German Organizations Sponsored by Raytheon Websense Independently conducted by Ponemon Institute LLC Publication Date: July 2015 2 Part 1. Introduction
More informationSecurity of Paper Records & Document Shredding. Sponsored by Cintas. Independently conducted by Ponemon Institute LLC Publication Date: January 2014
Security of Paper Records & Document Shredding Sponsored by Cintas Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction
More information2012 Application Security Gap Study: A Survey of IT Security & Developers
2012 Application Gap Study: A Survey of IT & s Research sponsored by Innovation Independently Conducted by Ponemon Institute LLC March 2012 1 2012 Application Gap Study: A Survey of IT & s March 2012 Part
More informationThe SQL Injection Threat Study
The SQL Injection Threat Study Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: April 2014 1 The SQL Injection Threat Study Presented by Ponemon Institute, April
More informationThe Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners
The Security of Cloud Infrastructure Survey of U.S. IT and Compliance Practitioners Sponsored by Vormetric Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon Institute
More informationUnderstanding Security Complexity in 21 st Century IT Environments:
Understanding Security Complexity in 21 st Century IT Environments: A study of IT practitioners in the US, UK, France, Japan & Germany Sponsored by Check Point Software Technologies Independently conducted
More informationA Study of Retail Banks & DDoS Attacks
A Study of Retail Banks & DDoS Attacks Sponsored by Corero Network Security Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report A Study of
More informationElectronic Health Information at Risk: A Study of IT Practitioners
Electronic Health Information at Risk: A Study of IT Practitioners Sponsored by LogLogic Conducted by Ponemon Institute LLC October 15, 2009 Ponemon Institute Research Report Executive summary Electronic
More informationPerceptions About Network Security Survey of IT & IT security practitioners in the U.S.
Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2011 Ponemon
More informationRisk & Innovation in Cybersecurity Investments. Sponsored by Lockheed Martin
Risk & Innovation in Cybersecurity Investments Sponsored by Lockheed Martin Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report Part 1. Introduction
More informationThe Impact of Cybercrime on Business
The Impact of Cybercrime on Business Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil Sponsored by Check Point Software Technologies Independently conducted
More information2010 Access Governance Trends Survey
2010 Access Governance Trends Survey Sponsored by Aveksa Independently conducted by Ponemon Institute LLC Publication Date: April 19, 2010 Ponemon Institute Research Report I. Executive Summary 2010 Access
More informationCloud Security: Getting It Right
Cloud Security: Getting It Right Sponsored by Armor Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute Research Report Cloud Security: Getting It Right Ponemon
More informationThird Annual Study: Is Your Company Ready for a Big Data Breach?
Third Annual Study: Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute
More informationReputation Impact of a Data Breach U.S. Study of Executives & Managers
Reputation Impact of a Data Breach U.S. Study of Executives & Managers Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: November 2011 Ponemon
More informationSecurity Metrics to Manage Change: Which Matter, Which Can Be Measured?
Security Metrics to Manage Change: Which Matter, Which Can Be Measured? Sponsored by FireMon Independently conducted by Ponemon Institute LLC Publication Date: April 2014 2 Security Metrics to Manage Change:
More informationThe SQL Injection Threat & Recent Retail Breaches
The SQL Injection Threat & Recent Retail Breaches Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2014 1 Part 1. Introduction The SQL Injection Threat &
More informationThe Cost of Web Application Attacks
The Cost of Web Application Attacks Sponsored by Akamai Technologies Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Ponemon Institute Research Report Part 1. Introduction The
More informationAftermath of a Data Breach Study
Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath
More informationData Security in the Evolving Payments Ecosystem
Data Security in the Evolving Payments Ecosystem Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2015 Ponemon Institute Research Report
More informationThe Security Impact of Mobile Device Use by Employees
The Security Impact of Mobile Device Use by Employees Sponsored by Accellion Independently conducted by Ponemon Institute LLC Publication Date: December 2014 Ponemon Institute Research Report The Security
More informationData Security in Development & Testing
Data Security in Development & Testing Sponsored by Micro Focus Independently conducted by Ponemon Institute LLC Publication Date: July 31, 2009 Ponemon Institute Research Report Data Security in Development
More informationPerceptions about the Potential Expiration of The Terrorism Risk Insurance Act (TRIA)
Perceptions about the Potential Expiration of The Terrorism Risk Insurance Act (TRIA) Sponsored by Property Casualty Insurers Association of America Independently conducted by Ponemon Institute LLC Publication
More informationAchieving Data Privacy in the Cloud
Achieving Data Privacy in the Cloud Study of Information Technology Privacy and Compliance of Small to Medium-Sized Organizations in germany Sponsored by microsoft Independently Conducted by Ponemon Institute
More information2014: A Year of Mega Breaches
2014: A Year of Mega Breaches Sponsored by Identity Finder Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report Part 1. Introduction 2014: A
More informationChallenges of Cloud Information
The Challenges of Cloud Information Governance: A Global Data Security Study Sponsored by SafeNet Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research
More informationThe State of Mobile Application Insecurity
The State of Mobile Application Insecurity Sponsored by IBM Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report Part 1. Introduction The State
More informationSecurity of Cloud Computing Providers Study
Security of Cloud Computing Providers Study Sponsored by CA Technologies Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report I. Executive Summary
More informationCyber Security on the Offense: A Study of IT Security Experts
Cyber Security on the Offense: A Study of IT Security Experts Co-authored with Radware Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report
More informationSecurity of Cloud Computing Providers Study
Security of Cloud Computing Providers Study Sponsored by CA Technologies Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report I. Executive Summary
More informationThreat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations
Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations Sponsored by AccessData Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute
More informationCorporate Data: A Protected Asset or a Ticking Time Bomb?
