Post on 18-Mar-2018
Security Beyond the Traditional Perimeter
Ponemon Institute© Research Report
Sponsored by BrandProtect™ Independently conducted by Ponemon Institute LLC Publication Date: July 2016
Ponemon Institute: Private & Confidential Report 1
Security Beyond the Traditional Perimeter Ponemon Institute: July 2016
Part 1. Introduction

Ponemon Institute is pleased to present the findings of Security Beyond the Traditional Perimeter, sponsored by BrandProtect™. The purpose of this study is to understand companies’ ability to analyze and mitigate online incidents and cyber attacks that are beyond the traditional security perimeter. In the context of this survey, external threats are those that arise outside the company’s traditional firewall/security perimeter and use online channels (email, social media, mobile apps, or domains) as their primary attack technology. These threats may or may not cross the firewall as they are perpetrated. Examples of external threats include socially engineered attacks, executive impersonations, brand-based attacks with ransomware, malware, or other payloads, rogue social domain activity, hacktivism/activism and activities which violate compliance or regulatory requirements.

In this study, we surveyed 591 IT and IT security practitioners in the United States. Sixty-five percent of these respondents are either CISOs (20 percent) or IT security operations (45 percent).

Participants in this study agree external threats put companies’ ability to continue their operations in peril. As shown in Figure 1, 62 percent of respondents say external threats are more difficult to detect than internal threats within the security perimeter and 52 percent of respondents say they are more difficult to contain than internal threats within the security perimeter.

The following are four important takeaways from this study.

1. Security processes for Internet and social media monitoring are non-existent, partially deployed or inconsistently deployed, according to 79 percent of respondents.

2. The protection of intellectual property from external threats is essential or very important to the sustainability of their companies, according to 59 percent of respondents.

3. External attacks are frequent and the financial costs of external attacks are significant. The 505 enterprises and financial institutions surveyed experienced an average of more than one cyber attack each month and spent an average of almost $3.5 million annually to deal with attacks. This is consistent with other Ponemon Institute research.¹

¹ 2016 Cost of Data Breach: United States, sponsored by IBM, May 2016, revealed the average total cost paid to resolve a data breach involving lost or stolen records is $7.01 million. The State of Cybersecurity in Healthcare Organizations in 2016, sponsored by ESET, February 2016, found that healthcare organizations experience an average of almost one cyber attack per month and spend $1.32 million on DDoS attacks per year.

Figure 1. Perceptions about the difficulty in detecting and containing external threats (Strongly Agree and Agree responses combined)
4. A lack of necessary tools and resources in most organizations diminishes the ability to respond to external threats. Only 42 percent of respondents believe their company has the tools to mitigate external threats. The lack of tools also affects the ability to monitor, analyze and understand external threats. Specifically, only 41 percent of respondents say they have the tools and resources necessary to analyze and understand external threats and only 39 percent of respondents believe their companies have tools to monitor external threats.
Part 2. Key findings

In this section, we provide an analysis of the findings. The complete audited findings are presented in the Appendix of this report. We have organized this report according to the following topics.

• Understanding the threat
• Monitoring of external threats
• Impact of external threats
• Ability to deal with external threats
• Special analysis: Industry differences
• Special analysis: Position level differences

Understanding the threat

Companies in this study experience an average of more than one external attack each month. Respondents say their companies have experienced an average of 32 material attacks against employees, executives, physical assets, locations and IP or brand/reputation over the past 24 months. As shown in Figure 2, the 505 enterprises and financial institutions surveyed report that an average of 30 percent of these attacks were perpetrated via the Internet or social media.

Figure 2. What percent of material attacks were perpetrated via the Internet or social media? (Extrapolated value = 30 percent)
  None             8%
  Less than 10%   17%
  10 to 25%       29%
  26 to 50%       27%
  51 to 75%       12%
  76 to 100%       7%
Cyber exploits and data loss are most likely to occur. When asked to rank nine external threat vectors in terms of the likelihood of occurrence in their organizations, cyber threats and incidents and data loss or theft are the primary threats, as shown in Figure 3. Also likely to occur are branded exploits against customers and the public, compliance/regulatory incidents and phishing/social engineering attacks.

Figure 3. The likelihood of nine external threat vectors occurring (9 = most likely to 1 = least likely)
  Cyber threats and incidents                                   8.21
  Data loss or theft                                            7.99
  Branded exploits against customers and the public             6.78
  Compliance/regulatory incidents                               6.24
  Phishing/social engineering attacks                           5.03
  Denial of service                                             4.11
  Hacktivism/activism/event/physical threats                    3.42
  Domain-based threats/cyber-attack infrastructure creation     2.32
  Executive threats/impersonations                              1.91
The number one worry about an external attack is reputational damage. As shown in Figure 4, 51 percent of respondents say they worry most about reputational damage following an external attack. Forty percent of respondents say they are concerned about branded exploits and 33 percent say compliance/regulatory incidents are a concern.

