The State of Data Centric Security

The State of Data Centric Security Sponsored by Informatica Independently conducted by Ponemon Institute LLC Publication Date: June 2014 Ponemon Institute Research Report

State of Data Centric Security Ponemon Institute, June 2014 Part 1. Introduction Ponemon Institute is pleased to present the results of the State of Data Centric Security, sponsored by Informatica. The purpose of this research is to learn how organizations are responding to threats to the security of their structured and unstructured data. According to the findings, the uncertainty about the location of sensitive and confidential data is more of a worry than a hacker or malicious employee. We surveyed 1,587 Global IT and IT security practitioners in 16 countries. 1 A list of participating countries is presented in the appendix of this report. To ensure a knowledgeable and quality response, only IT practitioners whose job involves the protection of sensitive or confidential structured and unstructured data were allowed to participate. For purposes of this research, data centric security assigns a data security policy at creation and follows the data wherever it gets replicated, copied or integrated independent of technology platform, geography or hosting platform. Data centric security includes technologies such as data masking, encryption, tokenization and database activity monitoring. This research reveals, however, that automated solutions would help improve an organization s compliance and data protection posture. Key findings of this research Data in the dark keeps IT practitioners up at night. Fifty-seven percent of respondents say not knowing where the organization s sensitive or confidential data is located keeps them up at night. This is followed by 51 percent who say migration to new mobile platforms is a concern. Sensitive or confidential data is often invisible to IT security. Only 16 percent of the respondents believe they know where all sensitive structured data is located and a very small percentage (7 percent) know where unstructured data resides. Organizations mainly rely upon the classification of sensitive data to safeguard data assets. The two most popular technologies for structured data are sensitive data classification and application-level access controls. Only 19 percent say their organizations use centralized access control management and entitlements and 14 percent use file system and access audits. Automated sensitive data-discovery solutions are believed to reduce the risk to data and increase security effectiveness. Despite the positive perception about automated solutions, 60 percent of respondents say they are not using automated solutions to discover where sensitive or confidential data is located. Of the 40 percent of respondents who say their organizations use automated solutions, 64 percent say they use it for discovering where sensitive or confidential data are located in databases and enterprise applications. Only 22 percent use it to discover data in files and emails. Specific automated solutions would improve the organization s compliance and data protection posture. The most popular capabilities are automated user access history with real time monitoring followed by policy workflow automation. 1 This global sample was analyzed according to three regions: North America (NA), Europe and Rest of World (ROW). Ponemon Institute Research Report Page 1

Part 2. Key findings In this section we present an analysis of the consolidated findings. The complete audited findings are presented in the appendix of this report. We have organized the report according to the following themes: Data in the dark keeps IT practitioners up at night Security solutions often do not improve visibility into the location of data and user access Get a good night s sleep with the right solutions in place Data in the dark keeps IT practitioners up at night Not knowing the location of sensitive or confidential data keeps most respondents up at night and represents a significant security risk. Respondents were given a list of threats and risks that can create a nightmare for IT security practitioners. Figure 1 shows that 57 percent of respondents say not knowing where the organization s sensitive or confidential data is located keeps them up at night. This is followed by 51 percent who say migration to new mobile platforms is a concern. Hackers, non-compliance with regulations and malicious employees are much lower on the list. Figure 1. What keeps you up at night? Three responses permitted Not knowing where confidential data is 57% Migration to new mobile platforms Temporary worker or contractor mistakes 51% 50% Third party or outsourcer management of data 42% Migration to cloud ecosystem Hackers Non-compliance with laws or regulations 23% 21% 24% Broken business processes 16% Employee mistakes Malicious employees 6% 10% 0% 10% 20% 30% 40% 50% 60% Ponemon Institute Research Report Page 2

