Exposing the Cybersecurity Cracks: A Global Perspective

Transcription

1 Exposing the Cybersecurity Cracks: A Global Perspective Part I: Deficient, Disconnected & in the Dark Sponsored by Websense, Inc. Independently conducted by Ponemon Institute LLC Publication Date: April 2014

2 2 Exposing the Cybersecurity Cracks: A Global Perspective Part I: Deficient, Disconnected & in the Dark Ponemon Institute, April 2014 Ponemon Institute is pleased to present the findings of its two-part study, Exposing the Cybersecurity Cracks: A Global Perspective sponsored by Websense, Inc. This first report uncovers the deficient, disconnected and in-the-dark conditions that challenge IT security professionals. Areas of focus include a deficit in security solution effectiveness; a disconnect regarding the perceived value of confidential data; and limited visibility into cybercriminal activity. The study surveyed 4,881 IT and IT security practitioners in 15 countries Australia, Brazil, Canada, China, France, Germany, Hong Kong, India, Italy, Mexico, the Netherlands, Singapore, Sweden, United Kingdom and the United States with an average of 10 years experience in the field. This report covers the consolidated global findings. DEFICIENT Findings reveal that security professionals have systems that fall short in terms of protection from cyber attacks and data leakage. They need access to heightened threat intelligence and defenses. Because the security threat landscape is more challenging and dynamic than ever, having the intelligence to anticipate, identify and reduce the threats is critical. Fifty-seven percent of respondents do not think their organization is protected from advanced cyber attacks and 63 percent doubt they can stop the exfiltration of confidential information. Most respondents (69 percent) believe cybersecurity threats sometimes fall through the cracks of their companies existing security systems. Forty-four percent of companies represented in this research experienced one or more substantial cyber attacks in the past year. (We define a substantial attack as one that infiltrated networks or enterprise systems.) Fifty-nine percent of companies do not have adequate intelligence or are unsure about attempted attacks and their impact. Further, 51 percent say their security solutions do not inform them or they are unsure if their solution can inform them about the root causes of an attack. DISCONNECTED There is a disconnect regarding the perceived value of confidential data. Eighty percent of respondents say their company s leaders do not equate losing confidential data with a potential loss of revenue, despite Ponemon Institute research indicating the average cost of an organizational data breach is $5.4 million. Forty-eight percent say their board-level executives have a sub-par understanding of security issues. This figure has not been measured in previous surveys, but it is presumed that cybersecurity awareness has most likely increased over the last few years. IN THE DARK Many security professionals find it hard to keep track of the threat landscape and are not sure if they had been a victim of an attack. 2

3 3 Less than half of the respondents (41 percent) believe they have a good understanding about the threat landscape facing their company. Only 37 percent of respondents could say with certainty that their organization lost sensitive or confidential information as a result of a cyber attack. Thirty-five percent of those who had lost sensitive or confidential information did not know exactly what data had been stolen. Key Findings: Deficient, Disconnected & in the Dark The following is an analysis of key findings and global differences based on the consolidated responses from the 15 countries represented in this research. The audited global results are presented in the appendix of the report. DEFICIENT There is a deficiency in an organization s ability to protect against cyber attacks and have the right technology to stop data loss and theft. Results show a worrisome cybersecurity trend. When asked about the state of cybersecurity today, 57 percent of respondents do not think (100 percent 43 percent) that their organization is protected from advanced cyber attacks, as shown in Figure 1. Sixty-three percent (100 percent 37 percent) do not have security that can stop cybercriminals from stealing corporate information. Only 26 percent agree that it is possible to create a security program that can withstand all targeted attacks. It is not surprising, therefore, that most respondents (69 percent) believe that cybersecurity threats sometimes fall through the cracks of their companies existing security systems. Figure 1: Perceptions About the State of Cyberdefense in Organizations Cybersecurity threats sometimes fall through the cracks of existing security systems. 36% 33% 11% My company is protected from advanced cyber attacks. 23% 19% 12% 26% My company s security can stop cybercriminals from stealing corporate information. 15% 22% 12% 18% 33% It is possible to create a security program that can withstand all targeted attacks. 12% 14% 29% 15% Strongly agree Agree Unsure Disagree Strongly disagree 3