Figure 4. What external threats worry your organization the most? (Three choices permitted)
  Reputational damage                                           51%
  Branded exploits                                              40%
  Compliance/regulatory incidents                               33%
  Hacktivism/activism                                           31%
  Phishing/social engineering attacks                           29%
  Executive masquerades/employee or agent impersonations        24%
  Physical/event threats                                        20%
  Domain threats/cyber-infrastructure                           20%
  Social domains                                                19%
  Social data leaks                                             17%
  Corporate identity theft                                      16%
Monitoring of external threats

Monitoring the Internet and social media is critical to gaining intelligence about external threats, but few companies have a formal process in place. According to Figure 5, 38 percent of respondents say their companies do not monitor the Internet and social media to determine external threats their companies face. Only 17 percent of respondents say they have a formal process in place that is applied consistently across the entire enterprise. As mentioned above, an average of 30 percent of external attacks are carried out through the Internet or social media (see Figure 2).

Figure 5. How do you monitor the Internet and social media in order to gain actionable intelligence about external threats?
  We don’t have a process or approach                                                          38%
  Our process or approach is informal or “ad hoc”                                              23%
  We have a formal process in place, but it is not applied consistently across the enterprise  18%
  We have a formal process in place that is applied consistently across the entire enterprise  17%
  Cannot determine                                                                              4%
Monitoring for social engineering activity and cyber incidents is considered critical. While many companies represented in this study are not monitoring the Internet or social media, certain activities are considered essential or very important to detecting and containing external threats against a company. According to Figure 6, the most important activities are: monitoring mobile apps (62 percent of respondents), monitoring for social engineering activity or reconnaissance (61 percent of respondents), monitoring cyber incidents (60 percent of respondents), monitoring branded exploits (59 percent of respondents), monitoring for spear-phishing infrastructure (58 percent of respondents) and monitoring phishing scams (57 percent of respondents).

Figure 6. The most important external monitoring activities to achieve a strong security posture (Essential and Very important responses combined)
  Monitoring mobile apps                                              62%
  Monitoring for social engineering activity or reconnaissance        61%
  Monitoring cyber incidents                                          60%
  Monitoring branded exploits                                         59%
  Monitoring for spear-phishing infrastructure                        58%
  Monitoring phishing scams                                           57%
  Monitoring high value targets (such as C-level executives)          54%
  Monitoring compliance                                               52%
  Monitoring Internet domain names                                    51%
  Monitoring for others masquerading as employees or agents           48%
  Monitoring physical incidents                                       38%
To strengthen security posture, companies should collect phishing IP address data. According to Figure 7, 60 percent of respondents say phishing IP addresses are considered essential or very important to reducing external threats. Also important are malicious mobile app details (59 percent of respondents), rogue domain data (54 percent of respondents) and malicious twitter handles (52 percent of respondents).

Figure 7. What threat intelligence is critical to a strong security posture? (Essential and Very important responses combined)
  Phishing IP addresses                               60%
  Malicious mobile app details                        59%
  Rogue domain data                                   54%
  Malicious twitter handles                           52%
  Threat actor profiles and aliases                   51%
  Social media accounts with the same owner(s)        46%
  Phishing kit data                                   45%
Cyber threat monitoring is forecasted to increase within the next 24 months. Respondents were asked what security services are implemented for the perimeter, infrastructure and outside the perimeter today and what services will be implemented in the next two years. These services included those in-house and outsourced. Figures 8a and 8b address the security services in the perimeter. As shown, 45 percent of respondents say they have firewall monitoring and 27 percent say they deploy internal network monitoring. The outsourcing of internal network monitoring will increase significantly. Today, 23 percent of respondents say they outsource internal network monitoring and this is expected to increase, according to 37 percent of respondents.

Figure 8a. Security implementation today / Figure 8b. Security implementation in two years (Perimeter)
  Perimeter                     In house today  Outsourced today  In house in two years  Outsourced in two years
  Firewall monitoring           45%             35%               47%                    35%
  Internal network monitoring   27%             23%               31%                    37%
Figures 8c and 8d address security implementation in the infrastructure. Today, the services most often deployed in house are internal cyber threat monitoring (34 percent of respondents) and compliance monitoring (32 percent of respondents). These are expected to increase according to 42 percent and 41 percent of respondents, respectively. With the exception of threat analyst teams, most of the respondents say the outsourcing of these services in the infrastructure will increase significantly. Specifically, 24 percent of respondents say their organizations outsource internal cyber threat awareness training and in two years 38 percent of respondents say it will be outsourced.

Figure 8c. Security implementation today / Figure 8d. Security implementation in two years (Infrastructure)
  Infrastructure                              In house today  Outsourced today  In house in two years  Outsourced in two years
  24/7 Security operations                    24%             20%               30%                    30%
  Threat analyst team                         24%             17%               29%                    18%
  Security operations center                  25%             20%               41%                    31%
  Incorporation of external threat feeds      27%             23%               42%                    31%
  Security incident and event management      30%             19%               41%                    30%
  Internal cyber threat awareness training    34%             24%               34%                    38%
Figures 8e and 8f address security implementations outside the perimeter today and in two years. Services outside the perimeter are expected to increase both in house and outsourced. The most significant increase is in cyber threat monitoring according to 51 percent of respondents. The outsourcing of social media monitoring is expected to increase significantly. Today 11 percent of respondents say social media monitoring is outsourced and this is expected to increase, according to 39 percent of respondents. More organizations represented in this research believe the outsourcing of external domain monitoring will increase significantly.