Data security is a serious threat but not often a priority. Figure 2 reveals a significant gap in the percentage of respondents who agree that not knowing where sensitive and confidential information resides is a serious threat and the percentage of respondents who believe it is a high priority in their organizations. Seventy-nine percent of respondents agree it is a significant security risk facing their organizations. But a much smaller percentage (51 percent) believes that securing and/or protecting data is a high priority in their organizations. This gap indicates that there may be difficulty in acquiring the necessary resources to mitigate the risk. Figure 2. Attributions about the security of sensitive data Strongly agree and agree response combined Not knowing where my organization s sensitive information is represents a significant security risk 79% Securing and/or protecting data is a high priority 51% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Organizations are mostly in the dark about where sensitive or confidential data is located. According to Figure 3, only 16 percent of the respondents believe they know where all sensitive structured data is located and a very small percentage (7 percent) know where unstructured data resides. There is also a big difference between knowing the location of structured and unstructured data. Twenty-four percent of respondents say they cannot determine where structured data is located, whereas 41 percent are in the dark about their organization s unstructured data. Figure 3. Do you know where your sensitive or confidential data is located? 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 42% 41% 38% 24% 22% 16% 7% 10% Yes, all data Yes, most data Yes, some data No Structured data Unstructured data Ponemon Institute Research Report Page 3

Security solutions often do not improve visibility into the location of data and user access Organizations mainly rely upon sensitive data classification to safeguard structured and unstructured data assets. Respondents estimate that on average 34 percent of their organization s data could be classified as sensitive or confidential and this includes both structured and unstructured data. Customer data is considered most at risk by 53 percent of respondents followed by 38 percent who say it is intellectual property. Figure 4 reveals the technologies or tools organizations are using to protect structured data assets. The two most popular for structured data are sensitive data classification and applicationlevel access controls. Figure 4. Technologies to protect structured data assets More than one response permitted Sensitive data classification Application-level access controls 62% 68% Database activity monitoring 47% Database encryption Centralized access control for data in databases and enterprise applications Persistent masking of sensitive fields in non-prod environments Transparent Tokenization of sensitive fields Dynamic masking of sensitive field in prod environments 13% 20% 25% 42% 47% 0% 10% 20% 30% 40% 50% 60% 70% 80% Ponemon Institute Research Report Page 4

In the case of unstructured data (Figure 5), organizations also use sensitive data classification followed by security information management systems. Figure 5. Technologies to protect unstructured data assets More than one response permitted Sensitive data classification 54% Security Information Management 40% Identity and Access Management Digital rights management Data Loss Prevention 31% 29% 29% Centralized access control management and entitlements 19% File system and access audits 14% 0% 10% 20% 30% 40% 50% 60% The IT department is most often accountable for granting user access to data assets. According to Figure 6, 49 percent say the IT function grants access to employees followed by 25 percent who say business unit managers are responsible. Figure 6. Who has primary accountability for granting user access to data assets? Two responses permitted Information technology department 49% Business unit managers 25% Legal, risk or compliance department 12% Information security department 10% Data owners 5% 0% 10% 20% 30% 40% 50% 60% Ponemon Institute Research Report Page 5

Control over access to sensitive information is critical to reducing risk. Forty-two percent of respondents say access to sensitive data is controlled by role, location and other factors, as revealed in Figure 7. However, the findings reveal that companies are not successful with their access control procedures. Only 23 percent believe that employees, temporary employees or contractors have the appropriate level of access and there is little risk that these individuals would have too much access. Figure 7. Attributions about the security of sensitive data Strongly agree and agree response combined Access to sensitive data is controlled by role, location and/or other factors 42% There is little risk that employees, temporary employees or contractors would have too much access to data 23% Data asset security procedures are graded as poor or not accomplished. Figure 8 lists the security procedures that are not being accomplished in organizations. As shown, most organizations are not using comprehensive digital forensics, monitoring data transfers to and from third-party locations, including cloud, and enforcing data access policies in a consistent fashion. Figure 8. Security procedures for data assets in databases Procedures are poorly conducted or are not accomplished 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% Comprehensive digital forensics capability 65% Monitor data transfers to and from third-party locations including cloud 61% Enforce data access policies in a consistent fashion across applications, locations, departments, technology standards, etc. 59% Protect sensitive data by masking, data deidentification, data redaction, or data suppression 56% Manage access changes based on changes in policy, user needs or application updates 53% Revoke data access rights upon an employee s termination or changes in policy 51% 0% 10% 20% 30% 40% 50% 60% 70% Ponemon Institute Research Report Page 6