Corporate Data: A Protected Asset or a Ticking Time Bomb? Sponsored by Varonis Independently conducted by Ponemon Institute LLC Publication Date: December 2014 Ponemon Institute Research Report Corporate
More informationGlobal Survey on Social Media Risks Survey of IT & IT Security Practitioners
0 Global Survey on Social Media Risks Survey of IT & IT Security Practitioners Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication Date: September 2011 1 Global Survey on
More informationNational Survey on Data Center Outages
National Survey on Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: 30 September 2010 Part 1. Executive Summary National Survey on Data Center Outages Ponemon Institute,
More informationThe State of USB Drive Security
The State of USB Drive Security U.S. survey of IT and IT security practitioners Sponsored by Kingston Independently conducted by Ponemon Institute LLC Publication Date: July 2011 Ponemon Institute Research
More informationBreaking Bad: The Risk of Insecure File Sharing
Breaking Bad: The Risk of Insecure File Sharing Sponsored by Intralinks Independently conducted by Ponemon Institute LLC Publication Date: October 2014 Ponemon Institute Research Report Breaking Bad: The
More informationExposing the Cybersecurity Cracks: A Global Perspective
Exposing the Cybersecurity Cracks: A Global Perspective Part 2: Roadblocks, Refresh and Raising the Human Security IQ Sponsored by Websense Independently conducted by Ponemon Institute LLC Publication
More informationThe 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season
The 2013 ecommerce Cyber Crime Report: Safeguarding Brand And Revenue This Holiday Season Sponsored by RSA Security Independently conducted by Ponemon Institute, LLC Publication Date: October 2013 Ponemon
More information2015 Global Megatrends in Cybersecurity
2015 Global Megatrends in Cybersecurity Sponsored by Raytheon Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report 2015 Global Megatrends in
More informationBest Practices in Data Protection Survey of U.S. IT & IT Security Practitioners
Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners Sponsored by McAfee Independently conducted by Ponemon Institute LLC Publication Date: October 2011 Ponemon Institute Research.