Figure 8e. Security implementation today (Outside the perimeter)
  Outside the perimeter         In house  Outsourced
  Cyber threat monitoring       33%       23%
  Compliance monitoring         32%       17%
  Anti phishing                 30%       16%
  External domain monitoring    22%       20%
  Employee/agent monitoring     20%       15%
  Social media monitoring       19%       11%

Figure 8f. Security implementation in two years (Outside the perimeter)
[Bar chart: In house and Outsourced percentages for cyber threat monitoring, compliance monitoring, anti phishing, employee/agent monitoring, social media monitoring and external domain monitoring]
Insufficient risk awareness is the main barrier to having an effective monitoring approach. Eighty-three percent of respondents believe their organizations are not effective in monitoring the Internet and social media. As shown in Figure 9, the main barriers to achieving a more effective monitoring approach are insufficient risk awareness (50 percent of respondents), lack of knowledgeable staff (45 percent of respondents) and lack of technologies and tools (43 percent of respondents).

Figure 9. The main barriers to achieving an effective process for monitoring the Internet and social media (Three choices permitted)
  Insufficient risk awareness               50%
  Lack of knowledgeable staff               45%
  Lack of technologies and tools            43%
  Not considered a priority issue           42%
  Existence of silos and turf issues        39%
  Lack of leadership                        25%
  Lack of funding                           21%
  Complexity of IT processes                18%
  Complexity of business processes          17%

As shown in Figure 10, 57 percent of respondents currently outsource the monitoring of the Internet and social media (35 percent), plan to do so in the next year (11 percent) or in the next two years (10 percent). Despite the lack of in-house expertise and technologies (as shown above), 40 percent of respondents say their organizations are not looking to outsource the monitoring of Internet and social media.

Figure 10. Does your organization outsource, or plan to outsource, the monitoring of the Internet and social media?
  Yes, we do so now                                  35%
  Yes, we plan to do so in the next 12 months        11%
  Yes, we plan to do so in the next 24 months        10%
  No, we don’t plan to do so                         40%
  Unsure                                              4%
Impact of external threats

External attacks have a revenue, operational and reputational impact on companies. Respondents were asked to rate the impact of external attacks on revenue, operations and reputation on a scale of 1 = most significant to 9 = least significant. As presented in Figure 11, external attacks that have the greatest reputational impact are branded exploits against customers and the public and hacktivism/activism/physical threats (1.88 and 2.34, respectively). External attacks that have the greatest revenue impact are data loss or theft, branded exploits against customers and the public and denial of service (1.67, 2.22 and 2.79, respectively). External attacks that have the greatest operational impact are data loss or theft and denial of service (1.90 and 2.17, respectively). Over the past two years, an average of almost $7 million was spent as a result of material attacks against employees, executives, physical assets, locations, IP or brand/reputation.

Figure 11. The impact of external attacks on revenue, operations and reputation (9 = most significant to 1 = least significant)
[Bar chart: Revenue impact, Operational impact and Reputational impact scores (1.00 to 9.00) for compliance/regulatory incidents; phishing/social engineering attacks; executive threats/impersonations; domain-based threats/cyber-attack infrastructure creation; hacktivism/activism/event/physical threats; cyber threats and incidents; denial of service; branded exploits against customers and the public; data loss or theft]
Senior executives recognize the risk of external threats to reputation. According to Figure 12, 60 percent of respondents say their organizations’ leaders recognize that external threats could affect reputation. Fifty-two percent of respondents say their leaders agree revenues could be affected by external threats and 47 percent say these threats could affect the safety and well being of key employees.

Figure 12. Perceptions about the risk of external threats (Strongly agree and Agree responses combined)
  Leaders recognize that external threats could affect reputation                                         60%
  Leaders recognize that external threats could affect revenues                                           52%
  Leaders recognize that external threats could affect the safety and well being of key employees         47%
External threats put companies’ sustainability in peril. According to Figure 13, 59 percent of respondents say the protection of intellectual property from external threats is essential or very important to the sustainability of their companies. Other crucial business objectives that should be part of an external threat management program are: expanding into new global markets (55 percent of respondents) and minimizing non-compliance with laws (53 percent of respondents).

Figure 13. Objectives critical to sustainability (Essential and Very important responses combined)
  Protecting intellectual property                                                      59%
  Expanding into new global markets                                                     55%
  Minimizing non-compliance with laws                                                   53%
  Ensuring the safety of employees, executives and the public at live events            48%
  Protecting the public from third parties attacking them through branded exploits      48%
  Maximizing customer acquisition                                                       48%
  Enhancing brand value and reputation                                                  47%
  Increasing revenues and positive cash flow                                            47%
  Maximizing employee productivity                                                      46%
  Protecting executives from physical or reputational harm                              45%
  Maximizing shareholder value                                                          39%
Ability to respond to external threats

A lack of necessary tools and resources in most organizations diminishes the ability to respond to external threats. According to Figure 14, only 42 percent of respondents believe their company has the tools to mitigate external threats. The lack of tools also affects the ability to monitor, analyze and understand external threats. Specifically, only 41 percent of respondents say they have the tools and resources necessary to analyze and understand external threats and only 39 percent of respondents believe their companies have tools to monitor external threats.