Many security procedures for sensitive and confidential data in emails are not in place. Figure 9 reveals that the majority of organizations are not using comprehensive digital forensics, protecting sensitive data by masking, data de-identification, data redaction or data suppression and enforcing data access policies in a consistent fashion across applications, locations, departments and technology standards. Figure 9. Security procedures for data assets in emails Procedures are poorly conducted or are not accomplished Comprehensive digital forensics capability 69% Protect sensitive data by masking, data deidentification, data redaction, or data suppression 68% Detect and contain data leakage and theft 63% Enforce data access policies in a consistent fashion across applications, locations, departments, technology standards, etc. 62% Monitor data access of privileged users across structured and unstructured data 60% Revoke data access rights upon an employee s termination or changes in policy 59% 0% 10% 20% 30% 40% 50% 60% 70% 80% Ponemon Institute Research Report Page 7

Data security procedures at the file level often do not monitor data transfers to and from third-party locations, including the cloud. Figure 10 reveals the security procedures for data assets in files that respondents say are either poor or not accomplished in their organizations. In addition to not monitoring data transfers, organizations do not have comprehensive digital forensics capability or enforcing data access policies in a consistent fashion across applications and locations. Figure 10. Security procedures for data assets in files Procedures are poorly conducted or are not accomplished Monitor data transfers to and from third-party locations including cloud 72% Comprehensive digital forensics capability 68% Enforce data access policies in a consistent fashion across applications, locations, departments, technology standards, etc. 67% Protect sensitive data by masking, data deidentification, data redaction, or data suppression 64% Revoke data access rights upon an employee s termination or changes in policy 64% Monitor data access of privileged users across structured and unstructured data 63% Manage access changes based on changes in policy, user needs or application updates 63% Monitor access rights based on job, role, or on a need-to-know-basis 63% Data loss prevention solution implementation 62% 0% 10% 20% 30% 40% 50% 60% 70% 80% Ponemon Institute Research Report Page 8

Get a good night s sleep with the right solutions in place Automated sensitive data-discovery solutions are believed to reduce the risk to data and increase the security effectiveness. Despite the positive perception about automated solutions, 60 percent of respondents say they are not using automated solutions to discover where sensitive or confidential data is located. As shown in Figure 11, of the 40 percent of respondents who say their organizations use automated solutions, 64 percent say they use it for discovering where sensitive or confidential data are located in databases and enterprise applications. Only 22 percent say they have an automated solution for discovering where such data is located in files and emails. Figure 11. Automated solutions are used for discovering sensitive or confidential data in databases, enterprise applications, files & email 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 64% Yes 22% 36% No 78% Databases and enterprise applications Files and emails Ponemon Institute Research Report Page 9

Data breaches can be reduced. Seventy-two percent of organizations represented in this research had a data breach in the past 12 months. According to respondents, these data breach incidents could be stopped with effective data security technologies and skilled personnel. Measures to stop or reduce the magnitude and frequency of data breaches are shown in Figure 12. According to 58 percent of respondents, more effective data security technologies would reduce the risk and 57 percent believe having more skilled personnel with data security responsibilities would have decreased the likelihood of the data breach. Fifty-four percent believe automated processes or controls in place would avoid a breach. Budget does not seem to be as much a factor in reducing the risk of an incident. A smaller percentage of respondents (46 percent) believe the breach incident would have been avoided if their organization had a larger budget or spending level. Figure 12. How a data breach incident could have been avoided Very likely and likely responses combined The organization had more effective data security technologies in place 58% The organization had more skilled personnel with data security responsibilities 57% The organization had more automated processes or controls in place 54% The organization had a larger budget or spending level 46% 0% 10% 20% 30% 40% 50% 60% 70% Ponemon Institute Research Report Page 10

Specific automated solutions would improve the organization s compliance and data protection posture. Figure 13 lists 8 data centric security capabilities that the majority of respondents believe would contribute to a more effective compliance and data protection posture. The most popular capabilities, according to respondents, are automated user access history with real time monitoring followed by policy workflow automation (76 percent and 74 percent of respondents, respectively). A close third at 69 percent of respondents believe automated data discovery would be beneficial. Figure 13. Would the following 8 data centric security capabilities improve compliance and data protection? Significant improvement and improvement responses combined Automated user access history with real time monitoring Policy workflow automation Automated data discovery Technology diagnostics Aggregated view across geography, data centers, and business units 76% 74% 69% 62% 62% Integrated data security analysis and protection Automated classification Data flow diagrams 53% 52% 51% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Ponemon Institute Research Report Page 11