4 4 While there are differences among the countries, the majority of respondents in all countries believe this to be the case. As shown in Figure 2, respondents in France (82 percent), Italy (82 percent), Singapore (79 percent) and Germany (78 percent) are most likely to agree that there is a deficit in security effectiveness and visibility. Least likely to believe this is the case, and more optimistic that they can catch threats, are respondents from Canada (56 percent), Sweden (57 percent) and Australia (58 percent). Figure 2: Cybersecurity Threats Sometimes Fall Through the Cracks of Existing Security Systems (Strongly agree and agree response combined.) % 77% 78% 82% 82% 69% 67% 63% 66% 69% 64% 56% 58% 57% 59% US CA AU CH HK SG ID UK DE FR NL SW IT MX BZ Strongly agree and agree Many security professionals struggle to keep pace. With high-profile attacks hitting the headlines week in and week out, cybersecurity professionals struggle to keep pace with the threat landscape. According to Figure 3, 44 percent of companies represented in this study experienced one or more substantial cyber attacks during the previous 12 months. (A substantial attack is defined as one that infiltrated networks of enterprise systems.) Figure 3: Has your company experienced one or more substantial cyber attacks during the past 12 months? % 48% 7% Yes No Unsure Attack intelligence needs improvement. According to Figure 4, 44 percent of respondents say their company s security solutions do not provide adequate intelligence to inform them about an attempted cyber attack and the potential consequences. Further, 15 percent admit to not knowing 4

5 5 if they are getting such information. Only 42 percent say their solutions do provide actionable information. Fifty-one percent of respondents say their current security solutions do not provide information about the sources and/or root causes of cyber attacks or respondents are unsure. Figure 4: Security Solutions Ability to Provide Attack Intelligence % 49% 44% 44% 15% Yes No Unsure 7% We have adequate intelligence to know about an attempted attack and its impact. Our security solutions inform us about the root causes of a cyber attack. As shown in Figure 5, there are significant differences among countries regarding the availability of intelligence to inform them about an attempted cyber attack and the consequences of such an attack. The highest level of confidence is among respondents in Germany (65 percent) and Netherlands (61 percent). The lowest confidence is in Brazil (25 percent), Mexico (28 percent) and India (29 percent). Figure 5: We have adequate intelligence to know about an attempted attack and its impact % 61% 57% 53% 54% 43% 42% 42% 35% 36% 31% 29% 32% 28% 25% US CA AU CH HK SG ID UK DE FR NL SW IT MX BZ Yes DISCONNECTED There is a disconnect in perception about the perceived value of confidential data. According to respondents, there is a gap between data breach perception and reality specifically regarding the potential revenue loss to their business. Eighty percent of respondents say their executives do not believe that the loss of their organization s confidential data could result in a potential loss of revenue. This is in contrast to recent Ponemon Institute research, which indicates that data breaches have serious financial consequences for organizations. The 5

6 6 average cost per lost or stolen record due to a data breach is $188 and the average organizational data breach cost is $5.4 million. As shown in Figure 6, forty-eight percent of respondents say their board members and executives have a sub-par understanding of security issues. However, cyber security awareness is growing among this group and should continue into the future. Figure 6: How knowledgeable are non-it executives and board members about cybersecurity? 35% 25% 15% 5% 34% 35% 31% 29% 19% 16% 13% 11% 5% 5% Substantial Good Some Poor None Knowledge about cyber security among non-it executives. Knowledge about cyber security among the board members. IN THE DARK Many security professionals are in the dark. Research reveals that respondents find it difficult to keep track of the threat landscape and even know if their organization has been attacked. Further, only less than half (41 percent) have a good understanding of the threat landscape facing their company today, as shown in Figure 7. Figure 7: Do you have a good understanding about the threat landscape facing your company today? 6 53% 5 41% 6% Yes No Unsure 6