Figure 14. Perceptions about the ability to respond to external threats (Strongly agree and Agree responses combined)
  My organization has the tools and resources necessary to mitigate external threats                 42%
  My organization has the tools and resources necessary to analyze and understand external threats   41%
  My organization has the tools and resources necessary to monitor external threats                  39%
Actionable intelligence is vital to the detection and containment of external threats. Respondents were asked what factors help companies quickly detect and contain external attacks from 1 = most important to 7 = least important. As shown in Figure 15, to respond to external threats, the factors most critical are actionable intelligence, resilience and a strong security posture.

Figure 15. Factors that contribute to the ability to quickly detect and contain external attacks (7 = most important to 1 = least important)
  Actionable intelligence       6.53
  Resilience                    6.01
  Strong security posture       4.87
  Expert staff                  4.15
  Leadership                    3.55
  Ample resources               2.31
  Agility                       1.67
The CIOs’ and CISOs’ responsibility for threats stops at the perimeter. Responsibility for directing efforts to minimize exposure to business risk stemming from threats on the network or at the security perimeter is concentrated in the chief information officer and chief information security officer function (36 percent and 21 percent of respondents, respectively), as shown in Figure 16. In contrast, responsibility for external threats is most often given to the lines of business or no one person.

Figure 16. Responsibility for minimizing exposure to business risks stemming from external threats
  Role                                           Threats on the network or at the security perimeter  External threats
  Chief information officer (CIO)                36%                                                  13%
  Chief information security officer (CISO)      21%                                                  16%
  Line of business (LOB) leader                  12%                                                  21%
  No one person has overall responsibility       12%                                                  19%
  Chief technology officer (CTO)                  8%                                                   2%
  General counsel                                 5%                                                   9%
  Chief risk officer (CRO)                        3%                                                   5%
  Chief executive officer (CEO)                   2%                                                   3%
  Chief financial officer (CFO)                   1%                                                   0%
  Chief digital officer (CDO)                     0%                                                   6%
  Chief compliance officer (CCO)                  0%                                                   5%
  Chief operating officer (COO)                   0%                                                   1%
Further, as shown in Figure 17, only 36 percent of respondents say their companies’ security leader (CISO) is very involved (12 percent of respondents) or has some involvement (24 percent of respondents) in the collection and evaluation of intelligence obtained from the Internet and social media.

Figure 17. How involved is the security leader in the collection and evaluation of intelligence obtained from the Internet and social media?
  Yes, very involved               12%
  Yes, some involvement            24%
  No, minimal involvement          30%
  Not involved                     34%
Special analysis: Industry differences

In this section of the report, we provide a deeper analysis of how respondents in the financial services, health and pharma, industrial and manufacturing, public sector, services and retailing industries view the external threat. According to the findings, the financial services industry is most prepared to monitor and reduce external threats. The following are some key differences.

According to Figure 18, the financial services industry is most likely to have a formal monitoring process. In contrast, services and industrial and manufacturing industries are less likely to have such a process.

Figure 18. Our organization has a formal process for monitoring the Internet and social media (Strongly agree and Agree responses combined)
  Financial services        26%
  Retail                    18%
  Public sector             17%
  Health & pharma           16%
  Services                  16%
  Industrial & manuf        11%
As shown in Figure 19, 50 percent of respondents in financial services believe they have the tools and resources necessary to monitor external threats. In contrast, only 34 percent of respondents in health and pharma believe they have such tools and resources. Forty-seven percent of respondents also agree they have the tools and resources necessary to mitigate external threats. Only 29 percent of respondents in health and pharma believe they have the tools and resources to mitigate external threats. Respondents in the retail industry are the most confident in their ability to analyze and understand external threats.

Figure 19. Perceptions about ability to monitor and reduce the risk of external threats (Strongly agree and Agree responses combined)
  Industry              Tools and resources to monitor  Tools and resources to analyze and understand  Tools and resources to mitigate
  Financial services    50%                             44%                                            47%
  Public sector         42%                             42%                                            42%
  Retail                41%                             45%                                            35%
  Industrial & manuf    41%                             38%                                            39%
  Services              36%                             39%                                            41%
  Health & pharma       34%                             26%                                            29%
Special analysis: Position level differences

Are perceptions about external threats influenced by the role and position of respondents? We divided the sample of 591 respondents between those who hold a position below director (471 respondents) and those who hold the position of director and above (120 respondents). Following are the most interesting differences between those two groups.

According to Figure 20, respondents in the trenches who hold a position at or below manager are more confident in their organizations’ ability to monitor and reduce external threats than those at the director and above. The biggest gaps between these two groups are having the tools and resources necessary to monitor external threats (44 percent vs. 36 percent of respondents) and having the tools and resources to mitigate external threats (41 percent vs. 32 percent of respondents).

Figure 20. Perceptions about ability to monitor and reduce external threats (Strongly agree and Agree responses combined)
  Statement                                                                                          Manager & below  Director & above
  My organization has the tools and resources necessary to monitor external threats                  44%              36%
  My organization has the tools and resources necessary to analyze and understand external threats   42%              38%
  My organization has the tools and resources necessary to mitigate external threats                 41%              32%
Both groups agree the ability to monitor for a variety of threats is critical to detecting and containing external threats. As shown in Figure 21, more senior-level respondents believe monitoring mobile apps, spear-phishing infrastructure and branded exploits are essential or very important (72 percent, 65 percent and 64 percent of respondents, respectively). Respondents who are most often in the trenches (managers and below) believe monitoring for social engineering activity or reconnaissance, cyber incidents and mobile apps (62 percent, 61 percent and 59 percent of respondents) are essential or very important.