Part 3. Differences across global regions In this section, we provide an analysis of the most interesting differences among countries represented in this research. Worries about the state of data security keep respondents throughout the world up at night. Figure 14 shows the majority of respondents are concerned about the threats to the organization s data assets because of not knowing where sensitive or confidential data resides. The respondents in other countries have the greatest degree of sleeplessness. In contrast to other countries, European respondents are more concerned with non-compliance with laws or regulations. Figure 14. What keeps you up at night? Three responses permitted Not knowing where confidential data is Migration to new mobile platforms Temporary worker or contractor mistakes Third party or outsourcer management of data Migration to cloud ecosystem Hackers Non-compliance with laws or regulations Broken business processes Malicious employees Employee mistakes 34% 26% 21% 24% 26% 18% 23% 19% 33% 11% 15% 15% 18% 6% 8% 5% 5% 9% 17% 57% 50% 64% 52% 46% 56% 50% 51% 48% 43% 49% 0% 10% 20% 30% 40% 50% 60% 70% NA Europe ROW Ponemon Institute Research Report Page 12

Organizations are mostly in the dark about where sensitive or confidential data is located. According to Figure 15, only about one-quarter of respondents in this study in all parts of the world believe they know where all sensitive structured data is located. Specifically, 24 percent of North American respondents, 23 percent of European respondents and 26 percent of respondents in other countries do not know. However, when it comes to knowing where an organization s unstructured data is located a much higher percentage of respondents are uncertain. Figure 15. Do you know where your data is? Percentage No response 50% 45% 40% 43% 42% 38% 35% 30% 25% 24% 23% 26% 20% 15% 10% 5% 0% Structured data Unstructured data NA Europe ROW Detection of a data breach involving unstructured data is difficult throughout the world. Figure 16 reveals that there is more confidence in detecting a data breach involving structured data than if the data breach resulted in the loss or theft of unstructured data. Figure 16. Would you be able to detect a data breach? Percentage No response 40% 35% 34% 32% 34% 30% 25% 20% 15% 12% 14% 10% 8% 5% 0% Structured data Unstructured data NA Europe ROW Ponemon Institute Research Report Page 13

Customer data is considered most at risk in North America. Figure 17 reveals that respondents in other countries (ROW) also say customer data is vulnerable. Only 23 percent of respondents in Europe are worried about intellectual property. It is interesting that 56 percent of respondents in the other countries consider business intelligence to be most at risk. Figure 17. Data considered most at risk in the organization Two responses permitted Customer Intellectual property Business intelligence Employee Patient records Consumer National security/classified Taxpayer/citizen Finance and accounting Student records Payment data Other 23% 23% 14% 10% 6% 8% 9% 19% 9% 8% 7% 7% 7% 10% 3% 5% 7% 10% 4% 7% 3% 2% 4% 2% 0% 2% 1% 42% 39% 39% 29% 34% 39% 49% 56% 64% 0% 10% 20% 30% 40% 50% 60% 70% NA Europe ROW Ponemon Institute Research Report Page 14

Outside North America, the information technology department has primary responsibility for granting user access to data assets. While organizations in North America tend to share accountability between the IT function and business unit managers, Figure 18 shows that business unit managers have less influence. Because of concerns about non-compliance, more European respondents say the legal, risk or compliance department has primary accountability. Figure 18. Who has primary accountability for granting user access to data assets? Two responses permitted Information technology department 37% 49% 65% Business unit managers Information security department 18% 17% 12% 8% 8% 35% Legal, risk or compliance department Data owners Other 10% 6% 5% 6% 4% 1% 0% 0% 19% 0% 10% 20% 30% 40% 50% 60% 70% NA Europe ROW Ponemon Institute Research Report Page 15

