2011 State of Security Survey GLOBAL FINDINGS
CONTENTS
Introduction
Methodology
Finding 1: Cybersecurity is important to business
Finding 2: The drivers of security are changing
Finding 3: Details about cyberattacks for business
Finding 4: What are businesses doing about security?
Key Recommendations
Introduction

In its 2011 State of Security Survey, Symantec sought to update its global perspective on key security threats, trends and responses across a range of businesses worldwide, including SMBs and larger enterprises, 3,300 in all. Of course, the insights from this survey provide a strategic market outlook for Symantec. At the same time, however, sharing its results with the industry in general and IT professionals in particular will help provide benchmarks for assessing the state of their own cybersecurity readiness.

Overall, survey participants consider safeguarding their networks and data to be critically important to their business. Many see a growing menace in cyberattacks, with substantial hard and soft costs resulting from them. As the IT landscape continues its migration from desktop to mobile computing, along with increasing numbers of mobile and remote employees, the industry drivers of cybersecurity are reflecting these changes.

Organizations are getting better at fighting the war against cybersecurity threats. While the majority of respondents suffered damages as a result of cyberattacks, more respondents reported a decline in the number and frequency of attacks compared to 2010. However, the survey revealed that many companies, nearly half of the respondents, could still do more to secure their networks and information assets. In response, companies are increasing their cybersecurity staffing and budgets.

This report provides greater detail on Symantec's 2011 State of Security Survey, including our four key findings. Recommendations for improving cybersecurity follow, as does a compilation of the survey's most pertinent data behind our findings. For more information about any of the contents of this report, please contact your Symantec representative or visit www.symantec.com.
Methodology

Symantec commissioned Applied Research to conduct the 2011 State of Security Survey in April and May of 2011. Researchers contacted a total of 3,300 businesses, ranging from five to more than 5,000 employees. The businesses represented a variety of industries. In the case of small businesses, the respondents were responsible for computing resources at the company, while enterprise respondents were tactical IT, strategic IT or C-level executives. The poll has a reliability of 95% confidence with +/- 1.8% margin of error.
How many employees does your organization have worldwide?
5 to 49: 6%
50 to 99: 6%
100 to 249: 10%
250 to 499: 13%
500 to 999: 28%
1,000 to 2,499 (small enterprise): 12%
2,500 to 4,999 (medium enterprise): 12%
5,000 or more (large enterprise): 12%
Finding 1: Cybersecurity is important to business

Businesses today are concerned about a variety of threats, including criminal activity, brand-related events, natural disasters and state-level attacks such as terrorism. According to our survey results, however, their most serious fears relate to cybersecurity. Specifically, their top worry is cyberattacks followed by IT incidents caused by well-meaning insiders and internally generated IT-related threats.

Not only have cyberthreats risen to the top of organizations' watch lists, but also the importance of these threats has increased for many respondents. In fact, 41 percent think cybersecurity is more important today than it was just a year ago. This compares to just 15 percent who say cybersecurity's importance is somewhat or significantly decreasing. Clearly, businesses increasingly believe that keeping their networks and information secure is of vital importance to their operations.
Please rank the following business risks in order of significance to your organization. (1 being most significant, 7 being least significant, Average ranks)
Cyberattacks: 3.23
IT incidents caused by well-meaning insiders: 3.56
Internally generated IT-related threats: 3.65
Traditional criminal activity: 3.96
Brand-related events: 4.25
Natural disasters: 4.38
Terrorism: 4.97

How has the importance of securing your organization's platforms and information changed from 12 months ago?
Significantly more important: 13%
Somewhat more important: 28%
About the same: 45%
Somewhat less important: 11%
Significantly less important: 4%

The security of IT is threatened by trends including:
Mobile computing
Social media
Consumerization of IT

The most critical threats are:
Well-meaning insiders
Hackers
Targeted attacks
Finding 2: The drivers of security are changing

If concerns over corporate cybersecurity are increasing, why? With the market saturated by mobile devices, it's no surprise that 47 percent of survey respondents consider mobile computing to be the top challenge to providing cybersecurity. Mobile computing may be revolutionizing the productivity landscape, but IT finds it a major difficulty in securing corporate networks and data.