Figure 21. Important Internet and social media monitoring activities (Essential and Very important responses combined)
  Activity                                                         Manager & below  Director & above
  Monitoring mobile apps                                           59%              72%
  Monitoring for spear-phishing infrastructure                     56%              65%
  Monitoring branded exploits                                      58%              64%
  Monitoring high value targets (such as C-level executives)       53%              60%
  Monitoring cyber incidents                                       61%              58%
  Monitoring for social engineering activity or reconnaissance     62%              58%
  Monitoring for others masquerading as employees or agents        46%              56%
  Monitoring phishing scams                                        58%              54%
  Monitoring compliance                                            52%              54%
  Monitoring Internet domain names                                 50%              53%
  Monitoring physical incidents                                    37%              42%
Managers and below consider the most important threat intelligence data to be phishing IP addresses and malicious mobile app details. More senior-level respondents consider rogue domain data and phishing IP addresses to provide the most important insights into dealing with external threats, as shown in Figure 22.

Figure 22. Most important threat intelligence data (Essential and Very important responses combined)
  Threat intelligence data                          Manager & below  Director & above
  Rogue domain data                                 53%              57%
  Phishing IP addresses                             62%              54%
  Malicious mobile app details                      61%              51%
  Threat actor profiles and aliases                 52%              48%
  Phishing kit data                                 44%              47%
  Malicious twitter handles                         53%              47%
  Social media accounts with the same owner(s)      48%              40%
Part 3. Methods

A sampling frame of 15,440 IT and IT security practitioners in the United States was selected as participants in the research. Table 1 shows 629 total returns. Screening and reliability checks required the removal of 38 surveys. Our final sample consisted of 591 surveys, or a 3.8 percent response rate.

Table 1. Sample response
  Response                        Freq     Pct%
  Sampling frame                  15,440   100.0%
  Total returns                   629      4.1%
  Rejected or screened surveys    38       0.2%
  Final sample                    591      3.8%
Pie Chart 1 reports the respondent’s position level within participating organizations. By design, more than half of the respondents (63 percent) are at or above the supervisory levels.

Pie Chart 1. Position level within the organization
[Pie chart: C-level executive, Executive/VP, Director, Manager, Supervisor, Staff/technician (37 percent)]

According to Pie Chart 2, 74 percent of the respondents are from organizations with a global headcount of more than 1,000 employees.

Pie Chart 2. Fulltime headcount of the global organization
  Less than 500         11%
  500 to 1,000          15%
  1,001 to 5,000        27%
  5,001 to 10,000       17%
  10,001 to 25,000      12%
  25,001 to 75,000      10%
  More than 75,000       8%
Pie Chart 3 reports the industry classification of respondents’ organizations. This chart identifies financial services (18 percent of respondents) as the largest segment, followed by health and pharmaceutical (11 percent of respondents), industrial and manufacturing (11 percent of respondents) and public sector (10 percent of respondents).

Pie Chart 3. Primary industry classification
  Financial services              18%
  Health & pharmaceuticals        11%
  Industrial & manufacturing      11%
  Public sector                   10%
  Services                        10%
  Retail                           9%
  Technology & software            7%
  Energy & utilities               6%
  Consumer                         6%
  Transportation                   3%
  Communications                   3%
  Entertainment & media            2%
  Education & research             2%
  Other                            2%

Part 4. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most Web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT and IT security practitioners located in the United States. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.
Appendix: Detailed Survey Results
The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in June 2016.

Survey response | Freq | Pct%
Total sampling frame | 15,440 | 100.0%
Total returns | 629 | 4.1%
Rejected or screened surveys | 38 | 0.2%
Final sample | 591 | 3.8%

Part 1. Screening

S1. What best describes your organizational role or area of focus? | Pct%
IT security leader (CISO) | 20%
IT security operations (SecOps) | 45%
Data center management | 5%
IT security threat analyst | 19%
IT risk management | 5%
Enterprise risk management | 6%
None of the above (stop) | 0%
Total | 100%

S2. Please check all the activities that you see as part of your job or role. | Pct%
Managing budgets | 44%
Evaluating vendors | 39%
Setting priorities | 41%
Securing systems | 70%
Ensuring compliance | 46%
Ensuring system availability | 30%
None of the above (stop) | 0%
Total | 270%

S3. What best describes the maturity stage of your organization’s IT security program? | Pct%
Non-existent – we don’t have a program (stop) | 0%
Early stage – most program activities have not as yet been deployed | 19%
Middle stage – most program activities are only partially deployed | 29%
Late-middle stage – most program activities are fully deployed | 27%
Mature stage – all program activities are fully deployed | 21%
Unable to determine | 4%
Total | 100%

S4. What best describes the maturity stage of your organization’s IT security program or activities around external threats? | Pct%
Non-existent – we don’t have a program (stop) | 0%
Early stage – most program activities have not as yet been deployed | 29%
Middle stage – most program activities are only partially deployed | 36%
Late-middle stage – most program activities are fully deployed | 20%
Mature stage – all program activities are fully deployed | 11%
Unable to determine | 4%
Total | 100%
Part 2. Attributions & background