More information2015 Global Study on IT Security Spending & Investments
2015 Study on IT Security Spending & Investments Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Sponsored by Part 1. Introduction Security risks are pervasive and becoming
More informationEfficacy of Emerging Network Security Technologies
Efficacy of Emerging Network Security Technologies Sponsored by Juniper Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Part
More informationDefining the Gap: The Cybersecurity Governance Study
Defining the Gap: The Cybersecurity Governance Study Sponsored by Fidelis Cybersecurity Independently conducted by Ponemon Institute LLC Publication Date: June 2015 Ponemon Institute Research Report Defining
More informationAdvanced Threats in Retail Companies: A Study of North America & EMEA
Advanced Threats in Companies: A Study of North America & EMEA Sponsored by Arbor Networks Independently conducted by Ponemon Institute LLC Publication Date: May 2015 Ponemon Institute Research Report
More informationThe Importance of Senior Executive Involvement in Breach Response
The Importance of Senior Executive Involvement in Breach Response Sponsored by HP Enterprise Security Services Independently conducted by Ponemon Institute LLC Publication Date: October 2014 The Importance
More information2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition
2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition Sponsored by Silver Tail Systems Independently conducted by Ponemon Institute, LLC Publication Date: October 2012 Ponemon Institute
More information2014 State of Endpoint Risk. Sponsored by Lumension. Independently conducted by Ponemon Institute LLC Publication Date: December 2013
2014 State of Endpoint Risk Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2013 Ponemon Institute Research Report 2014 State of Endpoint Risk Ponemon
More informationThe Role of Governance, Risk Management & Compliance in Organizations
The Role of Governance, Risk Management & Compliance in Organizations Study of GRC practitioners Sponsored by RSA, The Security Division of EMC Independently conducted by Ponemon Institute LLC Publication
More informationThe Economic and Productivity Impact of IT Security on Healthcare
The Economic and Productivity Impact of IT Security on Healthcare Sponsored by Imprivata Independently conducted by Ponemon Institute LLC Publication Date: May 2013 Ponemon Institute Research Report The
More informationEncryption in the Cloud
Encryption in the Cloud Who is responsible for data protection in the cloud? Sponsored by Thales e-security Independently conducted by Ponemon Institute LLC Publication Date: July 2012 Ponemon Institute
More information2015 Global Cyber Impact Report
2015 Global Cyber Impact Report Sponsored by Aon Risk Services Independently conducted by Ponemon Institute LLC Publication Date: April 2015 2015 Global Cyber Impact Report Ponemon Institute, April 2015
More information2013 Study on Data Center Outages
2013 Study on Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: September 2013 2013 Study on Data Center Outages Ponemon Institute, September 2013 Part 1. Introduction
More informationHow Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States
How Single Sign-On Is Changing Healthcare A Study of IT Practitioners in Acute Care Hospitals in the United States Sponsored by Imprivata Independently conducted by Ponemon Institute LLC Publication Date:
More informationLeading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers
Leading Practices in Behavioral Advertising & Consumer Privacy Study of Internet Marketers and Advertisers Independently Conducted by Ponemon Institute LLC February 2012 Leading Practices in Behavioral
More informationSurvey on the Governance of Unstructured Data. Independently Conducted and Published by Ponemon Institute LLC. Sponsored by Varonis Systems, Inc.
Survey on the Governance of Unstructured Data Independently Conducted and Published by Ponemon Institute LLC Sponsored by Varonis Systems, Inc. June 30, 2008 Please Do Not Quote Without Express Permission.
More informationCompliance Cost Associated with the Storage of Unstructured Information
Compliance Cost Associated with the Storage of Unstructured Information Sponsored by Novell Independently conducted by Ponemon Institute LLC Publication Date: May 2011 Ponemon Institute Research Report
More informationCyber Threat Intelligence: Has to Be a Better Way
Exchanging Cyber Threat Intelligence: There Has to Be a Better Way Sponsored by IID Independently conducted by Ponemon Institute LLC Publication Date: April 2014 Ponemon Institute Research Report Exchanging
More informationThe End Endorsed Devices pose a Large Security Risk to Your Organization
2013 State of the Endpoint Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report 2013 State of the Endpoint Ponemon Institute:
More informationSecurity of Cloud Computing Users A Study of Practitioners in the US & Europe
Security of Cloud Computing Users A Study of Practitioners in the US & Europe Sponsored by CA Independently conducted by Ponemon Institute LLC Publication Date: 12 May 2010 Ponemon Institute Research Report
More informationEnhancing Cybersecurity with Big Data: Challenges & Opportunities
Enhancing Cybersecurity with Big Data: Challenges & Opportunities Independently Conducted by Ponemon Institute LLC Sponsored by Microsoft Corporation November 2014 CONTENTS 2 3 6 9 10 Introduction The
More informationState of SMB Cyber Security Readiness: UK Study
State of SMB Cyber Security Readiness: UK Study Sponsored by Faronics Independently conducted by Ponemon Institute LLC Publication Date: November 2012 Ponemon Institute Research Report Part 1. Introduction
More informationSponsored by Zimbra. The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA
The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US & EMEA Sponsored by Zimbra Independently conducted by Ponemon Institute LLC Publication Date: November 2014 Ponemon Institute
More informationData Loss Risks During Downsizing As Employees Exit, so does Corporate Data
Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data Independently conducted by Ponemon Institute LLC Publication Date: February 23, 2009 Sponsored by Symantec Corporation Ponemon
More informationBig Data Analytics in Cyber Defense
Big Data Analytics in Cyber Defense Sponsored by Teradata Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Big Data Analytics in Cyber
More informationState of Web Application Security U.S. Survey of IT & IT security practitioners
State of Web Application Security U.S. Survey of IT & IT security practitioners Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: March 2011 Ponemon
More informationThird Annual Survey on Medical Identity Theft
Third Annual Survey on Medical Identity Theft Sponsored by Experian s ProtectMyID Independently conducted by Ponemon Institute LLC Publication Date: June 2012 Ponemon Institute Research Report Part 1:
More information2015 State of the Endpoint Report: User-Centric Risk
2015 State of the Endpoint Report: User-Centric Risk Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report 2015 State
More informationThe Human Factor in Data Protection
The Human Factor in Data Protection Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report The Human Factor in Data Protection
More informationThe Fraud Report: How Fake Users Are Impacting Business
The Fraud Report: How Fake Users Are Impacting Business Sponsored by TeleSign Independently conducted by Ponemon Institute LLC Publication Date: November 2015 Ponemon Institute Research Report The Fraud
More informationThe economics of IT risk and reputation
Global Technology Services Research Report Risk Management The economics of IT risk and reputation What business continuity and IT security really mean to your organization Findings from the IBM Global
More informationState of IT Security Study of Utilities & Energy Companies
State of IT Security Study of Utilities & Energy Companies Sponsored by Q1 Labs Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report State of
More informationThe TCO of Software vs. Hardware-based Full Disk Encryption Summary
The TCO of vs. -based Full Disk Encryption Summary Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Industry Co-Sponsors Ponemon Institute Research Report
More informationThe Post Breach Boom. Sponsored by Solera Networks. Independently conducted by Ponemon Institute LLC Publication Date: February 2013
The Post Breach Boom Sponsored by Solera Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2013 Ponemon Institute Research Report Part 1. Introduction The Post Breach
More information2012 Business Banking Trust Trends Study
2012 Business Banking Trust Trends Study Sponsored by Guardian Analytics Independently conducted by Ponemon Institute LLC Publication Date: August 2012 Ponemon Institute Research Report Part 1. Introduction
More informationFourth Annual Benchmark Study on Patient Privacy & Data Security
Fourth Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Ponemon Institute Research Report
More informationIBM QRadar Security Intelligence: Evidence of Value
IBM QRadar Security Intelligence: Evidence of Value Independently conducted by Ponemon Institute LLC February 2014 Ponemon Institute Research Report Background IBM QRadar: Evidence of Value Ponemon Institute:
More informationThe Aftermath of a Data Breach: Consumer Sentiment
The Aftermath of a Data Breach: Consumer Sentiment Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2014 Ponemon Institute Research
More information2013 Cost of Data Center Outages
2013 Cost of Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: December 2013 Part 1. Executive Summary 2013 Cost of Data Center Outages Ponemon Institute, December
More informationPrivacy and Security in a Connected Life: A Study of European Consumers
Privacy and Security in a Connected Life: A Study of European Consumers Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute Research
More informationSecond Annual Benchmark Study on Patient Privacy & Data Security
Second Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: December 2011 Ponemon Institute Research Report
More informationThe Billion Dollar Lost Laptop Problem Benchmark study of U.S. organizations
The Billion Dollar Lost Laptop Problem Benchmark study of U.S. organizations Independently conducted by Ponemon Institute LLC Publication Date: 30 September 2010 Ponemon Institute Research Report Part
More informationThe TCO for Full Disk Encryption Studies in the US, UK, Germany & Japan
The TCO for Full Disk Encryption Studies in the US, UK, Germany & Japan Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: July 2012 Ponemon Institute Research Report
More informationEconomic impact of privacy on online behavioral advertising
Benchmark study of Internet marketers and advertisers Independently Conducted by Ponemon Institute LLC April 30, 2010 Ponemon Institute Research Report Economic impact of privacy on online behavioral advertising
More informationThe Cloud Balancing Act for IT: Between Promise and Peril
The Cloud Balancing Act for IT: Between Promise and Peril Table of Contents EXECUTIVE SUMMARY...2 ONBOARDING CLOUD SERVICES...3 SYSTEMS OF RECORD: THE NEXT WAVE OF CLOUD ADOPTION...6 A CULTURE OF COMPLIANCE
More informationCritical Infrastructure: Security Preparedness and Maturity Sponsored by Unisys
Critical Infrastructure: Security Preparedness and Maturity Sponsored by Unisys Independently conducted by Ponemon Institute LLC Publication Date: July 2014 31 Part 1. Introduction Ponemon Institute is
More information