In addition to mobile computing, 46 percent of respondents indicate that the second most pressing concern is the surge in social media. While these communication channels present unique marketing and collaborative opportunities, the potential for clicking on malicious links or posting sensitive information worries IT.

Next on the list of drivers is the consumerization of IT, a concern for 45 percent of respondents. As end users adopt new technologies such as tablet computers that cross over from consumer to business markets, IT must address the additional challenges of securing those endpoints as well as the corporate network connectivity for those devices.

The top sources of security threats? Forty-nine percent of respondents point to hackers. Next on the list are well-meaning insiders, say 46 percent. Third, say 45 percent of those surveyed, are targeted attacks.
Somewhat/Extremely Significant Industry Trends Affecting Difficulty of Security
Public Infrastructure/Platform-as-a-Service: 39%
Public Software-as-a-Service: 40%
Private cloud computing: 40%
Compliance: 41%
Changes in the threat landscape: 43%
Application growth: 44%
Virtualization: 44%
Consumerization of IT: 45%
Social media: 46%
Mobile computing: 47%

Somewhat/Extremely Significant Security Threats
State-sponsored attacks: 35%
Criminals: 41%
Hacktivism: 41%
Industrial espionage: 41%
Malicious insiders: 44%
Targeted attacks: 45%
Well-meaning insiders: 46%
Hackers: 49%

71% of respondents saw an attack in the last year, including malicious code, social engineering and external malicious attacks.
21% of respondents see the frequency of attacks increasing and almost ¼ saw the attacks as somewhat to significantly effective.
Finding 3: Details about cyberattacks for business

Concerns about hackers are well-founded, given the number of businesses that are experiencing cyberattacks. Seventy-one percent of organizations saw attacks in the past 12 months, compared to 75 percent in 2010. Ninety-two percent of respondents report losses from such incidents, down from 100 percent last year. The percentage who reported an increasing frequency of attacks fell from 29 percent in 2010 to 21 percent in 2011. The top three losses were downtime, theft of employee's identity information and theft of intellectual property.

How destructive are these attacks in hard costs? In a word, substantial. Among SMBs, 20 percent incurred at least $100,000 in expenses from attacks within the last year. And the cost was even higher for larger enterprises, with 20 percent incurring at least $271,000 in damages. Respondents say the top sources of those costs are lost productivity and revenue; lost organizational, customer, or employee data; and damage to a company's brand reputation.

The methods cybercriminals use in their attacks reflect the evolving drivers of security, according to the survey's results. Malicious code attacks rank highest among respondents with 22 percent of them having experienced this kind of attack in the prior year.
Characterize the quantity of cyberattacks against your organization over the past 12 months:
We saw an extremely large number of cyberattacks: 2%
We saw a large number of cyberattacks: 4%
We saw cyberattacks on a regular basis: 21%
We saw just a few cyberattacks: 44%
We saw no cyberattacks: 29%

Somewhat/Extremely High Number in past 12 months?
Targeted attacks: 13%
Internal malicious attacks: 13%
Denial of Service attacks: 14%
Internal unintentional actions: 15%
External malicious attacks: 18%
Social engineering attacks: 20%
Malicious code attacks: 22%

92% of those attacked saw losses from cyberattacks including downtime, intellectual property and customer credit card info.
84% of these losses translated into actual costs (productivity, revenue, money or goods).
20% of businesses lost at least $195,000 as a result of cyberattacks.
Finding 3 (continued)

Twenty percent say they suffered social engineering attacks in the past year that include phishing, spoofing and pre-texting. External malicious attacks remain ever present, seeking to breach traditional defenses such as firewalls and antivirus software. This kind of attack affected 18 percent of respondents in the past year. Interestingly, respondents also see these three cyberattack methods as the fastest growing.