Q1. Please rank order the following nine threat vectors in terms of their revenue impact on your organization. 1 = Most significant to 9 = least significant. | Average rank | Rank order
Branded exploits against customers and the public | 2.22 | 2
Compliance/regulatory incidents | 8.19 | 9
Cyber threats and incidents | 3.84 | 4
Domain-based threats/cyber-attack infrastructure creation | 5.01 | 6
Data loss or theft | 1.67 | 1
Denial of Service | 2.79 | 3
Executive threats / Impersonations | 6.70 | 7
Hacktivism/activism/event/physical threats | 4.56 | 5
Phishing/social engineering attacks | 7.88 | 8

Q2. Please rank order the following nine threat vectors in terms of their operational impact on your organization. 1 = Most significant to 9 = least significant. | Average rank | Rank order
Branded exploits against customers and the public | 3.25 | 3
Compliance/regulatory incidents | 5.14 | 5
Cyber threats and incidents | 4.04 | 4
Domain-based threats/cyber-attack infrastructure creation | 5.86 | 6
Data loss or theft | 1.90 | 1
Denial of Service | 2.17 | 2
Executive threats / impersonations | 7.83 | 8
Hacktivism/activism/event/physical threats | 7.68 | 7
Phishing/Social engineering attacks | 8.22 | 9

Q3. Please rank order the following nine threat vectors in terms of their reputational impact on your organization. 1 = Most significant to 9 = least significant. | Average rank | Rank order
Branded exploits against customers and the public | 1.88 | 1
Compliance/regulatory incidents | 5.35 | 5
Cyber threats and incidents | 6.70 | 7
Domain-based threats/cyber-attack infrastructure creation | 8.23 | 9
Data loss or theft | 3.99 | 4
Denial of Service | 7.92 | 8
Executive threats / Impersonations | 3.61 | 3
Hacktivism/activism/event/physical threats | 2.34 | 2
Phishing/social engineering attacks | 5.63 | 6

Q4. Please rank order the following nine threat vectors in terms of their likelihood of occurrence in your organization. 1 = Most likely to 9 = least likely. | Average rank | Rank order
Branded exploits against customers and the public | 3.22 | 3
Compliance/regulatory incidents | 3.76 | 4
Cyber threats and incidents | 1.79 | 1
Domain-based threats/cyber-attack infrastructure creation | 7.68 | 8
Data loss or theft | 2.01 | 2
Denial of Service | 5.89 | 6
Executive threats / impersonations | 8.09 | 9
Hacktivism/activism/event/physical threats | 6.58 | 7
Phishing/social engineering attacks | 4.97 | 5
Please provide your opinion about each one of the following statements using the five-point scale provided below each item. % Strongly agree and Agree response

Statement | Strongly agree | Agree
Q5. My organization’s leaders recognize that external threats could affect revenues. | 19% | 33%
Q6. My organization’s leaders recognize that external threats could affect the safety and well-being of key employees. | 17% | 30%
Q7. My organization’s leaders recognize that external threats could affect reputation. | 25% | 35%
Q8. My organization has the tools and resources necessary to monitor external threats. | 16% | 26%
Q9. My organization has the tools and resources necessary to mitigate external threats. | 15% | 24%
Q10. My organization has the tools and resources necessary to analyze and understand external threats. | 15% | 26%
Q11. My organization has the expert personnel necessary to mitigate external threats. | 16% | 24%
Q12. External threats in my organization are more difficult to detect than internal threats within the security perimeter. | 26% | 36%
Q13. External threats in my organization are more difficult to contain than internal threats within the security perimeter. | 23% | 29%

Q14. What factors contribute to your organization’s ability to ensure external threats are detected and quickly contained? Please rank these seven factors from 1 = most to 7 = least important. | Average rank | Rank order
Agility | 6.33 | 7
Resilience | 1.99 | 2
Actionable intelligence | 1.47 | 1
Strong security posture | 3.13 | 3
Expert staff | 3.85 | 4
Ample resources | 5.69 | 6
Leadership | 4.45 | 5

Q15. What external threats worry your organization the most? Please select your top three choices. | Pct%
Reputational damage | 51%
Branded exploits | 40%
Compliance/regulatory incidents | 33%
Hacktivism/activism | 31%
Phishing/social engineering attacks | 29%
Executive masquerades/employee or agent impersonations | 24%
Domain threats/cyber-infrastructure | 20%
Physical/event threats | 20%
Social domains | 19%
Social data leaks | 17%
Corporate identity theft | 16%
Total | 300%
Following is a list of eight common business objectives critical to the sustainability for most companies. Using the scale, please rate the importance of external threat management in helping to achieve each stated objective. % Essential and Very important response

Objective | Essential | Very important
Q16a. Maximizing shareholder value | 16% | 23%
Q16b. Maximizing customer acquisition | 23% | 25%
Q16c. Minimizing non-compliance with laws | 22% | 31%
Q16d. Maximizing employee productivity | 16% | 30%
Q16e. Increasing revenues and positive cash flow | 18% | 29%
Q16f. Expanding into new global markets | 25% | 30%
Q16g. Protecting intellectual property | 28% | 31%
Q16h. Enhancing brand value and reputation | 20% | 27%
Q16i. Protecting the public from third parties attacking them through branded exploits | 19% | 29%
Q16j. Protecting executives from physical or reputational harm | 20% | 25%
Q16k. Ensuring the safety of employees, executives and the public at live events | 21% | 27%