7 7 Figure 8 shows the differences among countries and reveals that respondents in Italy (52 percent) believe they have a good understanding about threats. They are followed by Netherlands (47 percent) and France (46 percent). Those less certain are Hong Kong (33 percent), Germany (34 percent), Singapore (35 percent), United Kingdom (35 percent) and India (39 percent). Figure 8: Do you have a good understanding about the threat landscape facing your company today? % 43% 43% 33% 35% 39% 35% 34% 46% 47% 41% 52% 43% 41% US CA AU CH HK SG ID UK DE FR NL SW IT MX BZ Yes The biggest targets of cyber attacks are intellectual property and customer data. Many security professionals have sleepless nights due to the sophistication of today s threats. Respondents were asked if their organization had indeed lost data as the result of a cyber attack and, if yes, what types of data were lost or stolen. While 37 percent of respondents say with certainty that their companies lost sensitive or confidential information as a result of a cyber attack, 15 percent are uncertain. As shown in Figure 9, data most often targeted is customer data followed by intellectual property. However, 35 percent of those who had lost sensitive or confidential information did not know what exactly had been stolen. Figure 9: Types of Confidential Data Targeted (More than one response permitted.) 5 47% 45% 35% 25% 15% 5% Customer data 39% Intellectual property 35% 19% 1% Don t know Financial records Other 7

8 8 Conclusion This research report exposes the cracks in cybersecurity defenses for organizations. How can companies better manage the cyber attacks targeting their sensitive and confidential information? The following are some recommendations: Eliminate the uncertainty of cyber risks by investing in technologies that provide visibility and details about attempted attacks and how successful attacks would affect your company. Look for access to better threat intelligence and real-time defenses. Deploy an all-encompassing defense strategy that incorporates web, and mobile channels. Avoid hyper-focusing on one channel and examine all the channels your users and network use to interact with information. Assess security solution capabilities and deployments against a comprehensive kill-chain model to eliminate gaps and minimize excessive overlap. Find effective employee security education methods to promote cooperation and communicate the seriousness of cyber attacks and reduce high risk behavior. 8

9 9 Methods Table 1 reports the sample response for 15 countries. A total of 160,534 IT and IT security practitioners in 15 countries were invited to participate in this global study. A total of 5,244 respondents returned the survey. Tests for reliability and screening removed 363 surveys. The final combined sample was 4,881 surveys, yielding a 3.0 percent response rate. Countries Abbreviations Sampling frame Table 1. Survey Response Total survey returns Screened or rejected Final sample Response rate Australia AU 5, % Brazil BZ 15, % Canada CA 7, % China CH 11, % France FR 11, % Germany DE 12, % Hong Kong HK 4, % India ID 23, % Italy IT 6, % Mexico MX 12, % Netherlands NL 8, % Singapore SG 3, % Sweden SW 2, % United Kingdom UK 11, % United States US 21, % ,534 5, , Pie Chart 1 reports the respondent s organizational level within participating organizations. By design, 59 percent of respondents are at or above the supervisory levels. Pie Chart 1: What organizational level best describes your current position? ( results for 15 countries.) 4% 2% 3% 2% 16% Vice President Director Manager 33% 22% Supervisor Technician Staff Contractor Other 19% 9

10 10 According to Pie Chart 2, 66 percent of respondents report directly to the chief information officer and 18 percent report to the chief information security officer. Pie Chart 2: Primary person you or your IT security leader reports to ( results for 15 countries.) 6% 3% 3% 4% Chief Information Officer Chief Information Security Officer 18% Chief Risk Officer Compliance Officer Chief Security Officer Other 66% Pie Chart 3 reports the industry segments of respondents organizations. This chart identifies financial services (18 percent) as the largest segment, followed by public sector (15 percent) and industrial (11 percent). Pie Chart 3: What industry best describes your organization s industry focus? ( results for 15 countries.) 3% 2% 2% 5% 4% 5% 5% 6% 7% 8% 9% 18% 11% 15% Financial services Public sector Industrial Retailing Services Health & pharmaceutical Technology & software Consumer products Hospitality Energy Education & research Communications Transportation Other 10