Attacks Growing Somewhat/Extremely Quickly
Internal malicious attacks: 17%
Denial of Service attacks: 18%
Targeted attacks: 19%
Internal unintentional actions: 19%
External malicious attacks: 24%
Social engineering attacks: 26%
Malicious code attacks: 30%
Cyber Losses Experienced
Theft of employee PHI: 10%
Theft of customer PHI: 14%
Identity theft: 16%
Theft of customer financial information: 17%
Theft of other corporate data: 18%
Theft of customer PII: 19%
Theft of intellectual property: 19%
Theft of employee PII: 20%
Downtime of our environment: 43%

Costs of Cyberattacks
Reduced stock price: 11%
Litigation costs: 13%
Regulatory fines: 14%
Direct financial cost (money or goods): 15%
Loss of customer trust/damaged customer relationships: 15%
We don't know what was taken or impacted: 16%
Costs to comply with regulations after an attack: 17%
Damaged brand reputation: 17%
Loss of organization, customer, or employee data: 17%
Lost revenue: 23%
Lost productivity: 35%
Finding 4: What are businesses doing about security?

When it comes to security measures, businesses need to be able to both deter attacks and also react to them when they occur. It's also important to pursue strategic initiatives that will lay the foundation for future protection. Based on the survey results, there is room for organizations to improve in how they prepare for and respond to threats.

The survey revealed that organizations are the most prepared when it comes to routine security measures. Fifty-two percent report that they are doing well in this area, and 51 percent say they are doing well in addressing cyberattacks. On the other hand, only 48 percent say they are doing well in the areas of strategic security initiatives and just 45 percent are pursuing innovative security issues.

To address these shortfalls, businesses are increasing staffing levels for the IT department. In particular, they are adding staff to deal with network, Web and endpoint security. In addition, they are increasing their budgets for network and Web security as well as security systems management. It's clear that organizations are stepping up their efforts in improving their protection, but many companies, nearly half of those surveyed, have much work still to do in safeguarding their networks and information assets.
Doing Well/Extremely Well
Pursuing innovative or cutting-edge security issues: 45%
Pursuing strategic security initiatives: 48%
Demonstrating compliance: 48%
Attending to security attacks or breaches: 51%
Addressing routine security measures: 52%

Manpower Slowly/Rapidly Growing
Reporting: 40%
Auditing/Compliance: 40%
Policies and procedures: 40%
Security for virtualized environments: 40%
Security for public cloud initiatives: 41%
Security for private cloud initiatives: 42%
Vulnerability assessment/detection: 42%
Security systems management: 42%
Responding to security incidents: 42%
Risk management: 43%
User training and awareness: 43%
Messaging security: 43%
Preventing data loss: 43%
Mobile security: 43%
Endpoint security: 45%
Web security: 46%
Network security: 46%

Security Budget Slowly/Rapidly Growing
Reporting: 34%
Incident response: 34%
Policies and procedures: 35%
Security for private cloud initiatives: 36%
Security for public cloud initiatives: 36%
User training and awareness: 36%
Messaging security: 37%
Vulnerability assessment/detection: 37%
Endpoint security: 37%
Risk management: 37%
IT audit and compliance: 37%
Security for virtualized environments: 38%
Mobile security: 38%
Security systems management: 38%
Data loss prevention: 39%
Web security: 41%
Network security: 42%

46% of respondents are increasing staffing in areas of network and web security.
38% of respondents are increasing security systems management budgets.
41% of respondents are increasing network and web security budgets.
Key Recommendations

Organizations need to develop and enforce IT policies. By prioritizing risks and defining policies that span across all locations, customers can enforce policies through built-in automation and workflow to protect information, identify threats, and remediate incidents as they occur or anticipate them before they happen.

Businesses need to protect information proactively by taking an information-centric approach to protecting both information and interactions. Taking a content-aware approach to protecting information is key in identifying and classifying confidential, sensitive information, knowing where it resides, who has access to it, and how it is coming in or leaving your organization. Proactively encrypting endpoints will also help organizations minimize the consequences associated with lost devices.

To help control access, IT administrators need to validate and protect the identities of users, sites and devices throughout their organizations. Furthermore, they need to provide trusted connections and authenticate transactions where appropriate.

Organizations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.

IT administrators need to protect their infrastructure by securing all of their endpoints, including the growing number of mobile devices, along with messaging and Web environments. Defending critical internal servers and implementing the ability to back up and recover data should also be priorities. In addition, organizations need the visibility and security intelligence to respond to threats rapidly.