Q17a. Who has overall responsibility for directing your organization’s efforts to minimize exposure to business risks stemming from external threats? Check one best choice. | Pct%
Chief compliance officer (CCO) | 5%
Chief digital officer (CDO) | 6%
Chief executive officer (CEO) | 3%
Chief financial officer (CFO) | 0%
Chief information officer (CIO) | 13%
Chief information security officer (CISO) | 16%
Chief operating officer (COO) | 1%
Chief risk officer (CRO) | 5%
Chief technology officer (CTO) | 2%
General counsel | 9%
Line of business (LOB) leader | 21%
No one person has overall responsibility | 19%
Total | 100%

Q17b. Who has overall responsibility for directing your organization’s efforts to minimize exposure to business risk stemming from threats on the network or at the security perimeter? Please check one best choice. | Pct%
Chief compliance officer (CCO) | 0%
Chief digital officer (CDO) | 0%
Chief executive officer (CEO) | 2%
Chief financial officer (CFO) | 1%
Chief information officer (CIO) | 36%
Chief information security officer (CISO) | 21%
Chief operating officer (COO) | 0%
Chief risk officer (CRO) | 3%
Chief technology officer (CTO) | 8%
General counsel | 5%
Line of business (LOB) leader | 12%
No one person has overall responsibility | 12%
Total | 100%
Q18. For the following departments or functions, please characterize the working relationship that exists between the department or function and your organization’s security team. Please use the following scale: 1 = collaboration is excellent, 2 = collaboration is adequate, 3 = collaboration is poor or non-existent. | 1 = Excellent | 3 = Poor
Compliance | 20% | 29%
Customer Support | 13% | 33%
Executive Suite | 15% | 36%
Information Technology | 23% | 27%
Investor Relations | 16% | 33%
Legal | 16% | 30%
Marketing | 11% | 40%

Q19a. Please check one statement that best describes your organization’s approach for monitoring the Internet and social media in order to gain actionable intelligence about external threats. | Pct%
We have a formal process in place that is applied consistently across the entire enterprise | 17%
We have a formal process in place, but it is not applied consistently across the enterprise | 18%
Our process or approach is informal or “ad hoc” | 23%
We don’t have a process or approach | 38%
Cannot determine | 4%
Total | 100%

Q19b. [If you have a formal process] Using the following 10-point scale, please rate the effectiveness of your organization’s process for monitoring the Internet and social media to gain actionable intelligence about external threats. | Pct%
1 or 2 | 14%
3 or 4 | 27%
5 or 6 | 42%
7 or 8 | 9%
9 or 10 | 8%
Total | 100%
Extrapolated value | 4.90

Q19c. [For ratings below 7] What do you see as the main barriers to achieving a highly effective process for monitoring the Internet and social media to gain intelligence about external threats? Please select your top three choices. | Pct%
Insufficient risk awareness | 50%
Lack of knowledgeable staff | 45%
Lack of technologies and tools | 43%
Not considered a priority issue | 42%
Existence of silos and turf issues | 39%
Lack of leadership | 25%
Lack of funding | 21%
Complexity of IT processes | 18%
Complexity of business processes | 17%
Other (please specify) | 0%
Total | 300%
Q20. Is your organization’s security leader (CISO) directly involved in the collection and evaluation of intelligence obtained from the Internet and social media? | Pct%
Yes, very involved | 12%
Yes, some involvement | 24%
No, minimal involvement | 30%
Not involved | 34%
Total | 100%

Q21a. In the past 24 months, how many times has your organization experienced material attacks against employees, executives, physical assets, locations, IP or brand/reputation? | Pct%
Zero | 5%
1 to 10 | 21%
11 to 25 | 30%
26 to 50 | 27%
51 to 100 | 11%
More than 100 | 6%
Total | 100%
Extrapolated value | 32.2

Q21b. What percent of the above material attacks were perpetrated via the Internet or social media? | Pct%
None | 8%
Less than 10% | 17%
10 to 25% | 29%
26 to 50% | 27%
51 to 75% | 12%
76 to 100% | 7%
Total | 100%
Extrapolated value | 30%

Part 3. Estimating costs

Q22. What is the estimated total cost that your organization expended as a result of material attacks against employees, executives, physical assets, locations, IP or brand/reputation over the past 24 months? Your best guess is welcome. | Pct%
Zero | 0%
Less than $10,000 | 2%
$10,001 to $100,000 | 4%
$100,001 to $250,000 | 13%
$250,001 to $500,000 | 12%
$500,001 to $1,000,000 | 13%
$1,000,001 to $5,000,000 | 24%
$5,000,001 to $10,000,000 | 15%
$10,000,001 to $25,000,000 | 12%
$25,000,001 to $50,000,000 | 3%
$50,000,001 to $100,000,000 | 2%
More than $100,000,000 | 0%
Total | 100%
Extrapolated value | $6,737,630
Q23. Using all 100 points provided, please allocate your total cost estimate according to what you see as the most appropriate proportion for each one of the six cost categories mentioned above. Note that the total point allocation must sum to 100 for each column. | Points
Cost of technical support | 12
Cost of forensics to determine the root causes | 9
Cost of employees’ idle time and lost productivity | 25
Revenues lost or diminished | 13
Cost associated with reputation and brand damage | 25
Cost associated with compliance or regulatory failure | 16
Total points (must allocate 100 points) | 100