Confidence in visibility into users access to sensitive or confidential information varies among countries. Figure 19 reveals that European organizations seem to have the most confidence in their ability to know users access to structured data and in other countries have the least. All countries are not as confident in their visibility into users access of unstructured data. Figure 19. How confident are you that your organization has visibility into users access to confidential data? Very confident and confident responses combined 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 72% 82% Structured data 69% 54% 59% Unstructured data 53% Countries represented in this research are positive about the use of automated solutions to discover where sensitive or confidential data has proliferated. While the use of these solutions are on the low side (41 percent of respondents in North America, 39 percent in Europe and 38 percent in other countries), the majority of respondents believe they would be very helpful in understanding where in the organization sensitive or confidential data has proliferated. Figure 20 shows the differences among countries. Figure 20. Use of automated solutions Percentage Yes response NA Europe ROW Using an automated solution for discovering where confidential data has proliferated would increase the effectiveness of your company s data security activities 69% 73% 74% Use of automated solutions to discover where sensitive or confidential data are located 41% 39% 38% 0% 10% 20% 30% 40% 50% 60% 70% 80% NA Europe ROW Ponemon Institute Research Report Page 16

Countries represented in this research share similar perceptions about the most effective data centric security capabilities. Figure 21 reveals that the top three capabilities are automated user access history with real-time monitoring, policy workflow automation and automated data discovery. Figure 21. Would the following 8 data centric security capabilities improve compliance and data protection? Significant improvement and improvement responses combined Automated user access history with real time monitoring 78% 72% 79% Policy workflow automation Automated data discovery Aggregated view across geography, data centers, and business units Technology diagnostics 71% 70% 69% 67% 72% 65% 61% 58% 62% 66% 59% 82% Integrated data security analysis and protection 45% 50% 61% Automated classification 57% 51% 47% Data flow diagrams 46% 49% 59% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% NA Europe ROW Ponemon Institute Research Report Page 17

Part 4. Methods & Limitations Table 1 reports the consolidated sample response for North America, Europe and Rest of World. A total of 45,829 IT and IT security practitioners in 16 countries were invited to participate in this global study. A total of 1,743 respondents returned the survey. Tests for reliability and screening removed 156 surveys. The final combined sample was 1,587 surveys, yielding a 3.5 percent response rate. Table 1. Sample response Freq Pct% Sampling frame 45,829 100% Total returns 1,743 3.8% Rejections and screened surveys 156 0.3% Final sample 1,587 3.5% Pie Chart 1 reports the respondent s organizational level within participating organizations. By design, 61 percent of respondents are at or above the supervisory levels. Pie Chart 1. Current position level within the organization view 2% 4% 17% Executive/VP 37% Director Manager Supervisor 23% Staff/technician Contractor 18% Pie Chart 2 reports the respondents direct reporting channel within the organizations. Sixty-four percent of respondents report directly to the CIO or head of corporate IT. Pie Chart 2. Direct reporting channel view 2% 2% 3% 15% CIO or head of corporate IT 16% 64% Business unit leader or general manager CISO/CSO or head of IT security COO or head of operations Head of compliance or internal audit Other Ponemon Institute Research Report Page 18

According to Pie Chart 3, forty-three percent of respondents identify the scope of their job or role as a corporate function. Thirty-four percent say support/service center. Pie Chart 3. Scope of your job or role view 6% 17% 43% Corporate Support/service center Line of business Other 34% Pie Chart 4 reports the industry classification of respondents organizations. This chart identifies financial services (16 percent) as the largest segment, followed by services (10 percent), and public sector (10 percent). Pie Chart 4. Primary industry classification view 5% 6% 9% 4% 4% 4% 2% 3% 9% 9% 16% 9% 10% 10% Financial services Services Public sector Industrial Health & pharmaceutical Retail Technology & software Energy & utilities Consumer products Transportation Entertainment & media Communications Hospitality Other Ponemon Institute Research Report Page 19

As shown in Pie Chart 5, 50 percent of respondents are from organizations with a global headcount of 5,000 or more employees. Pie Chart 5. The full-time headcount of the global organization view 8% 5% 23% 14% 23% 27% Less than 1,000 1,000 than 5,000 5,001 to 10,000 10,001 to 25,000 25,001 to 75,000 More than 75,000 Part 5. Caveats to this study There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses. Ponemon Institute Research Report Page 20