11 11 Pie Chart 4 reveals the worldwide headcount of the respondent s organization. Sixty-four percent of respondents are from organizations with a global headcount greater than 1,000. Pie Chart 4: Organization s worldwide headcount. ( results for 15 countries.) 7% 3% 15% 17% Less than to 1,000 1,001 to 5,000 5,001 to 25,000 25,001 to 75,000 More than 75,000 37% Caveats There are inherent limitations to survey-based research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The findings are based on a sample of survey returns. Surveys were sent to a representative sample of individuals in 15 countries, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of their underlying beliefs from those who responded to our survey request. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response. 11

12 12 Appendix: Detailed Survey Results The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in November (Individual country samples are weighted by size.) 15 countries Survey Response Sampling frame Total survey returns 5244 Screened and rejected surveys 363 Final sample 4881 Response rate 3. Part 1. Screening S1. How familiar are you with the cyber threats facing your company? Very familiar 48% Familiar 52% Not familiar (stop) S2. How are you involved in your company s cyber threat intelligence activities? Please select all that apply. User of cyber threat intelligence 73% Gatherer of cyber threat intelligence 49% Analyzer of cyber threat intelligence 45% Executive or manager in-charge of threat intelligence activities 35% None of these roles (stop) Total 202% Part 2: Attack Intelligence Attributions: Strongly agree and agree response combined. Q1. My company is protected from advanced cyber attacks. 43% Q2. Cybersecurity threats sometimes fall through the cracks of my company s existing security systems. 69% Q3. My company s security can stop cybercriminals from stealing corporate information. 37% Q4. It is possible to create a security program that can withstand all targeted attacks. 26% Q5. My company s leaders equate losing confidential data with a potential loss of revenue. Q6. Do your company s security solutions provide adequate intelligence to inform you about an attempted cyber attack and what would have happened if the attack succeeded? Yes 42% No 44% Unsure 15% Q7. Has your company experienced one or more substantial cyber attacks during the past 12 months? Yes 44% No 48% Unsure 7% 12

13 13 Q8. Do your security solutions provide information about the sources and/or root causes of cyber attacks experienced by your company? Yes 49% No 44% Unsure 7% Q9a. Has your company lost sensitive or confidential data as a result of a cyber attack (i.e., exfiltration)? Total Yes 37% No 48% Unsure 15% Q9b. If yes, what confidential data was targeted? Financial records 19% Customer data 47% Intellectual property 39% Don t know 35% Other (please list) 1% Total 142% Q16. Do you have a good understanding about the threat landscape facing your company today? Total Yes 41% No 53% Unsure 6% Q17. What best describes the level of knowledge among non-it executives about your company s cyber security defenses? Total Substantial 5% Good 16% Some 34% Poor 35% None (no understanding whatsoever) 11% Q18. What best describes the level of knowledge and concern about cyber security among the board members of your company? Total Substantial 5% Good 13% Some 31% Poor 29% None (no knowledge or concern whatsoever) 19% 13

14 14 Part 4. Organizational Characteristics and Respondent Demographics D1. What organizational level best describes your current position? Senior Executive 1% Vice President 2% Director 16% Manager 22% Supervisor 19% Technician 33% Staff 4% Contractor 2% Other 3% D2. Total years of relevant experience Average Total years of IT or security experience 9.66 Total years in current position 4.85 D3. Check the Primary Person you or your IT security leader reports to within the organization. CEO/Executive Committee Chief Financial Officer 1% General Counsel Chief Information Officer 66% Chief Information Security Officer 18% Compliance Officer 3% Human Resources VP Chief Security Officer 3% Chief Risk Officer 6% Other 3% D4. What industry best describes your organization s industry focus? Agriculture & food services 1% Communications 2% Consumer products 5% Defense & aerospace 1% Education & research 3% Energy 4% Entertainment & media 1% Financial services 18% Health & pharmaceutical 7% Hospitality 5% Industrial 11% Public sector 15% Retailing 9% Services 8% Technology & software 6% Transportation 2% Other 2% 14

15 15 D5. What is the worldwide headcount of your organization? Less than % 500 to 1,000 1,001 to 5,000 37% 5,001 to 25,000 17% 25,001 to 75,000 7% More than 75,000 3% Headcount 10,087 Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. 15