Part 4. Other questions

Q24. Does your organization outsource, or plan to outsource, the monitoring of the Internet and social media to gain intelligence about external threats? | Pct%
Yes, we do so now | 35%
Yes, we plan to do so in the next 12 months | 11%
Yes, we plan to do so in the next 24 months | 10%
No, we don’t plan to do so | 40%
Unsure | 4%
Total | 100%

Q25. Following are device, Internet and social media monitoring activities that may be important for detecting and containing external threats against your organization. Please rate the importance of each monitoring activity in terms of achieving a strong security posture. % Essential and Very important response

Monitoring activity | Essential | Very important
Q25a. Monitoring Internet domain names | 21% | 30%
Q25b. Monitoring branded exploits | 25% | 34%
Q25c. Monitoring mobile apps | 29% | 33%
Q25d. Monitoring phishing scams | 24% | 33%
Q25e. Monitoring physical incidents | 11% | 27%
Q25f. Monitoring cyber incidents | 26% | 34%
Q25g. Monitoring for spear-phishing infrastructure | 25% | 33%
Q25h. Monitoring for others masquerading as employees or agents | 20% | 28%
Q25i. Monitoring compliance | 23% | 29%
Q25j. Monitoring high value targets (such as C-level executives) | 23% | 31%
Q25k. Monitoring for social engineering activity or reconnaissance | 30% | 31%
Q26. Please describe your organization’s current security implementation. Specifically, which of these capabilities do you deploy (either in house or outsourced)? Please leave blank if the given security capability is not deployed at present. | In house | Outsourced
24/7 Security Operations | 24% | 20%
Anti phishing | 30% | 16%
Compliance monitoring | 32% | 17%
Cyber threat monitoring | 33% | 23%
Employee/agent monitoring | 20% | 15%
External domain monitoring | 22% | 20%
Firewall monitoring | 45% | 35%
Incorporation of external threat feeds | 27% | 23%
Internal cyber threat awareness training | 34% | 24%
Internal network monitoring | 27% | 23%
Security incident and event management (SIEM) | 30% | 19%
Security operations center | 25% | 20%
Social media monitoring | 19% | 11%
Threat analyst team | 24% | 17%

Q27. Please describe your organization’s forecasted security implementation within the next 24 months. Specifically, which of these capabilities will you deploy (either in house or outsourced)? Please leave blank if the given security capability is not expected to be deployed. Your best guess is welcome. | In house | Outsourced
24/7 Security operations | 30% | 30%
Anti phishing | 36% | 24%
Compliance monitoring | 39% | 24%
Cyber threat monitoring | 51% | 45%
Employee/agent monitoring | 35% | 21%
External domain monitoring | 22% | 39%
Firewall monitoring | 47% | 35%
Incorporation of external threat feeds | 42% | 31%
Internal cyber threat awareness training | 34% | 38%
Internal network monitoring | 31% | 37%
Security incident and event management (SIEM) | 41% | 30%
Security operations center | 41% | 31%
Social media monitoring | 24% | 19%
Threat analyst team | 29% | 18%

Following are seven kinds of threat intelligence data that may be important to your security team and organization. Please rate the importance of each kind of intelligence data in terms of strengthening your organization’s security posture. % Essential and Very important response.

Intelligence data | Essential | Very important
Q28a. Malicious mobile app details | 26% | 33%
Q28b. Malicious Twitter handles | 25% | 27%
Q28c. Phishing IP addresses | 29% | 31%
Q28d. Phishing kit data | 16% | 29%
Q28e. Rogue domain data | 21% | 33%
Q28f. Social media accounts with the same owner(s) | 19% | 27%
Q28g. Threat actor profiles and aliases | 21% | 30%
Part 6. Organization and respondents’ demographics | Pct%
C-level executive | 2%
Executive/VP | 2%
Director | 16%
Manager | 21%
Supervisor | 15%
Staff/technician | 37%
Administrative | 3%
Consultant/contractor | 4%
Other (please specify) | 0%
Total | 100%

D2. What range best describes the full-time headcount of your global organization? | Pct%
Less than 500 | 11%
500 to 1,000 | 15%
1,001 to 5,000 | 27%
5,001 to 10,000 | 17%
10,001 to 25,000 | 12%
25,001 to 75,000 | 10%
More than 75,000 | 8%
Total | 100%

D3. What best describes your organization’s primary industry classification? | Pct%
Aerospace & defense | 1%
Agriculture & food services | 1%
Communications | 3%
Consumer | 6%
Education & research | 2%
Energy & utilities | 6%
Entertainment & media | 2%
Financial services | 18%
Health & pharmaceuticals | 11%
Industrial & manufacturing | 11%
Public sector | 10%
Retailing | 9%
Services | 10%
Technology & software | 7%
Transportation | 3%
Other | 0%
Total | 100%
Please contact research@ponemon.org or call us at 800.877.3118 if you have any questions.

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.