Appendix: Detailed Survey Results The following tables provide the consolidated frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in April 2014. Survey response Sampling frame 45,829 Total returns 1,743 Rejected & screened surveys 156 Final sample 1,587 Response rate 3.5% Part 1: Screening questions S1. Does your job involve the protection of sensitive or confidential business information? Yes 100% No (stop) 0% S2. What best defines your job function? I am responsible for ensuring the protection of data in my organization 18% I am fully committed to data protection activities within my organization 24% I am partially committed to data protection activities within my organization 32% I am involved in the data protection activities within my organization 26% I am not committed to or involved (stop) 0% S3a. What percentage of your job function relates to the protection of structured data (such as data contained in databases)? Zero (stop) 0% Less than 5% 6% 5 to 10% 23% 11 to 25% 33% 26 to 50% 19% 51 to 75% 14% 76 to 100% 4% S3b. What percentage of your job function relates to the protection of unstructured data (such as data in emails and files)? Zero (stop) 0% Less than 5% 9% 5 to 10% 36% 11 to 25% 31% 26 to 50% 12% 51 to 75% 6% 76 to 100% 6% Ponemon Institute Research Report Page 21

Part 2: Issues Q1. With respect to your organization s state of data security, what keeps you up at night? Please select your top three choices. Not knowing where sensitive or confidential data is 57% Hackers 23% Malicious employees 6% Broken business processes 16% Employee mistakes 10% Temporary worker or contractor mistakes 50% Third party or outsourcer management of data (including cloud) 42% Non-compliance with laws or regulations 21% Migration to cloud ecosystem 24% Migration to new mobile platforms 51% Total 300% Q2a. Do you know where your organization s sensitive or confidential structured data (such as data contained in a database) is located? Include production, test, support or data warehouses. Yes, all data 16% Yes, most data 22% Yes, some data 38% No 24% Q2b. If no, what percentage of your organization s sensitive or confidential structured data are you unable to know where it is located? Your best guess is welcome. Zero 0% Less than 5% 6% 5 to 10% 24% 11 to 25% 28% 26 to 50% 29% 51 to 75% 10% 76 to 100% 3% Q3a. Do you know where your organization s sensitive or confidential unstructured data (such as data contained in emails or files) is located? Yes, all data 7% Yes, most data 10% Yes, some data 42% No 41% Q3b. If no, what percentage of your organization s sensitive or confidential unstructured data are you unable to know where it is located? Your best guess is welcome. Zero 0% Less than 5% 3% 5 to 10% 8% 11 to 25% 16% 26 to 50% 25% 51 to 75% 27% 76 to 100% 21% Ponemon Institute Research Report Page 22

Q4a. If your organization had a data breach involving structured data, would you be able to detect it? Yes, all the time 26% Yes, most of the time 34% Yes, some of the time 29% No 11% 0% Q4b. If your organization had a data breach involving unstructured data, would you be able to detect it? Yes, all the time 12% Yes, most of the time 22% Yes, some of the time 33% No 33% Attributions: Please rate your opinion to each item using the scale provided below the statement about sensitive or confidential data. Strongly agree and agree responses combined Q5a. Not knowing where my organization s sensitive or confidential information represents a significant security risk. 79% Q5b. In my organization, securing and/or protecting data is a high priority. 51% Q5c. In my organization, there is little risk that employees, temporary employees or contractors would have too much access to data. 23% Q5d. In my organization, access to sensitive data is controlled by role, location and/or other factors. 42% Q6. In the context of data loss or theft, what types of data do you consider to be most at risk in your organization? Please select your top two choices. Customer 53% Intellectual property 34% Business intelligence 38% Employee 25% Patient records 8% Consumer 12% National security/classified 7% Taxpayer/citizen 6% Finance and accounting 7% Student records 4% Payment data (i.e. credit card number) 3% Other (please specify) 1% Total 200% Q7. What percentage of your organization s data is considered sensitive or confidential (consider all sources, including structured and unstructured)? Less than 5% 3% 5 to 10% 21% 11 to 25% 36% 26 to 50% 13% 51 to 75% 10% 76 to 100% 17% Ponemon Institute Research Report Page 23

Q8. Who has primary accountability for granting user access to data assets? Please check only two responses. Information technology department 49% Information security department 10% Legal, risk or compliance department 12% Business unit managers 25% Data owners 5% Other (please specify) 0% Q9a. What technologies or tools does your organization have in place with regard to the safe use of sensitive or confidential structured data assets? Database activity monitoring (DAM) 47% Sensitive data classification 68% Database encryption 47% Transparent Tokenization of sensitive fields 20% Persistent masking of sensitive fields in non-prod environments 25% Dynamic masking of sensitive field in prod environments 13% Application-level access controls 62% Centralized access control for data in databases and enterprise applications 42% Q9b. What technologies or tools does your organization have in place with regard to the safe use of sensitive or confidential unstructured data assets? Please check all that apply. Data Loss Prevention (DLP) 29% Sensitive data classification 54% Identity and Access Management 31% Digital rights management 29% Centralized access control management and entitlements 19% File system and access audits 14% Security Information Management (SIM) 40% Q10a. How confident are you that your organization has visibility into users access to sensitive or confidential structured data? Very confident 34% Confident 40% Not confident 26% Q10b. How confident are you that your organization has visibility into users access to sensitive or confidential unstructured data? Very confident 21% Confident 34% Not confident 45% Ponemon Institute Research Report Page 24

Q11. How well does your organization govern the acceptable uses of data assets based on the procedures listed below? Rating on a five-point scale from excellent to not accomplished Data security procedures [DATA BASE] Knowing and tracking where sensitive and confidential data are located 45% Construct data architecture - including maps, lineage, flows and inventories 50% Manage data classification with prioritization 40% Monitor access rights based on job, role, or on a need-to-know-basis 48% Manage access changes based on changes in policy, user needs or application updates 53% Revoke data access rights upon an employee s termination or changes in policy 51% Enforce data access policies in a consistent fashion across applications, locations, departments, technology standards, etc. 59% Monitor data access of privileged users across structured and unstructured data 49% Monitor segregation of duties 27% Provide evidence of compliance with policies and regulations 35% Create acceptable use policies 30% Monitor data transfers to and from third-party locations including cloud 61% Educate end-users about data access and control policies 47% Detect and contain data leakage and theft (data breach) 45% Data loss prevention solution implementation 45% Protect sensitive data by encryption and/or tokenization 42% Protect sensitive data by masking, data de-identification, data redaction, or data suppression 56% Comprehensive digital forensics capability 65% Data security procedures [EMAIL] Knowing and tracking where sensitive and confidential data are located 56% Construct data architecture - including maps, lineage, flows and inventories 56% Manage data classification with prioritization 44% Monitor access rights based on job, role, or on a need-to-know-basis 59% Manage access changes based on changes in policy, user needs or application updates 57% Revoke data access rights upon an employee s termination or changes in policy 59% Enforce data access policies in a consistent fashion across applications, locations, departments, technology standards, etc. 62% Monitor data access of privileged users across structured and unstructured data 60% Monitor segregation of duties 40% Provide evidence of compliance with policies and regulations 44% Create acceptable use policies 33% Monitor data transfers to and from third-party locations including cloud 38% Educate end-users about data access and control policies 55% Detect and contain data leakage and theft (data breach) 63% Data loss prevention solution implementation 45% Protect sensitive data by encryption and/or tokenization 49% Protect sensitive data by masking, data de-identification, data redaction, or data suppression 68% Comprehensive digital forensics capability 69% Ponemon Institute Research Report Page 25

Data security procedures [FILE] Knowing and tracking where sensitive and confidential data are located 51% Construct data architecture - including maps, lineage, flows and inventories 58% Manage data classification with prioritization 49% Monitor access rights based on job, role, or on a need-to-know-basis 63% Manage access changes based on changes in policy, user needs or application updates 63% Revoke data access rights upon an employee s termination or changes in policy 64% Enforce data access policies in a consistent fashion across applications, locations, departments, technology standards, etc. 67% Monitor data access of privileged users across structured and unstructured data 63% Monitor segregation of duties 42% Provide evidence of compliance with policies and regulations 43% Create acceptable use policies 40% Monitor data transfers to and from third-party locations including cloud 72% Educate end-users about data access and control policies 58% Detect and contain data leakage and theft (data breach) 56% Data loss prevention solution implementation 62% Protect sensitive data by encryption and/or tokenization 48% Protect sensitive data by masking, data de-identification, data redaction, or data suppression 64% Comprehensive digital forensics capability 68% Q12a. Does your organization currently use any automated solution to discover where sensitive or confidential data are located? Yes 40% No 60% Q12b. If yes, do you have an automated solution for discovering where sensitive or confidential data are located in databases and enterprise applications? Yes 64% No 36% Q12c. If yes, do you have an automated solution for discovering where sensitive or confidential data are located in files and emails? Yes 22% No 78% Q12d. If no, do you believe using any automated solution for discovering sensitive or confidential data location would increase the effectiveness of your data security activities? Yes 78% No 22% Q12e. Do you believe using an automated solution for discovering where sensitive or confidential data has proliferated would increase the effectiveness of your company s data security activities? Yes 72% No 28% Ponemon Institute Research Report Page 26

Q13a. Did your organization experience a data breach in the past 12-month period? Yes, only one incident 27% Yes, two to five incidents 18% Yes, more than five incidents 4% No (skip to Q14) 51% Q13b. Very likely and likely responses combined Q13b-1. If yes, do you believe this breach incident would have been avoided if your organization had more effective data security technologies in place? 58% Q13b-2. If yes, do you believe this breach incident would have been avoided if your organization had a larger budget or spending level? 46% Q13b-3. If yes, do you believe this breach incident would have been avoided if your organization had more skilled personnel with data security responsibilities? 57% Q13b-4. If yes, do you believe this breach incident would have been avoided if your organization had more automated processes or controls in place? 54% Q14. If you had the following capabilities, do you believe you would improve your organization s compliance and data protection posture? Please respond to each capability using the scale provided below the item. Significant improvement and improvement responses combined. Q14a. Automated data discovery 69% Q14b. Automated classification 52% Q14c. Automated user access history with real time monitoring 76% Q14d. Aggregated view across geography, data centers, and business units 62% Q14e. Data flow diagrams 51% Q14f. Technology diagnostics (including vulnerability assessment tools) 62% Q14g. Integrated data security analysis and protection 53% Q14h. Policy workflow automation 74% Part 3. Sample Characteristics D1. What best describes your position level within the organization? Executive/VP 4% Director 17% Manager 23% Supervisor 18% Staff/technician 37% Contractor 2% Other (please specify) 0% D2. What best describes your direct reporting channel? CEO/executive committee 1% COO or head of operations 2% CFO, controller or head of finance 1% CIO or head of corporate IT 64% Business unit leader or general manager 16% Head of compliance or internal audit 2% CISO/CSO or head of IT security 15% CPO or head of corporate privacy 1% Other (please specify) 0% Ponemon Institute Research Report Page 27

D3. What best describes the geographic footprint of your job or role? Global 48% Regional 38% Local 14% D4. What best describes the scope of your job or role? Corporate 43% Line of business 17% Support/service center 34% Other (please specify) 6% D6. What best describes your organization s primary industry classification? Agriculture & food services 1% Communications 4% Consumer products 5% Defense & aerospace 0% Education & research 1% Energy & utilities 6% Entertainment & media 4% Financial services 16% Health & pharmaceutical 9% Hospitality 2% Industrial 9% Public sector 10% Retail 9% Services 10% Technology & software 9% Transportation 4% Other (please specify) 1% D5. What range best describes the full-time headcount of your global organization? Less than 1,000 23% 1,000 than 5,000 27% 5,001 to 10,000 23% 10,001 to 25,000 14% 25,001 to 75,000 8% More than 75,000 5% Ponemon Institute Research Report Page 28

Countries D6. Where are you located (country list). Argentina 67 Australia 89 Brazil 54 Canada 142 France 45 Germany 165 Hong Kong 39 Italy 55 Japan 82 Mexico 55 Netherlands 71 Singapore 26 South Korea 41 Spain 46 United Kingdom 109 United States 501 Total 1,587 Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. Ponemon Institute Research Report Page 29